add ssh hostkey deployment

4 years ago · a991a01152
parent aa83e57c7d
commit a991a01152
3 changed files with 102 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -25,20 +25,18 @@ playbook relies on Ansible 2.8 or newer, which means you can no longer use
    # Install ansible and any other requirements
    (ansible_env) $ pip install -r requirements.txt
    
-    # Run playbook
-    (ansible_env) $ sudo $(which ansible-playbook) ./local.yml
-
 ## Configuration

 The `macaddrs` structure in _roles/common/vars/main.yml_ maps the MAC address of
 a Raspberry Pi to its intended configuration state.  Add your Raspberry Pi's MAC
-address to that structure and set its configuration accordingly.
+address (specifically for `eth0` if your RPi has multiple NICs) to that
+structure and set its configuration accordingly.

 ## Running the playbook

 Then run the playbook:

-    $ sudo ansible-playbook local.yml 
+    (ansible_env) $ sudo $(which ansible-playbook) --ask-vault-pass ./local.yml

 The playbook will self-discover its settings, then idempotently configure the
 Raspberry Pi.
@ -55,6 +53,18 @@ to ensure that it does not lock you out of your Raspberry Pi.

 2. `usermod --lock pi` to ensure that the default user is completely disabled.

+## Optional configurations
+
+### SSH host keys
+
+This playbook can install ssh host keys.  To do so,
+
+1. drop the appropriate `ssh_host_*_key` files into `roles/common/files/etc/ssh/`
+2. rename each file from `ssh_host_*_key` to `ssh_host_*_key.hostname` where
+   `hostname` matches the `hostname` in `roles/common/vars/main.yml` to which
+   the hostkey should be deployed
+3. `ansible-vault encrypt roles/common/files/etc/ssh/ssh_host_*_key.*`
+
 ## Acknowledgment

 I stole a lot of knowledge from https://github.com/giuaig/ansible-raspi-config/.
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -11,6 +11,7 @@
  tags:
    - raspi
    - sw
+    - sshd

 - name: store MAC address
  set_fact:
@ -18,6 +19,7 @@
  tags:
    - raspi
    - sw
+    - sshd

 - name: store system configuration
  set_fact:
@ -25,6 +27,7 @@
  tags:
    - raspi
    - sw
+    - sshd

 - name: set hostname
  shell: "raspi-config nonint do_hostname {{ myconfig.hostname }}"
@ -79,6 +82,7 @@
    - raspi

 # Other tasks
+- include: sshd.yml
 - include: software.yml
 - include: users.yml
 - include: raspi-config.yml
--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
@ -0,0 +1,83 @@
+---
+# Set ssh host keys
+- name: initialize list of host keys to copy over
+  set_fact:
+    ssh_host_keyfiles: []
+  tags: [ sshd ]
+
+- name: find local copy of dsa host key
+  delegate_to: localhost
+  stat:
+    path: roles/common/files/etc/ssh/ssh_host_dsa_key.{{ myconfig.hostname }}
+  register: result
+  tags: [ sshd ]
+
+- name: add dsa key to list if found
+  set_fact:
+    ssh_host_keyfiles: "{{ ssh_host_keyfiles }} + [ 'etc/ssh/ssh_host_dsa_key.{{ myconfig.hostname }}' ]"
+  when: result.stat.exists == true
+  tags: [ sshd ]
+
+- name: find local copy of rsa host key
+  delegate_to: localhost
+  stat:
+    path: roles/common/files/etc/ssh/ssh_host_rsa_key.{{ myconfig.hostname }}
+  register: result
+  tags: [ sshd ]
+
+- name: add rsa key to list if found
+  set_fact:
+    ssh_host_keyfiles: "{{ ssh_host_keyfiles }} + [ 'etc/ssh/ssh_host_rsa_key.{{ myconfig.hostname }}' ]"
+  when: result.stat.exists == true
+  tags: [ sshd ]
+
+- name: find local copy of ed25519 host key
+  delegate_to: localhost
+  stat:
+    path: roles/common/files/etc/ssh/ssh_host_ed25519_key.{{ myconfig.hostname }}
+  register: result
+  tags: [ sshd ]
+- name: add ed25519 key to list if found
+  set_fact:
+    ssh_host_keyfiles: "{{ ssh_host_keyfiles }} + [ 'etc/ssh/ssh_host_ed25519_key.{{ myconfig.hostname }}' ]"
+  when: result.stat.exists == true
+  tags: [ sshd ]
+
+- name: find local copy of ecdsa host key
+  delegate_to: localhost
+  stat:
+    path: roles/common/files/etc/ssh/ssh_host_ecdsa_key.{{ myconfig.hostname }}
+  register: result
+  tags: [ sshd ]
+- name: add ecdsa key to list if found
+  set_fact:
+    ssh_host_keyfiles: "{{ ssh_host_keyfiles }} + [ 'etc/ssh/ssh_host_ecdsa_key.{{ myconfig.hostname }}' ]"
+  when: result.stat.exists == true
+  tags: [ sshd ]
+
+- name: set SSH host keys
+  copy:
+    src: "{{ item }}"
+    dest: "/{{ item }}"
+    owner: root
+    group: root
+    mode: '0600'
+  with_items: "{{ ssh_host_keyfiles }}"
+  register: result
+  tags: [ sshd ]
+
+- name: remove old SSH host public keys
+  file:
+    path: "/{{ item }}.pub"
+    state: absent
+  with_items: "{{ ssh_host_keyfiles }}"
+  when: result is changed
+  tags: [ sshd ]
+
+- name: regenerate SSH host public keys
+  shell:
+    cmd: "ssh-keygen -y -f /{{ item }} > /{{ item }}.pub"
+    creates: "/{{ item }}.pub"
+  with_items: "{{ ssh_host_keyfiles }}"
+  when: result is changed
+  tags: [ sshd ]