# By default one key pair is generated on the first inventory host and copied to
# every other host. Use -e keys=unique to generate a separate key pair on each host.
---
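- name: Generate user SSH keys
  # keys=unique: every host generates its own pair; otherwise only the first
  # host does and the later plays copy that pair to the rest of the inventory.
  hosts: "{{ 'all' if keys | default(false) == 'unique' else 'all[0]' }}"
  gather_facts: false
  vars:
    ssh_key_type: ed25519
  tasks:
    - name: Gather needed facts
      ansible.builtin.setup:
        gather_subset:
          - '!all'
          - '!min'
          - user
      # Only the user subset is needed; skip the gather when a cached fact run
      # already provided it.
      when: >-
        ansible_facts.user_dir is not defined or
        ansible_facts.user_id is not defined

    - name: Generate user public/private SSH key pair
      ansible.builtin.user:
        name: "{{ ansible_facts.user_id }}"
        state: present
        generate_ssh_key: true
        ssh_key_type: "{{ ssh_key_type }}"

    - name: Read user public SSH key
      ansible.builtin.slurp:
        src: "{{ ansible_facts.user_dir }}/.ssh/id_{{ ssh_key_type }}.pub"
      register: public_key

    - name: Read user private SSH key
      ansible.builtin.slurp:
        src: "{{ ansible_facts.user_dir }}/.ssh/id_{{ ssh_key_type }}"
      register: private_key
      # The registered result holds the private key (base64); keep it out of
      # verbose output and log files. Note no_log also hides failure details.
      no_log: true

    - name: Set public SSH key
      ansible.builtin.set_fact:
        public_ssh_key: "{{ public_key.content | b64decode }}"

    - name: Set private SSH key
      ansible.builtin.set_fact:
        private_ssh_key: "{{ private_key.content | b64decode }}"
      # Same reason as above: the decoded private key is the fact value.
      no_log: true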
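- name: Set shared SSH keys
  # Shared mode: every host except the first inherits the first host's key pair
  # as facts. In unique mode the play targets only the first host and both
  # tasks are skipped by their when condition.
  hosts: "{{ 'all:!all[0]' if keys | default(false) != 'unique' else 'all[0]' }}"
  gather_facts: false
  tasks:
    - name: Set shared public SSH key
      ansible.builtin.set_fact:
        public_ssh_key: "{{ hostvars[groups.all[0]].public_ssh_key }}"
      when: keys | default(false) != 'unique'

    - name: Set shared private SSH key
      ansible.builtin.set_fact:
        private_ssh_key: "{{ hostvars[groups.all[0]].private_ssh_key }}"
      # The fact value is the private key; keep it out of output and logs.
      no_log: true
      when: keys | default(false) != 'unique'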
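- name: Distribute shared SSH key
  # Shared mode only: write the first host's key pair into each other host's
  # ~/.ssh. In unique mode the play targets just the first host and every task
  # after the fact gather is skipped.
  hosts: "{{ 'all:!all[0]' if keys | default(false) != 'unique' else 'all[0]' }}"
  gather_facts: false
  vars:
    # Play-level vars do not carry over from the first play, so the key type
    # must be declared here too or the dest paths below are undefined.
    # An -e ssh_key_type=... override still takes precedence over this default.
    ssh_key_type: ed25519
  tasks:
    - name: Gather needed facts
      ansible.builtin.setup:
        gather_subset:
          - '!all'
          - '!min'
          - user
      when: ansible_facts.user_dir is not defined

    - name: Create user SSH directory
      ansible.builtin.file:
        path: "{{ ansible_facts.user_dir }}/.ssh"
        state: directory
        mode: '0700'
      when: keys | default(false) != 'unique'

    - name: Create public SSH key
      ansible.builtin.copy:
        content: "{{ hostvars[groups.all[0]].public_ssh_key }}"
        dest: "{{ ansible_facts.user_dir }}/.ssh/id_{{ ssh_key_type }}.pub"
        mode: '0644'
      when: keys | default(false) != 'unique'

    - name: Create private SSH key
      ansible.builtin.copy:
        content: "{{ hostvars[groups.all[0]].private_ssh_key }}"
        dest: "{{ ansible_facts.user_dir }}/.ssh/id_{{ ssh_key_type }}"
        mode: '0600'
      # Hide the key material from task output, diffs and logs.
      no_log: true
      when: keys | default(false) != 'unique'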
- name: Enable cross-node SSH access
  # Full mesh: every host in the batch is authorized on every host, and each
  # host's ed25519 host key is pinned in every user's known_hosts. Host keys are
  # taken from facts gathered over the existing Ansible connection, so the
  # pinning is only as trustworthy as that connection.
  hosts: all
  gather_facts: false
  tasks:
    - name: Gather needed facts
      ansible.builtin.setup:
        gather_subset:
          - '!all'
          - '!min'
          - network
          - ssh_host_key_ed25519_public
          - user
      when: >-
        ansible_facts.user_dir is not defined or
        ansible_facts.user_id is not defined or
        ansible_facts.fqdn is not defined or
        ansible_facts.hostname is not defined or
        ansible_facts.default_ipv4 is not defined or
        ansible_facts.ssh_host_key_ed25519_public is not defined

    - name: Update authorized keys
      ansible.posix.authorized_key:
        user: "{{ ansible_facts.user_id }}"
        key: "{{ hostvars[item].public_ssh_key }}"
      loop: "{{ ansible_play_batch }}"

    # known_hosts lines below have the form "<names> ssh-ed25519 <key>".
    # lineinfile only ensures the exact line exists; a changed host key or
    # address adds a new line rather than replacing the old one.
    - name: Update known_hosts localhost entry
      ansible.builtin.lineinfile:
        path: "{{ ansible_facts.user_dir }}/.ssh/known_hosts"
        line: >-
          {{ 'localhost,127.0.0.1 ssh-ed25519 ' ~ ansible_facts.ssh_host_key_ed25519_public }}
        create: true
        mode: '0600'

    # NOTE(review): assumes every host has a default IPv4 route, otherwise
    # default_ipv4.address is unset and the template fails — confirm for the
    # target inventory.
    - name: Update known_hosts FQDN entry
      ansible.builtin.lineinfile:
        path: "{{ ansible_facts.user_dir }}/.ssh/known_hosts"
        line: >-
          {{ hostvars[item].ansible_facts.fqdn }},{{ hostvars[item].ansible_facts.default_ipv4.address }}
          ssh-ed25519 {{ hostvars[item].ansible_facts.ssh_host_key_ed25519_public }}
        create: true
        mode: '0600'
      loop: "{{ ansible_play_batch }}"

    - name: Update known_hosts short entry
      ansible.builtin.lineinfile:
        path: "{{ ansible_facts.user_dir }}/.ssh/known_hosts"
        line: >-
          {{ hostvars[item].ansible_facts.hostname }},{{ hostvars[item].ansible_facts.default_ipv4.address }}
          ssh-ed25519 {{ hostvars[item].ansible_facts.ssh_host_key_ed25519_public }}
        create: true
        mode: '0600'
      loop: "{{ ansible_play_batch }}"