Linux configuration can be tricky for new Linux admins. Editing the main config file directly often works, until an upgrade overwrites your changes or a typo takes down a service. That's where .d directories come in.
These special directories let you manage configuration in small, modular files instead of touching the system defaults.
It's a safer, cleaner, and more automation-friendly approach used across most modern Linux systems.
Table of Contents
What is a .d Directory?
A .d directory is simply a folder that holds multiple small configuration fragments for a single service.
For example:
/etc/ssh/sshd_config /etc/ssh/sshd_config.d/
The first is the main SSH daemon config file and the second (ending in .d) is a directory where you can drop in extra .conf files that get merged at startup.
The .d suffix isn't an official standard, but it's now a common Linux convention. It stands for "directory of configuration fragments" and is often called a drop-in directory because you can just "drop in" your changes without editing the base file.
Advantages of Using Drop-in Configuration Directory (.d)
1. Safe from Package Upgrades
System updates may replace or modify main config files. Files in .d directories are not touched, so your settings remain intact.
Example:
/etc/ssh/sshd_config.d/99-custom.conf
Your file will override defaults even after an upgrade.
2. Better for Automation
Tools like Ansible or Puppet work best when configs are modular. You can:
- Deploy or remove a single file.
- Manage version-controlled snippets.
- Avoid parsing large monolithic files.
3. Order and Precedence
Files in .d directories load alphabetically. Later files override earlier ones.
That's why many admins prefix filenames with numbers:
10-defaults.conf 50-hardening.conf 99-local.conf
4. Safer Troubleshooting
You can disable a config temporarily by renaming a single file. No need to risk breaking a huge system config by editing it in place.
Real Examples
| Service | Main File | Drop-in Directory |
|---|---|---|
| SSH | /etc/ssh/sshd_config | /etc/ssh/sshd_config.d/ |
| Systemd | /etc/systemd/system.conf | /etc/systemd/system.conf.d/ |
| APT | /etc/apt/apt.conf | /etc/apt/apt.conf.d/ |
| Logrotate | /etc/logrotate.conf | /etc/logrotate.d/ |
Best Practice
Keep distro defaults untouched and put your overrides in .d directories with clear naming:
/etc/ssh/sshd_config.d/99-hardening.conf
Only replace the main file if you truly need a full custom configuration, which is rare.
Key Takeaway
Even though .d directories aren't part of any strict standard, they've become a best practice for safe and maintainable Linux configuration.
They protect your settings from updates, simplify automation, and make system management less error-prone, which is exactly what you want when scaling with tools like Ansible.
Let's look at why you should use drop-In (.d) directories for Linux configuration management with an example, and how it makes automation tools like Ansible far more reliable.
1. The Old Way: Editing Main Config Files
Traditionally, sysadmins edited big configuration files directly:
sudo nano /etc/ssh/sshd_config
This works fine until:
- A package upgrade resets or merges the file
- A second admin overwrites your changes
- An automation tool tries to manage it differently
Result: config drift, merge conflicts, and headaches.
2. The Modern Way: Drop-In Config Directories
Modern Linux systems now support drop-in configuration directories like /etc/ssh/sshd_config.d/ and /etc/sudoers.d/. They let you safely extend or override defaults without touching the main file.
To fix this, most modern daemons now use a .d directory for modular configs.
An Example for SSH:
Include /etc/ssh/sshd_config.d/*.conf
Each .conf file inside that directory gets loaded in order, and later files override earlier ones.
So if you add /etc/ssh/sshd_config.d/99-custom.conf, it wins over everything else.
Other examples:
| Service | Directory |
|---|---|
| SSH | /etc/ssh/sshd_config.d/ |
| Systemd | /etc/systemd/system.conf.d/ |
| Sysctl | /etc/sysctl.d/ |
| Sudo | /etc/sudoers.d/ |
3. Why This Makes Automation Easier
When you use Ansible, Puppet, or Chef, these directories are a dream to manage.
You can simply drop a file instead of editing an existing one:
- name: Deploy SSH override
copy:
src: sshd_override.conf
dest: /etc/ssh/sshd_config.d/99-ansible.conf
mode: '0644'
notify: Reload sshdBenefits:
- No merge conflicts
- No overwriting distro defaults
- Fully idempotent (re-runs don't change anything unnecessarily)
- Works cleanly across OS versions
4. Practical Example: SSH Configuration
Instead of editing /etc/ssh/sshd_config to disable password login, just create:
/etc/ssh/sshd_config.d/99-hardening.conf
# Managed by Ansible PermitRootLogin no PasswordAuthentication no
Reload the service:
sudo systemctl reload sshd
Now your system is hardened, safe from package updates, and your automation remains clean.
5. When You Might Still Edit the Main File
- If the service does not yet support
.dincludes (rare today) - If you must remove or change the
Includedirective itself - For immutable images where you want total config control
But for everyday systems, overrides are safer and easier.
6. Key Takeaways
| Don't | Do |
|---|---|
Edit /etc/sshd_config directly | Drop your settings into /etc/ssh/sshd_config.d/99-custom.conf |
| Replace vendor files | Keep defaults intact for update safety |
| Restart blindly | Use systemctl reload to apply changes safely |
Frequently Asked Questions
A: Drop-in directories are special folders (like /etc/ssh/sshd_config.d/) where you can place small .conf files that extend or override the main configuration file. They make Linux configuration modular, safer, and easier to automate.
A: Editing main config files works, until updates or automation overwrite your changes. Drop-in files protect your settings from being lost and reduce merge conflicts when multiple admins or tools manage the same system.
.d directories?A: Not all, but most modern Linux services do, especially those managed by systemd, such as SSH, APT, sudo, sysctl, and journald.
You can usually confirm by checking if the main config file includes a line like:Include /etc/ssh/sshd_config.d/*.conf
.d files loaded?A: They're read alphabetically, and later files override earlier ones. That's why admins use numbered names such as:10-defaults.conf
99-custom.conf
A: System upgrades may replace or modify the main config files, but they never touch your files in the .d directory. Your overrides persist safely across updates.
.d directories with Ansible or Puppet?A: Just deploy your config as a small file inside the .d directory:name: Add SSH override
copy:
src: sshd_override.conf
dest: /etc/ssh/sshd_config.d/99-ansible.conf
mode: '0644'
notify: Reload sshd
This keeps automation idempotent and easy to maintain.
A: Only when:
- The service doesn't support includes
- You must change or remove the Include directive
- You're building an immutable or minimal image where you want total control
A: Simply rename or move the file:sudo mv /etc/ssh/sshd_config.d/99-custom.conf /etc/ssh/sshd_config.d/99-custom.conf.disabled
sudo systemctl reload sshd
.d directories contain subfolders?A: No, they only read files directly inside the directory. Nested folders are ignored.
.d directories?A: They bring safety, clarity, and modularity to Linux configuration. You can override vendor defaults without breaking updates, and tools like Ansible can manage them cleanly.
Conclusion
Drop-in .d directories make Linux configuration safer, cleaner, and easier to maintain. Instead of replacing entire files, you only add what's needed. This approach keeps the original vendor defaults intact, makes upgrades smoother, and reduces the risk of breaking critical services.
For system administrators and automation tools like Ansible, drop-in directories provide a structured way to manage changes across multiple systems. They help you avoid conflicts, simplify version control, and maintain predictable behavior.
In short, if you're managing Linux at scale, or just want a more reliable setup, learning to use .d directories is a best practice worth adopting.
So next time you see /etc/something.conf, look for /etc/something.d/, that's where modern Linux expects you to customize.
Recommended Read:
