Overhaul reuse structure from role to task orientation

The overall config this will end up with is going to be nowhere near complicated enough to require the segmented structure of roles. A single directory of reusable tasks and resources will be much better
2020-12-04 14:47:33 -05:00 · 2020-12-04 14:47:33 -05:00 · f1639dce1e
parent 5df550669a
commit f1639dce1e
26 changed files with 181 additions and 476 deletions
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@ -1,19 +0,0 @@
---
- import_tasks: install.yml
-
- name: Start and enable docker service
-  become: true
-  systemd:
-    name: docker
-    state: started
-    enabled: yes
-
- import_tasks: tasks/preprocess-users.yml
-
- name: Add superusers to the docker group
-  become: true
-  user:
-    name: "{{ item.name }}"
-    groups: docker
-    append: yes
-  loop: "{{ _users_local_admin }}"
--- a/roles/networkd/defaults/main.yml
+++ b/roles/networkd/defaults/main.yml
@ -1,2 +0,0 @@
---
-omni_restart_services: false
--- a/roles/networkd/tasks/packages.yml
+++ b/roles/networkd/tasks/packages.yml
@ -1,38 +0,0 @@
---
- name: Install networkd on Fedora
-  when: ansible_distribution == "Fedora"
-  become: true
-  dnf:
-    state: latest
-    name:
-      - systemd-resolved
-      - systemd-networkd
-
- name: Install networkd on CentOS 7
-  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
-  become: true
-  yum:
-    state: latest
-    name:
-      - systemd-resolved
-      - systemd-networkd
-
- name: Install networkd on CentOS 8
-  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
-  become: true
-  block:
-    # The systemd-networkd EPEL package is currently in the testing phase, so we have
-    # to enable the testing EPEL repo to install it. Note that this is also done in
-    # the packages role
-    # https://bugzilla.redhat.com/show_bug.cgi?id=1789146
-    - name: Enable EPEL-Testing repository on CentOS 8s
-      lineinfile:
-        path: /etc/yum.repos.d/epel-testing.repo
-        regexp: "enabled=(0|1)"
-        line: "enabled=1"
-        insertbefore: "^$"
-        firstmatch: true
-    - name: Install networkd
-      dnf:
-        state: latest
-        name: systemd-networkd
--- a/roles/networkd/tasks/services.yml
+++ b/roles/networkd/tasks/services.yml
@ -1,39 +0,0 @@
---
- name: Disable NetworkManager
-  become: true
-  systemd:
-    name: "{{ item }}"
-    enabled: false
-  loop:
-    - NetworkManager
-    - NetworkManager-wait-online
-
- name: Enable systemd-networkd
-  become: true
-  systemd:
-    name: "{{ item }}"
-    enabled: true
-  loop:
-    - systemd-networkd
-    - systemd-resolved
-    - systemd-networkd-wait-online
-
- name: Stop NetworkManager
-  when: omni_restart_services == true
-  become: true
-  systemd:
-    name: "{{ item }}"
-    state: stopped
-  loop:
-    - NetworkManager
-    - NetworkManager-wait-online
-
- name: Start systemd-networkd
-  when: omni_restart_services == true
-  become: true
-  systemd:
-    name: "{{ item }}"
-    state: started
-  loop:
-    - systemd-networkd
-    - systemd-resolved
--- a/roles/networkd/templates/netdev.j2
+++ b/roles/networkd/templates/netdev.j2
@ -1,9 +0,0 @@
-# ANSIBLE MANAGED FILE - DO NOT EDIT
-[NetDev]
-Name={{ item.0.key }}
-Kind=vlan
-
-[VLAN]
-Id={{ item.1 }}
-
-# EOF
--- a/roles/networkd/templates/network.j2
+++ b/roles/networkd/templates/network.j2
@ -1,27 +0,0 @@
-# ANSIBLE MANAGED FILE - DO NOT EDIT
-[Match]
-Name={{ item.key }}
-
-[Network]
-DHCP={{ 'Yes' if item.value['dhcp'] | default(false) == true else 'No' }}
-IPv6AcceptRA={{ 'Yes' if item.value['dhcp6'] | default(false) == true else 'No' }}
-{% if item.value['addresses'] is defined %}
-{% for ip_addr in item.value['addresses'] %}
-Address={{ ip_addr }}
-{% endfor %}
-{% endif %}
-{% if item.value['dns'] is defined %}
-{% for dns_server in item.value['dns'] %}
-DNS={{ dns_server }}
-{% endfor %}
-{% endif %}
-{% if item.value['gateway'] is defined %}
-Gateway={{ item.value['gateway'] }}
-{% endif %}
-{% if item.value['vlans'] is defined %}
-{% for vlan_tag in item.value['vlans'] %}
-VLAN={{ item.key }}.{{ vlan_tag }}
-{% endfor %}
-{% endif %}
-
-# EOF
--- a/roles/packages/defaults/main.yml
+++ b/roles/packages/defaults/main.yml
@ -1,14 +0,0 @@
---
-# Role parameter documentation
-#
-# omni_pkg_repos - whether to install/enable additional repositories
-# omni_pkg_bindings - whether to install required ansible bindings to the system python
-# omni_pkg_update - whether to perform a package update
-# onni_pkg_clean - whether to force clean the package manager cache
-# omni_pkg_exclude - packages to exclude from an update; has no effect if
-#                    ``omni_pkg_update`` is false
-omni_pkg_repos: true
-omni_pkg_bindings: true
-omni_pkg_update: false
-omni_pkg_clean: false
-omni_pkg_exclude: ["kernel*", "docker-ce"]
--- a/roles/packages/tasks/bindings.yml
