From e70ab6ce45acd4a790a845b5fa91ded8831a78f3 Mon Sep 17 00:00:00 2001
From: Giancarlo Razzolini <grazzolini@archlinux.org>
Date: Mon, 17 Feb 2020 14:01:25 -0300
Subject: [PATCH] roles/aurweb: Change aurweb role to support sshd includes

Added support in the aurweb role for the new OpenSSH include mechanism
that's built into our sshd role.
---
 playbooks/aur-dev.archlinux.org.yml     | 2 +-
 roles/aurweb/tasks/main.yml             | 2 +-
 roles/aurweb/templates/aurweb_config.j2 | 5 +++++
 3 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 roles/aurweb/templates/aurweb_config.j2

diff --git a/playbooks/aur-dev.archlinux.org.yml b/playbooks/aur-dev.archlinux.org.yml
index 569e0d050..adf4e69ba 100644
--- a/playbooks/aur-dev.archlinux.org.yml
+++ b/playbooks/aur-dev.archlinux.org.yml
@@ -6,7 +6,7 @@
   roles:
     - { role: common }
     - { role: tools }
-    - { role: sshd }
+    - { role: sshd, sshd_enable_includes: true }
     - { role: root_ssh }
     - { role: certbot }
     - { role: nginx }
diff --git a/roles/aurweb/tasks/main.yml b/roles/aurweb/tasks/main.yml
index 19e220ae0..cba246d66 100644
--- a/roles/aurweb/tasks/main.yml
+++ b/roles/aurweb/tasks/main.yml
@@ -245,6 +245,6 @@
        - aurweb-tuvotereminder.timer
 
 - name: configure sshd
-  template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644 validate='/usr/sbin/sshd -t -f %s'
+  template: src=aurweb_config.j2 dest={{ sshd_includes_dir }}/aurweb_config owner=root group=root mode=0600 validate='/usr/sbin/sshd -t -f %s'
   notify:
     - restart sshd
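Review bot: The `validate='/usr/sbin/sshd -t -f %s'` on the new template line checks the fragment in isolation, so it proves the Match block parses but not that the running sshd ever reads it. After this change `PasswordAuthentication no` and the AuthorizedKeysCommand apply only where the sshd role has written an Include for `sshd_includes_dir`, and this patch sets `sshd_enable_includes: true` in one playbook only; whether other plays apply the aurweb role is not visible here. An `assert` on `sshd_enable_includes` ahead of this task, or a follow-up check of the effective settings with `sshd -T -C user={{ aurweb_user }}`, would turn a silently ignored fragment into a failed run. The task would also be easier to review in block YAML form, with `dest: "{{ sshd_includes_dir }}/aurweb_config"` and `mode: "0600"` quoted.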
diff --git a/roles/aurweb/templates/aurweb_config.j2 b/roles/aurweb/templates/aurweb_config.j2
new file mode 100644
index 000000000..371524a3b
--- /dev/null
+++ b/roles/aurweb/templates/aurweb_config.j2
@@ -0,0 +1,5 @@
+Match User {{ aurweb_user }}
+        PasswordAuthentication no
+        AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth "%t" "%k"
+        AuthorizedKeysCommandUser {{ aurweb_user }}
+        AcceptEnv AUR_OVERWRITE
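Review bot: `AuthorizedKeysCommandUser {{ aurweb_user }}` runs the key-lookup helper as the same account that is logging in, whereas sshd_config(5) recommends a dedicated user with no other role on the host, so that processes already running as the aurweb account cannot interfere with the lookup. If the helper has to run as that user, record the reason in a comment at the top of the template, for example `# aurweb-git-auth runs as the aurweb user because <reason>`. The block also sets no forwarding or TTY restrictions, so those depend entirely on the options the helper prints with each key, which this patch does not show; adding `DisableForwarding yes` and `PermitTTY no` inside the Match block would make them independent of the helper's output.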
-- 
GitLab