CI: Refactor sshd configuration into a role

Prep for applying it to macOS 13 GitHub runners.

refs mitogen-hq#1186

tests/image_prep/_container_setup.yml

@@ -23,10 +23,16 @@
   gather_facts: true
   vars:
     distro: "{{ansible_distribution}}"
-  tasks:
-    - when: ansible_virtualization_type != "docker"
-      meta: end_play
 
+  pre_tasks:
+    - meta: end_play
+      when:
+        - ansible_facts.virtualization_type != "docker"
+
+  roles:
+    - role: sshd
+
+  tasks:
     - name: Ensure requisite apt packages are installed
       apt:
         name: "{{ common_packages + packages }}"
@@ -134,10 +140,6 @@
         content: |
           i-am-mitogen-test-docker-image
 
-    - copy:
-        dest: /etc/ssh/banner.txt
-        src: ../data/docker/ssh_login_banner.txt
-
     - name: Ensure /etc/sudoers.d exists
       file:
         state: directory
@@ -169,17 +171,6 @@
         line: "%wheel  ALL=(ALL)       ALL"
       when: ansible_os_family == 'RedHat'
 
-    - name: Enable SSH banner
-      lineinfile:
-        path: /etc/ssh/sshd_config
-        line: Banner /etc/ssh/banner.txt
-
-    - name: Allow remote SSH root login
-      lineinfile:
-        path: /etc/ssh/sshd_config
-        line: PermitRootLogin yes
-        regexp: '.*PermitRootLogin.*'
-
     - name: Allow remote SSH root login
       lineinfile:
         path: /etc/pam.d/sshd

tests/image_prep/roles/sshd/defaults/main.yml

@@ -0,0 +1 @@
+sshd_config_file: /etc/ssh/sshd_config

tests/image_prep/roles/sshd/tasks/main.yml

@@ -0,0 +1,18 @@
+- name: Create login banner
+  copy:
+    src: banner.txt
+    dest: /etc/ssh/banner.txt
+    mode: u=rw,go=r
+
+- name: Configure sshd_config
+  lineinfile:
+    path: "{{ sshd_config_file }}"
+    line: "{{ item.line }}"
+    regexp: "{{ item.regexp }}"
+  loop:
+    - line:     Banner /etc/ssh/banner.txt
+      regexp:   '^#? *Banner.*'
+    - line:     PermitRootLogin yes
+      regexp:   '.*PermitRootLogin.*'
+  loop_control:
+    label: "{{ item.line }}"