add ssh hostkey deployment

Glenn K. Lockwood 4 years ago
parent aa83e57c7d
commit a991a01152
  1. 20
      README.md
  2. 4
      roles/common/tasks/main.yml
  3. 83
      roles/common/tasks/sshd.yml

@ -25,20 +25,18 @@ playbook relies on Ansible 2.8 or newer, which means you can no longer use
# Install ansible and any other requirements # Install ansible and any other requirements
(ansible_env) $ pip install -r requirements.txt (ansible_env) $ pip install -r requirements.txt
# Run playbook
(ansible_env) $ sudo $(which ansible-playbook) ./local.yml
## Configuration ## Configuration
The `macaddrs` structure in _roles/common/vars/main.yml_ maps the MAC address of The `macaddrs` structure in _roles/common/vars/main.yml_ maps the MAC address of
a Raspberry Pi to its intended configuration state. Add your Raspberry Pi's MAC a Raspberry Pi to its intended configuration state. Add your Raspberry Pi's MAC
address to that structure and set its configuration accordingly. address (specifically for `eth0` if your RPi has multiple NICs) to that
structure and set its configuration accordingly.
## Running the playbook ## Running the playbook
Then run the playbook: Then run the playbook:
$ sudo ansible-playbook local.yml (ansible_env) $ sudo $(which ansible-playbook) --ask-vault-pass ./local.yml
The playbook will self-discover its settings, then idempotently configure the The playbook will self-discover its settings, then idempotently configure the
Raspberry Pi. Raspberry Pi.
@ -55,6 +53,18 @@ to ensure that it does not lock you out of your Raspberry Pi.
2. `usermod --lock pi` to ensure that the default user is completely disabled. 2. `usermod --lock pi` to ensure that the default user is completely disabled.
## Optional configurations
### SSH host keys
This playbook can install ssh host keys. To do so,
1. drop the appropriate `ssh_host_*_key` files into `roles/common/files/etc/ssh/`
2. rename each file from `ssh_host_*_key` to `ssh_host_*_key.hostname` where
`hostname` matches the `hostname` in `roles/common/vars/main.yml` to which
the hostkey should be deployed
3. `ansible-vault encrypt roles/common/files/etc/ssh/ssh_host_*_key.*`
## Acknowledgment ## Acknowledgment
I stole a lot of knowledge from https://github.com/giuaig/ansible-raspi-config/. I stole a lot of knowledge from https://github.com/giuaig/ansible-raspi-config/.

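--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -11,6 +11,7 @@
 tags:
 - raspi
 - sw
+- sshd
 - name: store MAC address
 set_fact:
@@ -18,6 +19,7 @@
 tags:
 - raspi
 - sw
+- sshd
 - name: store system configuration
 set_fact:
@@ -25,6 +27,7 @@
 tags:
 - raspi
 - sw
+- sshd
 - name: set hostname
 shell: "raspi-config nonint do_hostname {{ myconfig.hostname }}"
@@ -79,6 +82,7 @@
 - raspi
 # Other tasks
+- include: sshd.yml
 - include: software.yml
 - include: users.yml
 - include: raspi-config.yml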
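Review bot: The new `- include: sshd.yml` (last hunk, after `# Other tasks`) uses the `include` keyword that Ansible deprecated in 2.4, while the README in this same commit raises the minimum to Ansible 2.8; `- import_tasks: sshd.yml` followed by `tags: [ sshd ]` makes the inclusion static and lets `--tags sshd` reach every task in sshd.yml, whereas a dynamic include that does not itself carry the tag is skipped together with everything inside it. The three `- sshd` tag additions on the set_fact tasks are what sshd.yml needs to have `myconfig.hostname` defined under `--tags sshd`, so the include line should carry the same tag rather than rely on auto-detection. The existing `software.yml`/`users.yml`/`raspi-config.yml` includes are outside this change but would benefit from the same treatment.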

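--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
@@ -0,0 +1,83 @@
+---
+# Set ssh host keys
+- name: initialize list of host keys to copy over
+set_fact:
+ssh_host_keyfiles: []
+tags: [ sshd ]
+- name: find local copy of dsa host key
+delegate_to: localhost
+stat:
+path: roles/common/files/etc/ssh/ssh_host_dsa_key.{{ myconfig.hostname }}
+register: result
+tags: [ sshd ]
+- name: add dsa key to list if found
+set_fact:
+ssh_host_keyfiles: "{{ ssh_host_keyfiles }} + [ 'etc/ssh/ssh_host_dsa_key.{{ myconfig.hostname }}' ]"
+when: result.stat.exists == true
+tags: [ sshd ]
+- name: find local copy of rsa host key
+delegate_to: localhost
+stat:
+path: roles/common/files/etc/ssh/ssh_host_rsa_key.{{ myconfig.hostname }}
+register: result
+tags: [ sshd ]
+- name: add rsa key to list if found
+set_fact:
+ssh_host_keyfiles: "{{ ssh_host_keyfiles }} + [ 'etc/ssh/ssh_host_rsa_key.{{ myconfig.hostname }}' ]"
+when: result.stat.exists == true
+tags: [ sshd ]
+- name: find local copy of ed25519 host key
+delegate_to: localhost
+stat:
+path: roles/common/files/etc/ssh/ssh_host_ed25519_key.{{ myconfig.hostname }}
+register: result
+tags: [ sshd ]
+- name: add ed25519 key to list if found
+set_fact:
+ssh_host_keyfiles: "{{ ssh_host_keyfiles }} + [ 'etc/ssh/ssh_host_ed25519_key.{{ myconfig.hostname }}' ]"
+when: result.stat.exists == true
+tags: [ sshd ]
+- name: find local copy of ecdsa host key
+delegate_to: localhost
+stat:
+path: roles/common/files/etc/ssh/ssh_host_ecdsa_key.{{ myconfig.hostname }}
+register: result
+tags: [ sshd ]
+- name: add ecdsa key to list if found
+set_fact:
+ssh_host_keyfiles: "{{ ssh_host_keyfiles }} + [ 'etc/ssh/ssh_host_ecdsa_key.{{ myconfig.hostname }}' ]"
+when: result.stat.exists == true
+tags: [ sshd ]
+- name: set SSH host keys
+copy:
+src: "{{ item }}"
+dest: "/{{ item }}"
+owner: root
+group: root
+mode: '0600'
+with_items: "{{ ssh_host_keyfiles }}"
+register: result
+tags: [ sshd ]
+- name: remove old SSH host public keys
+file:
+path: "/{{ item }}.pub"
+state: absent
+with_items: "{{ ssh_host_keyfiles }}"
+when: result is changed
+tags: [ sshd ]
+- name: regenerate SSH host public keys
+shell:
+cmd: "ssh-keygen -y -f /{{ item }} > /{{ item }}.pub"
+creates: "/{{ item }}.pub"
+with_items: "{{ ssh_host_keyfiles }}"
+when: result is changed
+tags: [ sshd ]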
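Review bot: Replacing the private host keys in the `set SSH host keys` task and regenerating the `.pub` files never restarts or reloads sshd, so the running daemon keeps presenting the host key it loaded at startup until the next reboot; notify a handler from that task, or append `- name: restart sshd`, `service: name=ssh state=restarted`, `when: result is changed` with the same `sshd` tag (I cannot see from this hunk whether the role already defines such a handler). The list is grown by string concatenation, `"{{ ssh_host_keyfiles }} + [ ... ]"`, which depends on Ansible re-evaluating the rendered string as a Python literal; `"{{ ssh_host_keyfiles + [ 'etc/ssh/ssh_host_dsa_key.' ~ myconfig.hostname ] }}"` stays a list without that round trip, and the four stat/set_fact pairs would collapse into one `loop` over the key types. The `delegate_to: localhost` stat paths are relative to the directory ansible-playbook is started from, whereas `copy: src` resolves against the role's files directory, so running from outside the repository root silently finds no keys and deploys nothing; a comment on the first stat task such as `# relative to the playbook's working directory, not the role` would make that visible. Lastly, `ssh-dss` host keys have been disabled by default in OpenSSH since 7.0, so carrying `ssh_host_dsa_key` adds nothing; consider dropping that pair or stating why it is kept.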