From a991a011522affb23e2583cc3d7b6064cd3c3085 Mon Sep 17 00:00:00 2001
From: "Glenn K. Lockwood"
Date: Sun, 26 Jul 2020 18:39:54 -0700
Subject: [PATCH] add ssh hostkey deployment
---
 README.md | 20 ++++++---
 roles/common/tasks/main.yml | 4 ++
 roles/common/tasks/sshd.yml | 83 +++++++++++++++++++++++++++++++++++++
 3 files changed, 102 insertions(+), 5 deletions(-)
 create mode 100644 roles/common/tasks/sshd.yml
diff --git a/README.md b/README.md
index bfad545..7bc36aa 100644
--- a/README.md
+++ b/README.md
@@ -25,20 +25,18 @@ playbook relies on Ansible 2.8 or newer, which means you can no longer use
 # Install ansible and any other requirements
 (ansible_env) $ pip install -r requirements.txt
- # Run playbook
- (ansible_env) $ sudo $(which ansible-playbook) ./local.yml
-
 ## Configuration
 The `macaddrs` structure in _roles/common/vars/main.yml_ maps the MAC address of a Raspberry Pi to its intended configuration state. Add your Raspberry Pi's MAC
-address to that structure and set its configuration accordingly.
+address (specifically for `eth0` if your RPi has multiple NICs) to that
+structure and set its configuration accordingly.
 ## Running the playbook
 Then run the playbook:
- $ sudo ansible-playbook local.yml
+ (ansible_env) $ sudo $(which ansible-playbook) --ask-vault-pass ./local.yml
 The playbook will self-discover its settings, then idempotently configure the Raspberry Pi.
@@ -55,6 +53,18 @@ to ensure that it does not lock you out of your Raspberry Pi.
 2. `usermod --lock pi` to ensure that the default user is completely disabled.
+## Optional configurations
+
+### SSH host keys
+
+This playbook can install ssh host keys. To do so,
+
+1. drop the appropriate `ssh_host_*_key` files into `roles/common/files/etc/ssh/`
+2. rename each file from `ssh_host_*_key` to `ssh_host_*_key.hostname` where
+ `hostname` matches the `hostname` in `roles/common/vars/main.yml` to which
+ the hostkey should be deployed
+3. `ansible-vault encrypt roles/common/files/etc/ssh/ssh_host_*_key.*`
+
 ## Acknowledgment
 I stole a lot of knowledge from https://github.com/giuaig/ansible-raspi-config/.
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index d2b23a3..512a755 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -11,6 +11,7 @@
 tags:
 - raspi
 - sw
+ - sshd
 - name: store MAC address
 set_fact:
@@ -18,6 +19,7 @@
 tags:
 - raspi
 - sw
+ - sshd
 - name: store system configuration
 set_fact:
@@ -25,6 +27,7 @@
 tags:
 - raspi
 - sw
+ - sshd
 - name: set hostname
 shell: "raspi-config nonint do_hostname {{ myconfig.hostname }}"
@@ -79,6 +82,7 @@
 - raspi
 # Other tasks
+- include: sshd.yml
 - include: software.yml
 - include: users.yml
 - include: raspi-config.yml
diff --git a/roles/common/tasks/sshd.yml b/roles/common/tasks/sshd.yml
new file mode 100644
index 0000000..971bedd
--- /dev/null
+++ b/roles/common/tasks/sshd.yml
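Review bot: The new `- include: sshd.yml` line in the last main.yml hunk uses the task-level `include` form that Ansible has deprecated since 2.4 and warns about on the 2.8+ versions the README requires; because every task in sshd.yml is statically tagged, `- import_tasks: sshd.yml` behaves the same under `--tags sshd` and silences the warning. The three `- sshd` tag additions in the earlier hunks are presumably there so the facts sshd.yml reads (`myconfig.hostname`) are set when only the `sshd` tag is run; a one-line comment above the first of them, such as `# sshd.yml depends on these facts, so they carry the sshd tag too`, would record that dependency for the next person who adds a tag. The tasks that own the first tagged `tags:` block start before the hunk, so their names are not visible here.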
@@ -0,0 +1,83 @@
+---
+# Set ssh host keys
+- name: initialize list of host keys to copy over
+ set_fact:
+ ssh_host_keyfiles: []
+ tags: [ sshd ]
+
+- name: find local copy of dsa host key
+ delegate_to: localhost
+ stat:
+ path: roles/common/files/etc/ssh/ssh_host_dsa_key.{{ myconfig.hostname }}
+ register: result
+ tags: [ sshd ]
+
+- name: add dsa key to list if found
+ set_fact:
+ ssh_host_keyfiles: "{{ ssh_host_keyfiles }} + [ 'etc/ssh/ssh_host_dsa_key.{{ myconfig.hostname }}' ]"
+ when: result.stat.exists == true
+ tags: [ sshd ]
+
+- name: find local copy of rsa host key
+ delegate_to: localhost
+ stat:
+ path: roles/common/files/etc/ssh/ssh_host_rsa_key.{{ myconfig.hostname }}
+ register: result
+ tags: [ sshd ]
+
+- name: add rsa key to list if found
+ set_fact:
+ ssh_host_keyfiles: "{{ ssh_host_keyfiles }} + [ 'etc/ssh/ssh_host_rsa_key.{{ myconfig.hostname }}' ]"
+ when: result.stat.exists == true
+ tags: [ sshd ]
+
+- name: find local copy of ed25519 host key
+ delegate_to: localhost
+ stat:
+ path: roles/common/files/etc/ssh/ssh_host_ed25519_key.{{ myconfig.hostname }}
+ register: result
+ tags: [ sshd ]
+- name: add ed25519 key to list if found
+ set_fact:
+ ssh_host_keyfiles: "{{ ssh_host_keyfiles }} + [ 'etc/ssh/ssh_host_ed25519_key.{{ myconfig.hostname }}' ]"
+ when: result.stat.exists == true
+ tags: [ sshd ]
+
+- name: find local copy of ecdsa host key
+ delegate_to: localhost
+ stat:
+ path: roles/common/files/etc/ssh/ssh_host_ecdsa_key.{{ myconfig.hostname }}
+ register: result
+ tags: [ sshd ]
+- name: add ecdsa key to list if found
+ set_fact:
+ ssh_host_keyfiles: "{{ ssh_host_keyfiles }} + [ 'etc/ssh/ssh_host_ecdsa_key.{{ myconfig.hostname }}' ]"
+ when: result.stat.exists == true
+ tags: [ sshd ]
+
+- name: set SSH host keys
+ copy:
+ src: "{{ item }}"
+ dest: "/{{ item }}"
+ owner: root
+ group: root
+ mode: '0600'
+ with_items: "{{ ssh_host_keyfiles }}"
+ register: result
+ tags: [ sshd ]
+
+- name: remove old SSH host public keys
+ file:
+ path: "/{{ item }}.pub"
+ state: absent
+ with_items: "{{ ssh_host_keyfiles }}"
+ when: result is changed
+ tags: [ sshd ]
+
+- name: regenerate SSH host public keys
+ shell:
+ cmd: "ssh-keygen -y -f /{{ item }} > /{{ item }}.pub"
+ creates: "/{{ item }}.pub"
+ with_items: "{{ ssh_host_keyfiles }}"
+ when: result is changed
+ tags: [ sshd ]
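Review bot: The `set SSH host keys` copy task replaces the private host keys but nothing in this file restarts or reloads sshd, so the running daemon keeps presenting the old keys until the next reboot; add `notify: restart sshd` to that task (a matching handler is not part of this diff and would need to be defined in the role). The same task should also carry `no_log: true`, because under `--diff` or verbose output the copy module can echo the decrypted private key material into the console log, which defeats the point of keeping the files vault-encrypted. The `regenerate SSH host public keys` task is already idempotent through `creates:`, so its `when: result is changed` only stops it from repairing a `.pub` file that a previous run removed and then failed to regenerate; dropping that one line makes the task self-healing. The four `stat` tasks use a relative `roles/common/files/...` path that depends on the directory ansible-playbook is started from, and the eight stat/set_fact pairs differ only in the key type; a single loop anchored on `{{ role_path }}` (shown below) removes both issues and also replaces the `== true` comparisons with a plain `when: item.stat.exists`.

```yaml
- name: find local copies of host keys
  delegate_to: localhost
  stat:
    path: "{{ role_path }}/files/etc/ssh/ssh_host_{{ item }}_key.{{ myconfig.hostname }}"
  with_items: [ dsa, rsa, ecdsa, ed25519 ]
  register: local_hostkeys
  tags: [ sshd ]

- name: add each host key that was found to the list
  set_fact:
    ssh_host_keyfiles: "{{ ssh_host_keyfiles + [ 'etc/ssh/ssh_host_' ~ item.item ~ '_key.' ~ myconfig.hostname ] }}"
  with_items: "{{ local_hostkeys.results }}"
  when: item.stat.exists
  tags: [ sshd ]

# … unchanged: set SSH host keys, remove old SSH host public keys, regenerate SSH host public keys …
```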