+++ b/roles/packages/tasks/bindings.yml
@ -1,30 +0,0 @@
---
- name: Install CentOS 8 python bindings
-  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
-  become: true
-  dnf:
-    state: latest
-    name:
-      - python3-libselinux
-      - python3-policycoreutils
-      - python3-firewall
-
- name: Install CentOS 7 python bindings
-  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
-  become: true
-  yum:
-    state: latest
-    name:
-      - libselinux-python
-      - policycoreutils-python
-      - python-firewall
-
- name: Install Fedora python bindings
-  when: ansible_distribution == "Fedora"
-  become: true
-  dnf:
-    state: latest
-    name:
-      - libselinux-python
-      - policycoreutils-python
-      - python3-firewall
--- a/roles/packages/tasks/update.yml
+++ b/roles/packages/tasks/update.yml
@ -1,37 +0,0 @@
---
-# Gotta hate this, but I have to hardcode the systemd exclusion on cent8
-# Because I'm using "janky-systemd-networkd-2-the-jankening" (see the networkd role)
-# there are a pile of conflicts when you run "dnf update" with it installed. I found
-# two options that work: 1) uninstall systemd-networkd, update, then reinstall it;
-# 2) hardcode the exclusion here. Whenever I thought too hard about the potential
-# consequences of instituting uninstalling-my-network-init-system-as-a-service I
-# started to get a migaine, so I went with option two.
- name: Upgrade Fedora and CentOS 8 packages
-  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
-  become: true
-  dnf:
-    state: latest
-    name: "*"
-    exclude: "{{ ','.join(omni_pkg_exclude + ['systemd*']) }}"
-
- name: Upgrade CentOS 7 packages
-  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
-  become: true
-  yum:
-    state: latest
-    name: "*"
-    exclude: "{{ ','.join(omni_pkg_exclude) }}"
-
- name: Upgrade Fedora packages
-  when: ansible_distribution == "Fedora"
-  become: true
-  dnf:
-    state: latest
-    name: "*"
-    exclude: "{{ ','.join(omni_pkg_exclude) }}"
-
-# Yeah I'll get here eventually
-# - name: Upgrade APT packages
-#   when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
-#   become: true
-#   apt:
--- a/roles/packages/vars/main.yml
+++ b/roles/packages/vars/main.yml
@ -1,46 +0,0 @@
---
-omni_packages_global:
-  - automake
-  - cmake
-  - curl
-  - gcc
-  - gcc-c++
-  - git
-  - make
-  - nano
-  - openssl-devel
-  - systemd-devel
-  - unzip
-  - vim
-  - vim-minimal
-
-omni_packages_fedora:
-  - libselinux-python
-  - git-lfs
-  - readline-devel
-  - policycoreutils-python
-  - python-devel
-  - python-virtualenv
-  - python3-devel
-
-omni_packages_centos_8:
-  - bind-utils
-  - bash-completion
-  - nc
-  - nfs-utils
-  - python3
-  - python3-pip
-  - python3-setuptools
-  - python3-virtualenv
-  - wget
-
-omni_packages_centos_7:
-  - bind-utils
-  - bash-completion
-  - nc
-  - nfs-utils
-  - python3
-  - python3-pip
-  - python3-setuptools
-  - python3-virtualenv
-  - wget
--- a/roles/sshd/defaults/main.yml
+++ b/roles/sshd/defaults/main.yml
@ -1,3 +0,0 @@
---
-omni_restart_services: false
-omni_ssh_enabled: true
--- a/roles/sshd/tasks/install.yml
+++ b/roles/sshd/tasks/install.yml
@ -1,14 +0,0 @@
---
- name: Install OpenSSH server on Fedora and CentOS 8
-  when: ansible_distribution == "Fedora" or (ansible_distribution == "CentOS" and ansible_distribution_major_version == "8")
-  become: true
-  dnf:
-    name: openssh-server
-    state: latest
-
- name: Install OpenSSH server on CentOS 7
-  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
-  become: true
-  yum:
-    name: openssh-server
-    state: latest
--- a/roles/sshd/templates/motd.j2
+++ b/roles/sshd/templates/motd.j2
@ -1,7 +0,0 @@
-
-     ////////////   ////     ////   ///////////
-    ////           //////   ////   ////    ////
-   ////////       //// /// ////   ///////////
-  ////           ////   //////   ////
- ////////////   ////     ////   {{ omni_description | default('Omni Network System') }}
- _______________________________{{ omni_description | default('Omni Network System') | length * '\\' }}\
--- a/tasks/centos-8-kernelplus.yml
+++ b/tasks/centos-8-kernelplus.yml
@ -1,62 +1,61 @@
 ---
- name: Disable kernel installation from base repository
+# This is a workaround for Cent8 removing drivers from the kernel that are required for
+# my RAID cards to work. Kernel-Plus includes the drivers, thus one of the first things
+# we need to do is to replace the kernel before doing an update.
+- name: Replace default kernel with kernel-plus on CentOS 8
+  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
  become: true
-  lineinfile:
-    path: /etc/yum.repos.d/CentOS-Base.repo
-    line: exclude=kernel*
+  block:
+    - name: Disable kernel installation from base repository
+      lineinfile:
+        path: /etc/yum.repos.d/CentOS-Base.repo
+        line: exclude=kernel*

