From f7c525f38c648198c744e351ecd8401f94210fb1 Mon Sep 17 00:00:00 2001
From: Denis Knauf
Date: Sun, 14 Jan 2024 22:32:35 +0100
Subject: [PATCH] sshd_config: checks for include-option, provided => write to 99-default.conf, else to sshd_config and prepend include to sshd_config, if not found.
---
 tasks/sshd_config.yml | 38 +++++++++++++++++++++++++++++---------
 1 file changed, 29 insertions(+), 9 deletions(-)
diff --git a/tasks/sshd_config.yml b/tasks/sshd_config.yml
index e7ed672..793a831 100644
--- a/tasks/sshd_config.yml
+++ b/tasks/sshd_config.yml
@@ -1,15 +1,35 @@
 ---
 # vim: set expandtab tabstop=2 shiftwidth=2:
-- when: '"debian" == ansible_facts["distribution"]|lower and 12 <= ansible_facts["distribution_version"]|int'
- name: 'sshd_config.d/99-default.conf'
- template:
- src: 'sshd-default.conf.j2'
- dest: '/etc/ssh/sshd_config.d/99-default.conf'
- owner: root
- group: root
- mode: 0644
-- when: '"debian" != ansible_facts["distribution"]|lower or 11 >= ansible_facts["distribution_version"]|int'
+- name: 'check sshd include option'
+ command: 'sshd -o "include /dev/null"'
+ register: sshd_include_option_check
+ failed_when: 'sshd_include_option_check.rc not in [1,255] or sshd_include_option_check.stderr not in ["Include directive not supported as a command-line option", "command-line: line 0: Bad configuration option: include"]'
+- set_facts:
+ sshd_include_option: 'sshd_include_option_check.stderr == "Include directive not supported as a command-line option"'
+- when: 'true == sshd_include_option'
+ block:
+ - name: '/etc/ssh/sshd_config.d'
+ file:
+ type: directory
+ dest: '/etc/ssh/sshd_config.d'
+ owner: root
+ group: root
+ mode: 0644
+ - name: 'sshd_config.d/99-default.conf'
+ template:
+ src: 'sshd-default.conf.j2'
+ dest: '/etc/ssh/sshd_config.d/99-default.conf'
+ owner: root
+ group: root
+ mode: 0644
+ - lineinfile:
+ path: /etc/ssh/sshd_config
+ insertbefore: BOF
+ regexp: '^\s*include\s+/etc/ssh/sshd_config.d/'
+ line: 'include /etc/ssh/sshd_config.d/*.conf'
+ firstmatch: true
+- when: 'false == sshd_include_option'
 block:
 - name: sshd_config
 lineinfile: