kube/ansible-update-ssh-config.yaml

---
- name: Collect servers SSH public keys to known_hosts
  hosts: localhost
  connection: local
  vars:
    targets: "{{ hostvars[groups['all']] }}"
  tasks:
    - name: Generate known_hosts
      ansible.builtin.copy:
        dest: known_hosts
        content: |
          # Use `ansible-playbook ansible-update-ssh-config.yml` to update this file
          {% for host in groups['all'] | sort %}
          {{ lookup('ansible.builtin.pipe', 'ssh-keyscan -t ecdsa %s ' % (
              hostvars[host].get('ansible_host', host))) }} # {{ host }}
          {% endfor %}
    - name: Generate ssh_config
      ansible.builtin.copy:
        dest: ssh_config
        content: |
          # Use `ansible-playbook ansible-update-ssh-config.yml` to update this file
          # Use `ssh -F ssh_config ...` to connect to target machine or
          # Add `Include ~/path/to/this/kube/ssh_config` in your ~/.ssh/config
          {% for host in groups['all'] | sort %}
          Host {{ [host, hostvars[host].get('ansible_host', host)] | unique | join(' ') }}
              User root
              Hostname {{ hostvars[host].get('ansible_host', host) }}
              GlobalKnownHostsFile known_hosts
              UserKnownHostsFile /dev/null
              ControlMaster auto
              ControlPersist 8h
          {% endfor %}

- name: Pull authorized keys from Gitea
  hosts: localhost
  connection: local
  vars:
    targets: "{{ hostvars[groups['all']] }}"
  tasks:
    - name: Download https://git.k-space.ee/user.keys
      loop:
        - arti
        - eaas
        - lauri
        - rasmus
      ansible.builtin.get_url:
        url: https://git.k-space.ee/{{ item }}.keys
        dest: "./{{ item }}.keys"

- name: Push authorized keys to targets
  hosts:
    - misc
    - kubernetes
    - doors
  tasks:
    - name: Generate /root/.ssh/authorized_keys
      ansible.builtin.copy:
        dest: "/root/.ssh/authorized_keys"
        owner: root
        group: root
        mode: '0644'
        content: |
          # Use `ansible-playbook ansible-update-ssh-config.yml` from https://git.k-space.ee/k-space/kube/ to update this file
          {% for user in admins + extra_admins | unique | sort %}
          {% for line in lookup("ansible.builtin.file", user + ".keys").split("\n") %}
          {% if line.startswith("sk-") %}
          {{ line }} # {{ user }}
          {% endif %}
          {% endfor %}
          {% endfor %}
Add Ansible playbook to update known_hosts and ssh_config 2024-07-19 08:47:16 +00:00			`---`
Reorder SSH key update playbook 2024-07-27 05:30:17 +00:00			`- name: Collect servers SSH public keys to known_hosts`
			`hosts: localhost`
			`connection: local`
			`vars:`
			`targets: "{{ hostvars[groups['all']] }}"`
			`tasks:`
			`- name: Generate known_hosts`
			`ansible.builtin.copy:`
			`dest: known_hosts`
			`content: \|`
			# Use `ansible-playbook ansible-update-ssh-config.yml` to update this file
			`{% for host in groups['all'] \| sort %}`
			`{{ lookup('ansible.builtin.pipe', 'ssh-keyscan -t ecdsa %s ' % (`
			`hostvars[host].get('ansible_host', host))) }} # {{ host }}`
			`{% endfor %}`
			`- name: Generate ssh_config`
			`ansible.builtin.copy:`
			`dest: ssh_config`
			`content: \|`
			# Use `ansible-playbook ansible-update-ssh-config.yml` to update this file
			# Use `ssh -F ssh_config ...` to connect to target machine or
			# Add `Include ~/path/to/this/kube/ssh_config` in your ~/.ssh/config
			`{% for host in groups['all'] \| sort %}`
			`Host {{ [host, hostvars[host].get('ansible_host', host)] \| unique \| join(' ') }}`
			`User root`
			`Hostname {{ hostvars[host].get('ansible_host', host) }}`
			`GlobalKnownHostsFile known_hosts`
			`UserKnownHostsFile /dev/null`
			`ControlMaster auto`
			`ControlPersist 8h`
			`{% endfor %}`

Add Ansible tasks to update authorized SSH keys 2024-07-19 11:08:51 +00:00			`- name: Pull authorized keys from Gitea`
			`hosts: localhost`
			`connection: local`
			`vars:`
			`targets: "{{ hostvars[groups['all']] }}"`
			`tasks:`
			`- name: Download https://git.k-space.ee/user.keys`
			`loop:`
			`- arti`
			`- eaas`
			`- lauri`
			`- rasmus`
			`ansible.builtin.get_url:`
			`url: https://git.k-space.ee/{{ item }}.keys`
			`dest: "./{{ item }}.keys"`

			`- name: Push authorized keys to targets`
			`hosts:`
			`- misc`
			`- kubernetes`
			`- doors`
			`tasks:`
			`- name: Generate /root/.ssh/authorized_keys`
			`ansible.builtin.copy:`
			`dest: "/root/.ssh/authorized_keys"`
			`owner: root`
			`group: root`
			`mode: '0644'`
			`content: \|`
			# Use `ansible-playbook ansible-update-ssh-config.yml` from https://git.k-space.ee/k-space/kube/ to update this file
			`{% for user in admins + extra_admins \| unique \| sort %}`
			`{% for line in lookup("ansible.builtin.file", user + ".keys").split("\n") %}`
			`{% if line.startswith("sk-") %}`
			`{{ line }} # {{ user }}`
			`{% endif %}`
			`{% endfor %}`
			`{% endfor %}`