simplify ssh host key configuration

2025-04-20 17:21:44 +02:00 · 2020-07-26 20:07:59 -07:00 · 2020-07-26 20:07:59 -07:00 · 426ac99b91
commit 426ac99b91
parent 06c572ffc3
2 changed files with 16 additions and 63 deletions
--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
@ -1,83 +1,31 @@
 ---
+#
 # Set ssh host keys
- name: initialize list of host keys to copy over
-  set_fact:
-    ssh_host_keyfiles: []
-  tags: [ sshd ]
-
- name: find local copy of dsa host key
-  delegate_to: localhost
-  stat:
-    path: roles/common/files/etc/ssh/ssh_host_dsa_key.{{ myconfig.hostname }}
-  register: result
-  tags: [ sshd ]
-
- name: add dsa key to list if found
-  set_fact:
-    ssh_host_keyfiles: "{{ ssh_host_keyfiles }} + [ 'etc/ssh/ssh_host_dsa_key.{{ myconfig.hostname }}' ]"
-  when: result.stat.exists == true
-  tags: [ sshd ]
-
- name: find local copy of rsa host key
-  delegate_to: localhost
-  stat:
-    path: roles/common/files/etc/ssh/ssh_host_rsa_key.{{ myconfig.hostname }}
-  register: result
-  tags: [ sshd ]
-
- name: add rsa key to list if found
-  set_fact:
-    ssh_host_keyfiles: "{{ ssh_host_keyfiles }} + [ 'etc/ssh/ssh_host_rsa_key.{{ myconfig.hostname }}' ]"
-  when: result.stat.exists == true
-  tags: [ sshd ]
-
- name: find local copy of ed25519 host key
-  delegate_to: localhost
-  stat:
-    path: roles/common/files/etc/ssh/ssh_host_ed25519_key.{{ myconfig.hostname }}
-  register: result
-  tags: [ sshd ]
- name: add ed25519 key to list if found
-  set_fact:
-    ssh_host_keyfiles: "{{ ssh_host_keyfiles }} + [ 'etc/ssh/ssh_host_ed25519_key.{{ myconfig.hostname }}' ]"
-  when: result.stat.exists == true
-  tags: [ sshd ]
-
- name: find local copy of ecdsa host key
-  delegate_to: localhost
-  stat:
-    path: roles/common/files/etc/ssh/ssh_host_ecdsa_key.{{ myconfig.hostname }}
-  register: result
-  tags: [ sshd ]
- name: add ecdsa key to list if found
-  set_fact:
-    ssh_host_keyfiles: "{{ ssh_host_keyfiles }} + [ 'etc/ssh/ssh_host_ecdsa_key.{{ myconfig.hostname }}' ]"
-  when: result.stat.exists == true
-  tags: [ sshd ]
-
+#
 - name: set SSH host keys
  copy:
    src: "{{ item }}"
-    dest: "/{{ item }}"
+    dest: "/{{ item.split('.')[0] }}"
    owner: root
    group: root
    mode: '0600'
-  with_items: "{{ ssh_host_keyfiles }}"
+  with_items: "{{ myconfig.ssh_host_key_files }}"
  register: result
+  when: "'ssh_host_key_files' in myconfig"
  tags: [ sshd ]

 - name: remove old SSH host public keys
  file:
-    path: "/{{ item }}.pub"
+    path: "/{{ item.split('.')[0] }}.pub"
    state: absent
-  with_items: "{{ ssh_host_keyfiles }}"
-  when: result is changed
+  with_items: "{{ myconfig.ssh_host_key_files }}"
+  when: "'ssh_host_key_files' in myconfig and result is changed"
  tags: [ sshd ]

 - name: regenerate SSH host public keys
  shell:
-    cmd: "ssh-keygen -y -f /{{ item }} > /{{ item }}.pub"
+    cmd: "ssh-keygen -y -f /{{ item.split('.')[0] }} > /{{ item.split('.')[0] }}.pub"
    creates: "/{{ item }}.pub"
-  with_items: "{{ ssh_host_keyfiles }}"
-  when: result is changed
+  with_items: "{{ myconfig.ssh_host_key_files }}"
+  when: "'ssh_host_key_files' in myconfig and result is changed"
  tags: [ sshd ]
--- a/roles/common/vars/main.yml
+++ b/roles/common/vars/main.yml
@ -19,6 +19,11 @@ macaddrs:
        enable_serial_hw: True
        enable_onewire: False
        enable_rgpio: False
+        ssh_host_key_files:
+          - etc/ssh/ssh_host_rsa_key.cloverdale
+          - etc/ssh/ssh_host_dsa_key.cloverdale
+          - etc/ssh/ssh_host_ecdsa_key.cloverdale
+          - etc/ssh/ssh_host_ed25519_key.cloverdale
    b8:27:eb:39:d7:57:
        hostname: "clovermine"
        domain: "local"