il/ilnmors-homelab
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a7365da43101b7abd734499cbe16c5e0b7b31ecb
ilnmors-homelab/ansible/roles/console/tasks/node/set_ssh_client.yaml
il a7365da431 1.0.0 Release IaaS
2026-03-15 04:41:02 +09:00

110 lines
3.4 KiB
YAML
Raw Blame History

---
- name: Create ssh id_console
ansible.builtin.copy:
content: "{{ hostvars['console']['ssh']['console']['key'] }}"
dest: "/etc/secrets/{{ node['uid'] }}/id_console"
owner: "{{ ansible_user }}"
group: "root"
mode: "0400"
become: true
no_log: true
- name: Create ssh id_console.pub
ansible.builtin.copy:
content: "{{ hostvars['console']['ssh']['console']['pub'] }}"
dest: "/etc/secrets/{{ node['uid'] }}/id_console.pub"
owner: "{{ ansible_user }}"
group: "root"
mode: "0400"
become: true
no_log: true
- name: Create ssh_known_hosts
become: true
ansible.builtin.copy:
content: |
@cert-authority *.ilnmors.internal {{ hostvars['console']['ssh']['ca']['pub'] }}
dest: "/etc/ssh/ssh_known_hosts"
owner: "root"
group: "root"
mode: "0644"
no_log: true
- name: Check id_console-cert.pub
ansible.builtin.stat:
path: "/etc/secrets/{{ node['uid'] }}/id_console-cert.pub"
register: "is_signed_console_key"
- name: Get current id_console-cert.pub allow users
ansible.builtin.shell: |
set -o pipefail
ssh-keygen -L -f /etc/secrets/{{ node['uid'] }}/id_console-cert.pub | \
sed -n '/Principals:/,/Critical Options:/p' | \
sed '1d;$d' | \
sed 's/^[[:space:]]*//'
when: is_signed_console_key.stat.exists
changed_when: false
register: "current_allow_users"
no_log: true
- name: Set key informations
ansible.builtin.set_fact:
current_user_list: "{{ current_allow_users.stdout_lines }}"
when: is_signed_console_key.stat.exists
no_log: true
- name: Compare key values between current information and defined information
ansible.builtin.set_fact:
is_certificate_info_different: true
when: (current_user_list | default([])) != (node['ssh_users'].split(',') | map('trim') | list)
- name: Get SSH CA and signing
when: not is_signed_console_key.stat.exists or (is_certificate_info_different | default(false))
block:
- name: Get SSH CA
ansible.builtin.copy:
content: |
{{ hostvars['console']['ssh']['ca']['key'] }}
dest: "/run/user/{{ node['uid'] }}/local_ssh_ca_private_key"
owner: "console"
group: "svadmins"
mode: "0400"
no_log: true
- name: Sign on ssh console key (pub file)
ansible.builtin.command: |
ssh-keygen -s /run/user/{{ node['uid'] }}/local_ssh_ca_private_key \
-I "{{ node['name'] }}" \
-n "{{ node['ssh_users'] }}" \
/etc/secrets/{{ node['uid'] }}/id_console.pub
become: true
changed_when: not is_signed_console_key.stat.exists or (is_certificate_info_different | default(false))
no_log: true
always:
- name: Clean temporary files
ansible.builtin.file:
path: "/run/user/{{ node['uid'] }}/local_ssh_ca_private_key"
state: "absent"
no_log: true
- name: Create .ssh directory
ansible.builtin.file:
path: "{{ node['home_path'] }}/.ssh"
state: "directory"
owner: "{{ ansible_user }}"
group: "svadmins"
mode: "0700"
- name: Create ssh config file
ansible.builtin.copy:
content: |
{% for host in groups['all'] if host != 'console' %}
Host {{ host }}
HostName {{ hostvars[host]['ansible_host'] }}
User {{ hostvars[host]['ansible_user'] }}
IdentityFile /etc/secrets/{{ node['uid'] }}/id_console
{% endfor %}
dest: "{{ node['home_path'] }}/.ssh/config"
owner: "{{ ansible_user }}"
group: "svadmins"
mode: "0600"
Reference in New Issue View Git Blame Copy Permalink