- name: Enable Centos-plus repository
-  become: true
-  lineinfile:
-    path: /etc/yum.repos.d/CentOS-centosplus.repo
-    regexp: "#?enabled=(0|1)"
-    line: enabled=1
+    - name: Enable Centos-plus repository
+      lineinfile:
+        path: /etc/yum.repos.d/CentOS-centosplus.repo
+        regexp: "#?enabled=(0|1)"
+        line: enabled=1

- name: Enable kernel installation from plus repository
-  become: true
-  lineinfile:
-    path: /etc/yum.repos.d/CentOS-centosplus.repo
-    line: includepkgs=kernel*
+    - name: Enable kernel installation from plus repository
+      lineinfile:
+        path: /etc/yum.repos.d/CentOS-centosplus.repo
+        line: includepkgs=kernel*

-# Note that the order of the next four tasks is very specific and intentional
-# See this wiki page: https://plone.lucidsolutions.co.nz/linux/centos/7/install-centos-plus-kernel-kernel-plus/view
- name: Install kernel-plus
-  become: true
-  dnf:
-    name:
-      - kernel-plus
-      - kernel-plus-devel
-    state: latest
-  register: _dnf_kernel_plus
+    # Note that the order of the next four tasks is very specific and intentional
+    # See this wiki page: https://plone.lucidsolutions.co.nz/linux/centos/7/install-centos-plus-kernel-kernel-plus/view
+    - name: Install kernel-plus
+      dnf:
+        state: "{{ _runtime_update_state }}"
+        name:
+          - kernel-plus
+          - kernel-plus-devel
+      register: _dnf_kernel_plus

- name: Uninstall kernel-tools
-  become: true
-  dnf:
-    name:
-      - kernel-tools
-      - kernel-tools-libs
-    state: absent
+    - name: Uninstall kernel-tools
+      dnf:
+        name:
+          - kernel-tools
+          - kernel-tools-libs
+        state: absent

