gregandev
/
rpi-ansible
mirror of https://github.com/ruanbekker/rpi-ansible
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

add ssh hostkey deployment

Browse Source
master
Glenn K. Lockwood 4 years ago
parent aa83e57c7d
commit a991a01152
3 changed files with 102 additions and 5 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 20
      README.md
  2. 4
      roles/common/tasks/main.yml
  3. 83
      roles/common/tasks/sshd.yml

20
README.md
Unescape View File

@ -25,20 +25,18 @@ playbook relies on Ansible 2.8 or newer, which means you can no longer use
# Install ansible and any other requirements # Install ansible and any other requirements
(ansible_env) $ pip install -r requirements.txt (ansible_env) $ pip install -r requirements.txt
# Run playbook
(ansible_env) $ sudo $(which ansible-playbook) ./local.yml
## Configuration ## Configuration
The `macaddrs` structure in _roles/common/vars/main.yml_ maps the MAC address of The `macaddrs` structure in _roles/common/vars/main.yml_ maps the MAC address of
a Raspberry Pi to its intended configuration state. Add your Raspberry Pi's MAC a Raspberry Pi to its intended configuration state. Add your Raspberry Pi's MAC
address to that structure and set its configuration accordingly. address (specifically for `eth0` if your RPi has multiple NICs) to that
structure and set its configuration accordingly.
## Running the playbook ## Running the playbook
Then run the playbook: Then run the playbook:
$ sudo ansible-playbook local.yml (ansible_env) $ sudo $(which ansible-playbook) --ask-vault-pass ./local.yml
The playbook will self-discover its settings, then idempotently configure the The playbook will self-discover its settings, then idempotently configure the
Raspberry Pi. Raspberry Pi.
@ -55,6 +53,18 @@ to ensure that it does not lock you out of your Raspberry Pi.
2. `usermod --lock pi` to ensure that the default user is completely disabled. 2. `usermod --lock pi` to ensure that the default user is completely disabled.
## Optional configurations
### SSH host keys
This playbook can install ssh host keys. To do so,
1. drop the appropriate `ssh_host_*_key` files into `roles/common/files/etc/ssh/`
2. rename each file from `ssh_host_*_key` to `ssh_host_*_key.hostname` where
`hostname` matches the `hostname` in `roles/common/vars/main.yml` to which
the hostkey should be deployed
3. `ansible-vault encrypt roles/common/files/etc/ssh/ssh_host_*_key.*`
## Acknowledgment ## Acknowledgment
I stole a lot of knowledge from https://github.com/giuaig/ansible-raspi-config/. I stole a lot of knowledge from https://github.com/giuaig/ansible-raspi-config/.

4
roles/common/tasks/main.yml
Unescape View File

@ -11,6 +11,7 @@
tags: tags:
- raspi - raspi
- sw - sw
- sshd
- name: store MAC address - name: store MAC address
set_fact: set_fact:
@ -18,6 +19,7 @@
tags: tags:
- raspi - raspi
- sw - sw
- sshd
- name: store system configuration - name: store system configuration
set_fact: set_fact:
@ -25,6 +27,7 @@
tags: tags:
- raspi - raspi
- sw - sw
- sshd
- name: set hostname - name: set hostname
shell: "raspi-config nonint do_hostname {{ myconfig.hostname }}" shell: "raspi-config nonint do_hostname {{ myconfig.hostname }}"
@ -79,6 +82,7 @@
- raspi - raspi
# Other tasks # Other tasks
- include: sshd.yml
- include: software.yml - include: software.yml
- include: users.yml - include: users.yml
- include: raspi-config.yml - include: raspi-config.yml

83
roles/common/tasks/sshd.yml
Unescape View File

@ -0,0 +1,83 @@
---
# Set ssh host keys
- name: initialize list of host keys to copy over
set_fact:
ssh_host_keyfiles: []
tags: [ sshd ]
- name: find local copy of dsa host key
delegate_to: localhost
stat:
path: roles/common/files/etc/ssh/ssh_host_dsa_key.{{ myconfig.hostname }}
register: result
tags: [ sshd ]
- name: add dsa key to list if found
set_fact:
ssh_host_keyfiles: "{{ ssh_host_keyfiles }} + [ 'etc/ssh/ssh_host_dsa_key.{{ myconfig.hostname }}' ]"
when: result.stat.exists == true
tags: [ sshd ]
- name: find local copy of rsa host key
delegate_to: localhost
stat:
path: roles/common/files/etc/ssh/ssh_host_rsa_key.{{ myconfig.hostname }}
register: result
tags: [ sshd ]
- name: add rsa key to list if found
set_fact:
ssh_host_keyfiles: "{{ ssh_host_keyfiles }} + [ 'etc/ssh/ssh_host_rsa_key.{{ myconfig.hostname }}' ]"
when: result.stat.exists == true
tags: [ sshd ]
- name: find local copy of ed25519 host key
delegate_to: localhost
stat:
path: roles/common/files/etc/ssh/ssh_host_ed25519_key.{{ myconfig.hostname }}
register: result
tags: [ sshd ]
- name: add ed25519 key to list if found
set_fact:
ssh_host_keyfiles: "{{ ssh_host_keyfiles }} + [ 'etc/ssh/ssh_host_ed25519_key.{{ myconfig.hostname }}' ]"
when: result.stat.exists == true
tags: [ sshd ]
- name: find local copy of ecdsa host key
delegate_to: localhost
stat:
path: roles/common/files/etc/ssh/ssh_host_ecdsa_key.{{ myconfig.hostname }}
register: result
tags: [ sshd ]
- name: add ecdsa key to list if found
set_fact:
ssh_host_keyfiles: "{{ ssh_host_keyfiles }} + [ 'etc/ssh/ssh_host_ecdsa_key.{{ myconfig.hostname }}' ]"
when: result.stat.exists == true
tags: [ sshd ]
- name: set SSH host keys
copy:
src: "{{ item }}"
dest: "/{{ item }}"
owner: root
group: root
mode: '0600'
with_items: "{{ ssh_host_keyfiles }}"
register: result
tags: [ sshd ]
- name: remove old SSH host public keys
file:
path: "/{{ item }}.pub"
state: absent
with_items: "{{ ssh_host_keyfiles }}"
when: result is changed
tags: [ sshd ]
- name: regenerate SSH host public keys
shell:
cmd: "ssh-keygen -y -f /{{ item }} > /{{ item }}.pub"
creates: "/{{ item }}.pub"
with_items: "{{ ssh_host_keyfiles }}"
when: result is changed
tags: [ sshd ]
Write Preview
Loading…
Cancel
Save