Allow setting openssh_allow_users to restrict access.

Update CI and documentation.

README.md

@@ -18,6 +18,7 @@ This example is taken from `molecule/resources/converge.yml` and is tested on ea
 
   roles:
     - role: robertdebock.openssh
+      openssh_allow_users: root
 ```
 
 The machine may need to be prepared using `molecule/resources/prepare.yml`:
@@ -43,6 +44,18 @@ For verification `molecule/resources/verify.yml` run after the role has been app
   tasks:
     - name: check if connection still works
       ping:
+
+    - name: Check if AllowUsers is set
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        line: AllowUsers root
+      check_mode: yes
+      register: openssh_check_if_allowusers_is_set
+
+    - name: assert results
+      assert:
+        that:
+          - openssh_check_if_allowusers_is_set is not changed
 ```
 
 Also see a [full explanation and example](https://robertdebock.nl/how-to-use-these-roles.html) on how to use these roles.
@@ -151,6 +164,10 @@ openssh_accept_env:
   - XMODIFIERS
 
 openssh_subsystem: sftp /usr/libexec/openssh/sftp-server
+
+# Restrict access to this (space separated list) of users.
+# For example: `openssh_allow_users: root my_user`
+# openssh_allow_users: root
 ```
 
 ## Requirements

defaults/main.yml

@@ -98,3 +98,7 @@ openssh_accept_env:
   - XMODIFIERS
 
 openssh_subsystem: sftp /usr/libexec/openssh/sftp-server
+
+# Restrict access to this (space separated list) of users.
+# For example: `openssh_allow_users: root my_user`
+# openssh_allow_users: root

molecule/default/converge.yml

@@ -6,3 +6,4 @@
 
   roles:
     - role: ansible-role-openssh
+      openssh_allow_users: root

molecule/default/verify.yml

@@ -7,3 +7,15 @@
   tasks:
     - name: check if connection still works
       ping:
+
+    - name: Check if AllowUsers is set
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        line: AllowUsers root
+      check_mode: yes
+      register: openssh_check_if_allowusers_is_set
+
+    - name: assert results
+      assert:
+        that:
+          - openssh_check_if_allowusers_is_set is not changed

templates/sshd_config_Alpine.j2

@@ -68,3 +68,7 @@ AcceptEnv {{ item }}
 {% endfor %}
 
 Subsystem {{ openssh_subsystem }}
+
+{% if openssh_allow_users is defined %}
+AllowUsers {{ openssh_allow_users }}
+{% endif %}

templates/sshd_config_Archlinux.j2

@@ -75,3 +75,7 @@ AcceptEnv {{ item }}
 {% endfor %}
 
 Subsystem {{ openssh_subsystem }}
+
+{% if openssh_allow_users is defined %}
+AllowUsers {{ openssh_allow_users }}
+{% endif %}

templates/sshd_config_Debian.j2

@@ -76,3 +76,7 @@ AcceptEnv {{ item }}
 {% endfor %}
 
 Subsystem {{ openssh_subsystem }}
+
+{% if openssh_allow_users is defined %}
+AllowUsers {{ openssh_allow_users }}
+{% endif %}

templates/sshd_config_Fedora.j2

@@ -77,3 +77,7 @@ AcceptEnv {{ item }}
 {% endfor %}
 
 Subsystem {{ openssh_subsystem }}
+
+{% if openssh_allow_users is defined %}
+AllowUsers {{ openssh_allow_users }}
+{% endif %}

templates/sshd_config_RedHat-7.j2

@@ -78,3 +78,7 @@ AcceptEnv {{ item }}
 {% endfor %}
 
 Subsystem {{ openssh_subsystem }}
+
+{% if openssh_allow_users is defined %}
+AllowUsers {{ openssh_allow_users }}
+{% endif %}

templates/sshd_config_RedHat.j2

@@ -146,3 +146,7 @@ Subsystem {{ openssh_subsystem }}
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
+
+{% if openssh_allow_users is defined %}
+AllowUsers {{ openssh_allow_users }}
+{% endif %}

templates/sshd_config_Suse.j2

@@ -76,3 +76,7 @@ AcceptEnv {{ item }}
 {% endfor %}
 
 Subsystem {{ openssh_subsystem }}
+
+{% if openssh_allow_users is defined %}
+AllowUsers {{ openssh_allow_users }}
+{% endif %}