From 278817249e98d0eadb72b3166f052207df4b1d1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lauri=20V=C3=B5sandi?=
Date: Fri, 19 Jul 2024 14:08:51 +0300
Subject: [PATCH] Add Ansible tasks to update authorized SSH keys
---
 .gitignore | 1 +
 ansible-update-ssh-config.yaml | 42 ++++++++++++++++++++++++++++
 ansible.cfg | 4 ++-
 inventory.yml | 10 +++++--
 ssh_config | 50 ++++++++++++++++++++++++++++++++++
 5 files changed, 103 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index a2c59e9..0faa25c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+*.keys
 *secrets.yml
 *secret.yml
 *.swp
diff --git a/ansible-update-ssh-config.yaml b/ansible-update-ssh-config.yaml
index cf2e577..9374627 100644
--- a/ansible-update-ssh-config.yaml
+++ b/ansible-update-ssh-config.yaml
@@ -1,4 +1,42 @@
 ---
+- name: Pull authorized keys from Gitea
+ hosts: localhost
+ connection: local
+ vars:
+ targets: "{{ hostvars[groups['all']] }}"
+ tasks:
+ - name: Download https://git.k-space.ee/user.keys
+ loop:
+ - arti
+ - eaas
+ - lauri
+ - rasmus
+ ansible.builtin.get_url:
+ url: https://git.k-space.ee/{{ item }}.keys
+ dest: "./{{ item }}.keys"
+
+- name: Push authorized keys to targets
+ hosts:
+ - misc
+ - kubernetes
+ - doors
+ tasks:
+ - name: Generate /root/.ssh/authorized_keys
+ ansible.builtin.copy:
+ dest: "/root/.ssh/authorized_keys"
+ owner: root
+ group: root
+ mode: '0644'
+ content: |
+ # Use `ansible-playbook ansible-update-ssh-config.yml` from https://git.k-space.ee/k-space/kube/ to update this file
+ {% for user in admins + extra_admins | unique | sort %}
+ {% for line in lookup("ansible.builtin.file", user + ".keys").split("\n") %}
+ {% if line.startswith("sk-") %}
+ {{ line }} # {{ user }}
+ {% endif %}
+ {% endfor %}
+ {% endfor %}
+
 - name: Collect servers SSH public keys to known_hosts
 hosts: localhost
 connection: local
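Review bot: The get_url task in the first play never refreshes an existing `./<user>.keys` file, because get_url downloads only when dest is missing unless `force: true` is set, so a key a user removes from Gitea keeps being pushed into every root authorized_keys for as long as the gitignored local cache survives; add `force: true` next to `dest`. In the authorized_keys template Jinja applies filters before `+`, so `admins + extra_admins | unique | sort` dedups and sorts only extra_admins — write `{% for user in (admins + extra_admins) | unique | sort %}`. The `targets` var is used by neither play and appears to index hostvars with a list, which would fail if it were ever rendered; drop it. The hard-coded loop list has to contain every name that appears in inventory admins or extra_admins, otherwise the file lookup for the missing name aborts the push; a comment above `loop:` such as `# Keep in sync with admins/extra_admins in inventory.yml` records that coupling. The `sk-` filter silently discards every non-FIDO key a user publishes, which deserves a line in the generated header, e.g. `# Only FIDO/U2F-backed (sk-*) keys are accepted`.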
@@ -19,10 +57,14 @@
 dest: ssh_config
 content: |
 # Use `ansible-playbook ansible-update-ssh-config.yml` to update this file
+ # Use `ssh -F ssh_config ...` to connect to target machine or
+ # Add `Include ~/path/to/this/kube/ssh_config` in your ~/.ssh/config
 {% for host in groups['all'] | sort %}
 Host {{ [host, hostvars[host].get('ansible_host', host)] | unique | join(' ') }}
 User root
 Hostname {{ hostvars[host].get('ansible_host', host) }}
 GlobalKnownHostsFile known_hosts
 UserKnownHostsFile /dev/null
+ ControlMaster auto
+ ControlPersist 8h
 {% endfor %}
diff --git a/ansible.cfg b/ansible.cfg
index 968f177..90a4b83 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -5,9 +5,11 @@ pattern =
 deprecation_warnings = False
 fact_caching = jsonfile
 fact_caching_connection = ~/.ansible/k-space-fact-cache
+
+fact_caching_timeout = 7200
 remote_user = root
 
 [ssh_connection]
-control_path = %(directory)s/%%r@%%h:%%p
+control_path = ~/.ssh/cm-%%r@%%h:%%p
 ssh_args = -o ControlMaster=auto -o ControlPersist=8h -F ssh_config
 pipelining = True
diff --git a/inventory.yml b/inventory.yml
index 53a8285..85a0006 100644
--- a/inventory.yml
+++ b/inventory.yml
@@ -1,4 +1,9 @@
 all:
+ vars:
+ admins:
+ - lauri
+ - eaas
+ extra_admins: []
 children:
 misc:
 hosts:
@@ -8,7 +13,7 @@ all:
 ansible_host: 172.23.0.7
 proxmox:
 vars:
- admins:
+ extra_admins:
 - rasmus
 hosts:
 pve1:
@@ -63,9 +68,8 @@ all:
 # ansible_host: 172.20.3.89
 doors:
 vars:
- admins:
+ extra_admins:
 - arti
- - herman
 hosts:
 grounddoor:
 ansible_host: 100.102.3.1
diff --git a/ssh_config b/ssh_config
index efe1ead..744f2d1 100644
--- a/ssh_config
+++ b/ssh_config
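Review bot: `ControlMaster auto` added to the generated ssh_config does nothing on its own for the interactive `ssh -F ssh_config` use the new comment advertises, because no `ControlPath` is emitted and OpenSSH does not share connections without one; Ansible still multiplexes only because ansible.cfg passes its own control_path on the command line. Add `ControlPath ~/.ssh/cm-%r@%h:%p` after `ControlPersist 8h` so both paths reuse one socket, and keep that directory private to the user, since the socket is equivalent to a passwordless root login for the 8h the master persists. The header comment still names `ansible-update-ssh-config.yml` while the playbook file is `ansible-update-ssh-config.yaml`. The task holding this template starts outside the hunk.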
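Review bot: The blank line is inserted above `fact_caching_timeout` rather than below it, which separates it from the other fact_caching keys and glues it to the unrelated `remote_user`; move the blank line after it. `ssh_args` still passes `-o ControlMaster=auto -o ControlPersist=8h`, and command-line options take precedence over the same settings now written into the generated ssh_config, so the two copies have to stay in sync or the ssh_args copy should be dropped. A comment on the new control_path line, `# Kept under ~/.ssh so interactive ssh -F ssh_config can reuse Ansible's master connection`, would record why it moved out of %(directory)s, assuming that is the intent.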
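Review bot: Dropping `herman` from the doors extra_admins in the third inventory hunk is an access revocation that takes effect only when the push play is next run against every host that previously received that key, and nothing in the change records that such a run is required; it is worth stating in the commit message or running the playbook as part of the change. The proxmox group now provides `extra_admins: [rasmus]` in the second hunk, but the push play in ansible-update-ssh-config.yaml targets misc, kubernetes and doors, so unless proxmox is a child of one of those groups the entry is never applied. A comment above the new `all.vars.admins`, `# Granted root on every host; group-level extra_admins are added on top and never replace this list`, would make the two-tier model explicit for the next editor.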
@@ -1,121 +1,171 @@ # Use `ansible-playbook ansible-update-ssh-config.yml` to update this file +# Use `ssh -F ssh_config ...` to connect to target machine or +# Add `Include ~/path/to/this/kube/ssh_config` in your ~/.ssh/config Host backdoor 100.102.3.3 User root Hostname 100.102.3.3 GlobalKnownHostsFile known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h Host frontdoor 100.102.3.2 User root Hostname 100.102.3.2 GlobalKnownHostsFile known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h Host grounddoor 100.102.3.1 User root Hostname 100.102.3.1 GlobalKnownHostsFile known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h Host master1.kube.k-space.ee 172.21.3.51 User root Hostname 172.21.3.51 GlobalKnownHostsFile known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h Host master2.kube.k-space.ee 172.21.3.52 User root Hostname 172.21.3.52 GlobalKnownHostsFile known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h Host master3.kube.k-space.ee 172.21.3.53 User root Hostname 172.21.3.53 GlobalKnownHostsFile known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h Host mon1.kube.k-space.ee 172.21.3.61 User root Hostname 172.21.3.61 GlobalKnownHostsFile known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h Host mon2.kube.k-space.ee 172.21.3.62 User root Hostname 172.21.3.62 GlobalKnownHostsFile known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h Host mon3.kube.k-space.ee 172.21.3.63 User root Hostname 172.21.3.63 GlobalKnownHostsFile known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h Host nas.k-space.ee 172.23.0.7 User root Hostname 172.23.0.7 GlobalKnownHostsFile known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h Host ns1.k-space.ee 172.20.0.2 User root Hostname 172.20.0.2 GlobalKnownHostsFile 
known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h Host pve1 172.21.20.1 User root Hostname 172.21.20.1 GlobalKnownHostsFile known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h Host pve2 172.21.20.2 User root Hostname 172.21.20.2 GlobalKnownHostsFile known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h Host pve8 172.21.20.8 User root Hostname 172.21.20.8 GlobalKnownHostsFile known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h Host pve9 172.21.20.9 User root Hostname 172.21.20.9 GlobalKnownHostsFile known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h Host storage1.kube.k-space.ee 172.20.3.71 User root Hostname 172.20.3.71 GlobalKnownHostsFile known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h Host storage2.kube.k-space.ee 172.20.3.72 User root Hostname 172.20.3.72 GlobalKnownHostsFile known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h Host storage3.kube.k-space.ee 172.20.3.73 User root Hostname 172.20.3.73 GlobalKnownHostsFile known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h Host storage4.kube.k-space.ee 172.20.3.74 User root Hostname 172.20.3.74 GlobalKnownHostsFile known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h Host worker1.kube.k-space.ee 172.20.3.81 User root Hostname 172.20.3.81 GlobalKnownHostsFile known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h Host worker2.kube.k-space.ee 172.20.3.82 User root Hostname 172.20.3.82 GlobalKnownHostsFile known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h Host worker3.kube.k-space.ee 172.20.3.83 User root Hostname 172.20.3.83 GlobalKnownHostsFile known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h Host worker4.kube.k-space.ee 172.20.3.84 User root Hostname 
172.20.3.84 GlobalKnownHostsFile known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h Host workshopdoor 100.102.3.4 User root Hostname 100.102.3.4 GlobalKnownHostsFile known_hosts UserKnownHostsFile /dev/null + ControlMaster auto + ControlPersist 8h