From 851d15f0e5845e78ee79f52fef6aa27425f329a6 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Tue, 19 Mar 2024 12:01:02 +0100
Subject: [PATCH] Update to 2024-03-19 12:01
---
 roles/seafile/defaults/main.yml | 4 ++--
 roles/ssh/defaults/main.yml | 4 ++++
 roles/ssh/tasks/conf.yml | 5 ++++-
 roles/ssh/templates/sshd_config.j2 | 2 +-
 4 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/roles/seafile/defaults/main.yml b/roles/seafile/defaults/main.yml
index 0f555d4..8864179 100644
--- a/roles/seafile/defaults/main.yml
+++ b/roles/seafile/defaults/main.yml
@@ -11,11 +11,11 @@
 # MaxUsers = "9"
 # Mode = "subscription"
 # etc...
-seafile_version: "{{ seafile_license is defined | ternary('10.0.9','11.0.5') }}"
+seafile_version: "{{ seafile_license is defined | ternary('10.0.9','11.0.6') }}"
 # Archive URL and sha256 are only used for the community version
 seafile_archive_url: https://s3.eu-central-1.amazonaws.com/download.seadrive.org/seafile-server_{{ seafile_version }}_x86-64.tar.gz
-seafile_archive_sha256: 47d994238519c679969a3c5591063041dc10102a6b1ac0e4d59be069c137225d
+seafile_archive_sha256: 792f5df347c07cba023ce99ca27d4c3bde36660890d34e0a2d54e6ff95a38103
 seafile_root_dir: /opt/seafile
 seafile_data_dir: "{{ seafile_root_dir }}/data"
diff --git a/roles/ssh/defaults/main.yml b/roles/ssh/defaults/main.yml
index d1eb5a4..320898f 100644
--- a/roles/ssh/defaults/main.yml
+++ b/roles/ssh/defaults/main.yml
@@ -71,3 +71,7 @@ sshd_max_conn_per_minute: 0
 # Use DNS. If disabled, kerb auth won't be used (as it uses DNS)
 # You might need to disable it when you need no SSH login delay even if DNS is unavailable
 sshd_use_dns: True
+
+# List of users for which no management of the SSH keys will be done by ansible (they will
+# be able to set their own ~/.ssh/authorized_keys)
+ssh_local_users: []
diff --git a/roles/ssh/tasks/conf.yml b/roles/ssh/tasks/conf.yml
index 86d70ee..cb67844 100644
--- a/roles/ssh/tasks/conf.yml
+++ b/roles/ssh/tasks/conf.yml
@@ -1,7 +1,10 @@
 ---
 - name: Deploy sshd configuration
- template: src=sshd_config.j2 dest=/etc/ssh/sshd_config
+ template:
+ src: sshd_config.j2
+ dest: /etc/ssh/sshd_config
+ validate: sshd -t -f %s
 notify: restart sshd
 tags: ssh
diff --git a/roles/ssh/templates/sshd_config.j2 b/roles/ssh/templates/sshd_config.j2
index 82d9e34..a3db0c4 100644
--- a/roles/ssh/templates/sshd_config.j2
+++ b/roles/ssh/templates/sshd_config.j2
@@ -57,7 +57,7 @@ X11Forwarding no
 Subsystem sftp internal-sftp
 # Local user are managed separately
-Match User root,ansible,lbkp,zimbra,zfs-recv
+Match User root,ansible,lbkp,zimbra,zfs-recv{% if ssh_local_users | length > 0 %},{{ ssh_local_users | join(',') }}{% endif +%}
 AuthorizedKeysFile /etc/ssh/authorized_keys/%u/authorized_keys %h/.ssh/authorized_keys
 {% for user in ssh_users | default([]) %}
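Review bot: In roles/ssh/tasks/conf.yml the rewritten `template:` mapping still leaves the ownership and mode of /etc/ssh/sshd_config to whatever already exists on the host; now that the arguments are a mapping they can be pinned with `owner: root`, `group: root` and `mode: "0600"` (or whichever mode the project standardises on). The `validate:` command resolves `sshd` through PATH, so an absolute path such as `/usr/sbin/sshd -t -f %s` would be more predictable, assuming that is where the binary lives on the managed hosts. `sshd -t` also checks the host keys, so on a host where they have not been generated yet this task may fail; worth confirming that the role creates them before this task runs.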
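Review bot: On the new `Match User` line in roles/ssh/templates/sshd_config.j2, the entries of `ssh_local_users` are joined verbatim into a list that sshd interprets as patterns, so an entry containing `*`, `?` or a leading `!` changes which accounts fall under this block and are therefore allowed `%h/.ssh/authorized_keys`, while a comma or whitespace inside an entry alters or breaks the line. Nothing visible in this patch restricts the variable to plain account names; a check in the role before templating (for example an `assert` that every entry matches a strict user-name pattern) would close that gap. The defaults comment could also state it: `# Entries must be plain account names; they are inserted verbatim into a sshd "Match User" pattern list`. The `{% for user in ssh_users %}` loop that follows is cut off by the hunk, so how these users interact with the per-user blocks cannot be checked from here.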