Help with Idempotent lineinfile regex

Hello,

I'm trying to create a lineinfile task that appends a word to a line when it's not already present, like the following:

The line should start with AllowGroups

Followed by a sequence of unknown length matching "\s\w+"

It’s possible to find groupN within the previous sequence, in which case the task should return ok

If groupN is not present, the result will be AllowGroups, followed by the existing sequence, followed by " groupN"

    - name: Add group to ssh allowed
      lineinfile:
        backrefs: yes
        dest: /etc/ssh/sshd_config
        regexp: '^AllowGroups(.*)(?! groupN)(.*)'
        line: 'AllowGroups\1\2 groupN'
        state: present

I have tried several approaches but none have been successful.

I would appreciate any light to achieve it.

BR,
Tony

A better, more reliable approach would be to create a template sshd_config file (or just a regular, non-templated file) that is placed on nodes via the copy or template module.

It's not an option, as the current file has previously been templated with some common configuration. It's a role that has to add the group to the line if the host includes it.

Br

Hello,

After a lot of fiddling around I found a way to do it. I was also after a way to handle AllowGroups in sshd_config so that it wouldn't remove other groups in the line, just make sure to add the new ones.

The first one registers the current AllowGroups in a variable which is used by the later tasks.
The second one adds the AllowGroups line if it doesn't exist at all (the regexp task will never do that).
The last one adds all the groups in the with_items: [ 'root', 'admins' ] array.

Hope someone can save a few hours work figuring this out.

I only joined here to give you the answer, If you have any questions email me at magnus(at)boden.cx

Regards
Magnus

    # Ansible complains if grep fails (non-zero exit), so match something that is always there too
    - name: SSH groups
      shell: grep -E '(Port|AllowGroups)' /etc/ssh/sshd_config
      register: ssh_groups

    # Add the line if it doesn't exist; groups will be filled in below
    - name: SSH configure AllowGroups
      lineinfile:
        dest: /etc/ssh/sshd_config
        line: 'AllowGroups'
      when: ssh_groups.stdout is defined and ssh_groups.stdout.find("AllowGroups") == -1
      notify:
        - restart ssh

    # Prepend each missing group to the existing AllowGroups line; (.*) keeps whatever is already there
    # (\s* rather than \s+ so the bare "AllowGroups" line added above also matches)
    - name: SSH add groups to AllowGroups
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^\s*AllowGroups\s*(.*)$'
        line: 'AllowGroups {{ item }} \1'
        backrefs: yes
      when: ssh_groups.stdout is defined and item not in ssh_groups.stdout
      with_items: [ 'root', 'admins' ]
      notify:
        - restart ssh
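The regex behaviour discussed in Tony's question and in Magnus's tasks, as an added Python example that is not code from the original thread. lineinfile evaluates `regexp:` with Python's re module, so the patterns can be checked here exactly as Ansible would apply them: the block emulates `backrefs: yes` (rewrite the last matching line, do nothing when nothing matches), shows a single-task idempotent pattern, and shows why the question's lookahead placement matches even when the group is already present. The sshd_config fragments and the group names are constructed for the example.

```python
import re

# Constructed sample sshd_config fragments (not taken from the original thread).
CONFIG_WITHOUT = "Port 22\nAllowGroups sshusers wheel\nPermitRootLogin no\n"
CONFIG_WITH = "Port 22\nAllowGroups sshusers groupN wheel\nPermitRootLogin no\n"
CONFIG_NO_LINE = "Port 22\nPermitRootLogin no\n"


def allowgroups_regex(group):
    """Pattern that matches an AllowGroups line only when `group` is absent.

    The negative lookahead sits directly after the directive name, before any
    greedy `.*`, so it inspects the whole remainder of the line; the `\\b`
    anchors stop `groupN` from matching inside `groupNN` or `mygroupN`.
    The same pattern works unchanged as lineinfile's `regexp:`.
    """
    return re.compile(r"^(\s*AllowGroups(?!.*\b" + re.escape(group) + r"\b).*)$")


def add_group(config, group):
    """Emulate `lineinfile regexp=<above> line='\\1 <group>' backrefs=yes`.

    With backrefs=yes lineinfile rewrites the *last* matching line and does
    nothing when no line matches. That is what makes the task idempotent,
    but it also means the task never creates a missing AllowGroups line
    (the case Magnus's second task handles separately).
    Returns (new_config, changed).
    """
    pattern = allowgroups_regex(group)
    lines = config.splitlines(keepends=True)
    for i in range(len(lines) - 1, -1, -1):
        m = pattern.match(lines[i].rstrip("\r\n"))
        if m:
            lines[i] = f"{m.group(1).rstrip()} {group}\n"
            return "".join(lines), True
    return config, False


def naive_regex_matches_anyway(group):
    """Why the question's `^AllowGroups(.*)(?! groupN)(.*)` is not idempotent.

    The greedy `(.*)` swallows the rest of the line first, so the lookahead
    is only evaluated at end-of-line, where ' groupN' never follows, and the
    pattern matches even when the group is already present. Returns True
    when the naive pattern matches a line that already contains `group`.
    """
    naive = re.compile(r"^AllowGroups(.*)(?! " + re.escape(group) + r")(.*)$")
    return naive.match("AllowGroups sshusers " + group + " wheel") is not None


if __name__ == "__main__":
    once, changed = add_group(CONFIG_WITHOUT, "groupN")
    print(changed, once.splitlines()[1])          # True AllowGroups sshusers wheel groupN
    again, changed = add_group(once, "groupN")
    print(changed, again == once)                 # False True
    print(naive_regex_matches_anyway("groupN"))   # True
```

The corrected pattern drops into one task: `regexp: '^(\s*AllowGroups(?!.*\bgroupN\b).*)$'`, `line: '\1 groupN'`, `backrefs: yes`. Two caveats carry over from the emulation: a missing AllowGroups line is never created, so keep a separate task for that case if the templated file may lack it, and a group name containing regex metacharacters must be escaped before it is spliced into the pattern.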

In this specific case, you can just add additional ‘AllowGroups’ lines in the ssh config. Just something I ran into last week as well…
All the different AllowGroups (and AllowUsers, DenyGroups, DenyUsers) lines are appended, so there is no need to add entries to an existing line.

I just have a template now, with some conditionals based on what roles/groups a server is in.