- name: Install kernel-plus-tools
-  become: true
-  dnf:
-    name:
-      - kernel-plus-tools
-      - kernel-plus-tools-libs
-    state: latest
+    - name: Install kernel-plus-tools
+      dnf:
+        state: "{{ _runtime_update_state }}"
+        name:
+          - kernel-plus-tools
+          - kernel-plus-tools-libs

- name: Reboot into new kernel
-  become: true
-  when: _dnf_kernel_plus.changed is true and "centos.plus" not in ansible_kernel
-  reboot:
-    reboot_timeout: 3600
+    - name: Reboot into new kernel
+      when: _dnf_kernel_plus.changed is true and "centos.plus" not in ansible_kernel
+      reboot:
+        reboot_timeout: 3600

- name: Uninstall kernel
-  become: true
-  dnf:
-    name:
-      - kernel
-      - kernel-devel
-      - kernel-core
-      - kernel-modules
-    state: absent
+    - name: Uninstall kernel
+      dnf:
+        state: absent
+        name:
+          - kernel
+          - kernel-devel
+          - kernel-core
+          - kernel-modules
--- a/tasks/deploy-ssh-keys.yml
+++ b/tasks/deploy-ssh-keys.yml
@ -1,29 +0,0 @@
---
- name: Create SSH directory
-  become: true
-  file:
-    path: /home/{{ item.name }}/.ssh
-    state: directory
-    owner: "{{ item.name }}"
-    group: "{{ item.name }}"
-    mode: 0755
-  loop: "{{ _users_local }}"
-
- name: Update authorized keys
-  become: true
-  authorized_key:
-    user: "{{ item.name }}"
-    key: "{{ item.sshkeys | join('\n') }}"
-    state: present
-    exclusive: true
-  loop: "{{ _users_local }}"
-
- name: Enforce ownership of authorized keys
-  become: true
-  file:
-    path: /home/{{ item.name }}/.ssh/authorized_keys
-    state: touch
-    owner: "{{ item.name }}"
-    group: "{{ item.name }}"
-    mode: 0444
-  loop: "{{ _users_local }}"
--- a/roles/docker/tasks/install.yml
+++ b/roles/docker/tasks/install.yml
@ -15,8 +15,8 @@
  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
  yum:
    # Update the cache to update with the new docker repo
-    update_cache: yes
-    state: latest
+    update_cache: true
+    state: "{{ _runtime_update_state }}"
    name:
      - device-mapper-persistent-data  # Required for docker devicestorage driver
      - lvm2                           #  same
@ -28,8 +28,8 @@
  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
  dnf:
    # Update the cache to update with the new docker repo
-    update_cache: yes
-    state: latest
+    update_cache: true
+    state: "{{ _runtime_update_state }}"
    name:
      - device-mapper-persistent-data  # Required for docker devicestorage driver
      - lvm2                           #  same
--- a/roles/networkd/tasks/main.yml
+++ b/roles/networkd/tasks/main.yml
@ -1,6 +1,4 @@
 ---
- import_tasks: packages.yml
-
 - name: Configure networking via systemd
  become: true
  when: omni_networking is defined
@ -13,33 +11,14 @@

    - name: Make network files
      template:
-        src: network.j2
+        src: networkd/network.j2
        dest: "/etc/systemd/network/{{ item.key }}.network"
        mode: 0644
      loop: "{{ omni_networking | dict2items }}"

