On 2015-01-23 23:45, shawn wilson wrote:
> Is there a way to have default config lines that emerge updates won't touch?
>
> For instance, my /etc/ssh/sshd_config differs from the default in some
> places. I know this and upstream shows me the same diffs in that file
> over and over again. But maybe upstream will add a new option - I'd
> like to see that (obviously I'd miss out on new crypto types if I
> ignored that line, but that's ok - I keep up on that anyway). There
> are obviously other places in other files as well - logrotate
> retention comes to mind as well.

1) you have a fresh /etc/ssh/sshd_config
2) describe and apply the changes you want to make, like:
   ensure PermitRootLogin is without-password
   ensure AllowUsers is admin1 admin2

After some time, you have a shiny new OpenSSH version installed that adds some lines, so you have a ._cfg to deal with. What do you do?

- mv ._cfg to sshd_config
- do 2) as before

Your configuration is updated and your changes stay there too. I also keep a "virgin" copy of the configuration so that anybody who comes to the server can directly diff between the original file and the changes made.

This can be done in shell scripts, or an easier way is to use configuration management. For example, with Ansible, you can use the lineinfile module:
http://docs.ansible.com/lineinfile_module.html
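
The shell-script variant of the workflow described above, as an added example that is not part of the original message. The function names (`ensure_option`, `apply_local_policy`, `accept_update`) and the `.orig` suffix for the pristine copy are assumptions made for illustration; the pending update file is passed in as an argument.

```shell
#!/bin/sh
# Added example, not from the original post. All names here are hypothetical.

# ensure_option FILE KEY VALUE
# Idempotently set "KEY VALUE" in the global section of an sshd_config-style
# file. sshd uses the first value it obtains for most keywords, so later
# global duplicates are dropped. Commented defaults and anything inside a
# Match block are left untouched; a missing key is inserted before the first
# Match block so it cannot end up scoped to that block.
ensure_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { lkey = tolower(key) }
        in_match { print; next }
        tolower($1) == "match" {
            if (!done) { print key " " value; done = 1 }
            in_match = 1; print; next
        }
        tolower($1) == lkey {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Step 2 of the post: the local changes, described once and re-applied at will.
apply_local_policy() {
    ensure_option "$1" PermitRootLogin without-password &&
    ensure_option "$1" AllowUsers "admin1 admin2"
}

# accept_update FILE PENDING
# Take the pending update as the new base, keep a pristine copy of it for
# later diffing, then re-apply the local changes on top.
accept_update() {
    cp -p "$2" "$1.orig" &&
    mv "$2" "$1" &&
    apply_local_policy "$1"
}
```

Running `sshd -t -f` against the resulting file before restarting the daemon catches syntax errors, and `diff` between the `.orig` copy and the live file shows exactly the local deviations.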
