LILiK
/
lilik_playbook
5
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Playbooks to a new Lilik
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
248 Commits
12 Branches
967 KiB
 
 
 
 
Tree: ce001b6bef
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ce001b6bef'
${ noResults }
lilik_playbook/roles/ssh_server/tasks/main.yaml

132 lines
3.5 KiB
Raw Blame History

# We can not use include_role here since it not share the connection with the current role
- include: roles/service/tasks/main.yaml
vars:
service_name: ssh
service_packages:
- openssh-server
- openssh-sftp-server
- name: lookup user ca key
set_fact:
user_ca_key: "{{ lookup('file', 'test_ssh_ca.pub') }}"
- name: Update container user CA key
copy:
content: "ssh-rsa {{ user_ca_key }}"
dest: "/etc/ssh/user_ca.pub"
notify: restart ssh
- name: Check if host certificate is valid
shell: '[[ $(ssh-keygen -f /etc/ssh/ssh_host_ed25519_key-cert.pub -L |grep "$(ssh-keygen -f /etc/ssh/user_ca.pub -l|cut -d " " -f 2)" -A 3 |grep Valid |cut -d " " -f 13) > $(date +%Y-%m-%dT%H:%M:%S --date "+1 month") ]]'
args:
executable: /bin/bash
register: vm_has_valid_ssh_certificate
changed_when: false
failed_when: false
- debug:
var: vm_has_valid_ssh_certificate
verbosity: 2
- block:
- name: Read host public key
slurp:
src: "/etc/ssh/ssh_host_ed25519_key.pub"
register: vm_public_key
- debug:
var: vm_public_key['content']
verbosity: 2
- name: generate host request
set_fact:
ca_request:
type: 'sign_request'
request:
keyType: 'ssh_host'
hostName: '{{ ansible_docker_extra_args | default(inventory_hostname) }}.lilik.it'
keyData: "{{ vm_public_key['content'] | b64decode | replace('\n', '')}}"
- debug:
var: ca_request | to_json
verbosity: 2
- name: start sign request
include: ca-dialog.yaml
vars:
ansible_connection: ssh
- debug:
var: request_result
verbosity: 2
- set_fact:
request_output: "{{ request_result.stdout | from_json }}"
- debug:
var: request_output
verbosity: 2
- name: generate get request
set_fact:
ca_request:
type: 'get_certificate'
requestID: '{{ request_output.requestID }}'
- debug:
var: ca_request
verbosity: 2
- debug:
msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"
- name: wait for cert
include: ca-dialog.yaml
vars:
ansible_connection: ssh
- debug:
var: request_result
verbosity: 2
- set_fact:
cert_key: "{{ request_result.stdout | string | from_json }}"
- name: Write certificate to container
copy:
content: "{{ cert_key.result }}"
dest: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
register: set_pub_key
notify: restart ssh
when: "vm_has_valid_ssh_certificate.rc != 0"
- name: add certificate to sshd config
lineinfile:
line: 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub'
dest: '/etc/ssh/sshd_config'
regexp: '^HostCertificate *'
notify: restart ssh
- name: trust user ca key
lineinfile:
line: 'TrustedUserCAKeys /etc/ssh/user_ca.pub'
dest: '/etc/ssh/sshd_config'
regexp: '^TrustedUserCAKeys *'
notify: restart ssh
- name: permit root login only with certificate
lineinfile:
line: 'PermitRootLogin without-password'
dest: '/etc/ssh/sshd_config'
regexp: '^PermitRootLogin *'
notify: restart ssh
- meta: flush_handlers
- name: "waiting for ssh on {{ ansible_docker_extra_args | default(inventory_hostname) }} to start"
wait_for:
host: "{{ hostvars | ip_from_inventory(inventory_hostname) }}"
port: 22
timeout: 30
delegate_to: "{{ inventory_hostname }}"
delegate_facts: True