    - name: Make netdev files
      template:
-        src: netdev.j2
+        src: networkd/netdev.j2
        dest: "/etc/systemd/network/{{ item.0.key + '.' + item.1 }}.netdev"
        mode: 0644
      loop: "{{ omni_networking | dict2items | subelements('value.vlans', true) }}"
-
- import_tasks: services.yml
-
- name: Symlink so systemd-resolved uses /etc/resolv.conf
-  become: true
-  file:
-    dest: /etc/resolv.conf
-    src: /run/systemd/resolve/resolv.conf
-    state: link
-    force: true
-    setype: net_conf_t
-
- name: Symlink so /etc/resolv.conf uses systemd
-  become: true
-  file:
-    dest: /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
-    src: /usr/lib/systemd/system/systemd-resolved.service
-    state: link
-    force: true
--- a/tasks/networkd/install.yml
+++ b/tasks/networkd/install.yml
@ -0,0 +1,26 @@
+---
+- name: Install systemd-networkd on CentOS 7
+  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
+  become: true
+  yum:
+    state: "{{ _runtime_update_state }}"
+    name:
+      - systemd-networkd
+      - systemd-resolved
+
+- name: Install systemd-networkd on CentOS 8
+  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
+  become: true
+  dnf:
+    state: "{{ _runtime_update_state }}"
+    name: systemd-networkd
+
+
+- name: Install systemd-networkd on Fedora
+  when: ansible_distribution == "Fedora" and ansible_distribution_major_version == "8"
+  become: true
+  dnf:
+    state: "{{ _runtime_update_state }}"
+    name:
+      - systemd-networkd
+      - systemd-resolved
--- a/tasks/networkd/services.yml
+++ b/tasks/networkd/services.yml
@ -0,0 +1,36 @@
+---
+- name: Disable NetworkManager
+  become: true
+  systemd:
+    name: "{{ item }}"
+    enabled: false
+  loop:
+    - NetworkManager
+    - NetworkManager-wait-online
+
+- name: Enable systemd-networkd
+  become: true
+  systemd:
+    name: "{{ item }}"
+    enabled: true
+  loop:
+    - systemd-networkd
+    - systemd-resolved
+    - systemd-networkd-wait-online
+
+- name: Symlink so systemd-resolved uses /etc/resolv.conf
+  become: true
+  file:
+    dest: /etc/resolv.conf
+    src: /run/systemd/resolve/resolv.conf
+    state: link
+    force: true
+    setype: net_conf_t
+
+- name: Symlink so /etc/resolv.conf uses systemd
+  become: true
+  file:
+    dest: /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
+    src: /usr/lib/systemd/system/systemd-resolved.service
+    state: link
+    force: true
--- a/roles/packages/tasks/clean.yml
+++ b/roles/packages/tasks/clean.yml
@ -1,14 +1,17 @@
 ---
- name: Clean DNF cache
-  become: true
+# I'm honestly not sure why these 304 warnings are being raised by the linter here...
+- name: Clean DNF cache  # noqa: 304
  when: ansible_distribution == "Fedora" or (ansible_distribution == "CentOS" and ansible_distribution_major_version == "8")
+  become: true
  command:
    cmd: /usr/bin/dnf clean all
    warn: false
+  changed_when: true

- name: Clean YUM cache
-  become: true
+- name: Clean YUM cache  # noqa: 304
  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
+  become: true
  command:
    cmd: /usr/bin/yum clean all
    warn: false
+  changed_when: true
--- a/roles/packages/tasks/main.yml
+++ b/roles/packages/tasks/main.yml
@ -1,23 +1,3 @@
---
- import_tasks: bindings.yml
-  when: omni_pkg_bindings == true
-
- import_tasks: repos.yml
-  when: omni_pkg_repos == true
-
- import_tasks: clean.yml
-  when: omni_pkg_clean == true
-
- import_tasks: update.yml
-  when: omni_pkg_update == true
-
- name: Install packages on Fedora
-  become: true
-  when: ansible_distribution == "Fedora"
-  dnf:
-    state: latest
-    name: "{{ omni_packages_global + omni_packages_fedora }}"
-
 # NOTE: This is currently horrifically broken. See the ongoing drama around
 # systemd-networkd on cent8. Basically triggering an update- or an install- will give
 # a conflict error due to the spicy-jankaroni-with-extra-cheese edition of
@ -30,12 +10,12 @@
  become: true
  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
  dnf:
-    state: latest
+    state: "{{ _runtime_update_state }}"
    name: "{{ omni_packages_global + omni_packages_centos_8 }}"

 - name: Install packages on CentOS 7
  become: true
  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
  yum:
-    state: latest
+    state: "{{ _runtime_update_state }}"
    name: "{{ omni_packages_global + omni_packages_centos_7 }}"
--- a/roles/packages/tasks/repos.yml
+++ b/roles/packages/tasks/repos.yml
@ -5,14 +5,16 @@
  block:
    - name: Enable Extra Packages for Enterprise Linux on CentOS 8
      dnf:
-        state: latest
+        state: present
        name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

