proposal.md 655 B

Why

Ansible's template module requires %s in the validate command as a placeholder for the temp file. Our drop-in config task uses validate: "sshd -t -f /etc/ssh/sshd_config", which lacks %s, so the module fails on both relay and landing servers.

What Changes

  • Remove the validate parameter from the SSH hardening drop-in task — it's a 6-line incremental config that doesn't need pre-validation; sshd reload will fail safely on bad syntax
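
An added example (not the project's own tasks) of the change above: the drop-in task without validate, followed by a check of the complete sshd configuration before the reload. The template name, drop-in path and service name are assumptions.

```yaml
# Added example, not the project's code. The template name, the drop-in path
# and the service name are assumptions ("ssh" on Debian/Ubuntu, "sshd" on RHEL).

# roles/base/tasks/main.yml
# Before: validate has no %s, so the template module fails before writing.
# - name: Install SSH hardening drop-in
#   ansible.builtin.template:
#     src: sshd_hardening.conf.j2
#     dest: /etc/ssh/sshd_config.d/50-hardening.conf
#     validate: "sshd -t -f /etc/ssh/sshd_config"

# After: no validate on the template task. The full configuration, drop-in
# included, is tested once the file is in place and before any reload.
- name: Install SSH hardening drop-in
  block:
    - name: Write drop-in
      ansible.builtin.template:
        src: sshd_hardening.conf.j2
        dest: /etc/ssh/sshd_config.d/50-hardening.conf
        owner: root
        group: root
        mode: "0600"
      register: sshd_dropin

    - name: Check the complete sshd configuration
      ansible.builtin.command:
        cmd: sshd -t -f /etc/ssh/sshd_config
      changed_when: false

    - name: Reload sshd
      ansible.builtin.service:
        name: sshd
        state: reloaded
      when: sshd_dropin is changed
  rescue:
    # Any failure above lands here, so a rejected drop-in never stays on disk
    # to break the next sshd restart.
    - name: Remove drop-in that failed the check
      ansible.builtin.file:
        path: /etc/ssh/sshd_config.d/50-hardening.conf
        state: absent

    - name: Stop the play for this host
      ansible.builtin.fail:
        msg: "sshd configuration check failed; drop-in removed, sshd not reloaded."
```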

Capabilities

New Capabilities

Modified Capabilities

Impact

  • roles/base/tasks/main.yml: remove validate from the SSH hardening drop-in task