-    - name: Enable EPEL-Testing repository on CentOS 8s
+    # The testing repo had to be enabled for a previous version of systemd-networkd
+    # to be installed
+    - name: Disable EPEL-Testing repository on CentOS 8
      lineinfile:
        path: /etc/yum.repos.d/epel-testing.repo
        regexp: "enabled=(0|1)"
-        line: "enabled=1"
+        line: "enabled=0"
        insertbefore: "^$"
        firstmatch: true

@ -25,6 +27,6 @@
 - name: Enable Extra Packages for Enterprise Linux on CentOS 7
  become: true
  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
-  dnf:
-    state: latest
-    name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpmz
+  yum:
+    state: present
+    name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
--- a/tasks/packages/update.yml
+++ b/tasks/packages/update.yml
@ -0,0 +1,32 @@
+---
+# Ansible Lint 403 ("Package installs should not use latest") is silenced here because
+# it would defeat the point otherwise
+- name: Upgrade Fedora and CentOS 8 packages  # noqa: 403
+  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
+  become: true
+  dnf:
+    state: latest
+    name: "*"
+    exclude: "{{ ','.join(omni_pkg_exclude | default(['kernel*', 'docker-ce'])) }}"
+
+- name: Upgrade CentOS 7 packages  # noqa: 403
+  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
+  become: true
+  yum:
+    state: latest
+    name: "*"
+    exclude: "{{ ','.join(omni_pkg_exclude | default(['kernel*', 'docker-ce'])) }}"
+
+- name: Upgrade Fedora packages  # noqa: 403
+  when: ansible_distribution == "Fedora"
+  become: true
+  dnf:
+    state: latest
+    name: "*"
+    exclude: "{{ ','.join(omni_pkg_exclude | default(['kernel*', 'docker-ce'])) }}"
+
+# Yeah I'll get here eventually
+# - name: Upgrade APT packages
+#   when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
+#   become: true
+#   apt:
--- a/tasks/preprocess-users.yml
+++ b/tasks/preprocess-users.yml
@ -1,39 +0,0 @@
---
- name: Load users variables
-  include_vars:
-    file: users.yml
-
- name: Reconcile user targets with host targets to get host users
-  set_fact:
-    _users_local: >-
-      {{
-      _users_local | default([]) + ([item] if item.targets | intersect(omni_local_targets) else [])
-      }}
-  loop: "{{ omni_users }}"
-
- name: Determine local user names
-  set_fact:
-    _users_local_names: "{{ _users_local_names | default([]) + [item.name] }}"
-  loop: "{{ _users_local }}"
-
- name: Determine administrative users
-  set_fact:
-    _users_local_admin: >-
-      {{
-      _users_local_admin | default([]) + ([item] if item.admin | default(False) else [])
-      }}
-  loop: "{{ _users_local }}"
-
- name: Determine existing users
-  shell: 'grep omni /etc/group | cut -d: -f4 | tr "," "\n"'
-  changed_when: false
-  register: _users_local_existing
-
- name: Determine removed users
-  set_fact:
-    _users_local_removed: >-
-      {{
-      _users_local_removed | default([]) +
-      ([item] if item not in _users_local_names else [])
-      }}
-  loop: "{{ _users_local_existing.stdout_lines }}"
--- a/tasks/sshd/banner.yml
+++ b/tasks/sshd/banner.yml
@ -0,0 +1,7 @@
+---
+- name: Install SSH Banner
+  become: true
+  template:
+    src: motd.j2
+    dest: /etc/issue.net
+    mode: 0644
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@ -1,13 +1,4 @@
 ---
- import_tasks: install.yml
-
- name: Install SSH Banner
-  become: true
-  template:
-    src: motd.j2
-    dest: /etc/issue.net
-    mode: 0644
-
 - name: Set parameters in sshd config
  become: true
  lineinfile:
@ -26,10 +17,13 @@
      set: "GSSAPIAuthentication no"
    - match: "#?ChallengeResponseAuthentication (yes|no)"
      set: "ChallengeResponseAuthentication no"
+  loop_control:
+    label: "{{ item.set }}"
+  register: _sshd_config_result

 - name: Restart sshd service
+  when: _sshd_config_result.changed
  become: true
  systemd:
    name: sshd
-    state: "{{ 'restarted' if omni_restart_services == true else 'started' }}"
-    enabled: "{{ omni_ssh_enabled }}"
+    state: restarted