77 lines
2.2 KiB
YAML
77 lines
2.2 KiB
YAML
---
|
|
|
|
# - name: Debug ansible facts
|
|
# ansible.builtin.debug:
|
|
# msg: "{{ ansible_facts }}"
|
|
|
|
# - name: Debug host vars
|
|
# ansible.builtin.debug:
|
|
# msg: "{{ hostvars[inventory_hostname]['ansible_fqdn'] }}"
|
|
|
|
- name: Ensure ssh config dir exists
|
|
delegate_to: localhost
|
|
become: false
|
|
ansible.builtin.file:
|
|
path: "{{ lookup('env', 'HOME') }}/.ssh/conf.d/{{ sshd.config_path }}"
|
|
state: directory
|
|
owner: "{{ lookup('env', 'USER') }}"
|
|
group: "{{ lookup('env', 'USER') }}"
|
|
mode: '0700'
|
|
|
|
- name: Generate local SSH key pair
|
|
delegate_to: localhost
|
|
become: false
|
|
community.crypto.openssh_keypair:
|
|
backend: opensshbin
|
|
comment: "{{ ansible_user }}@{{ static_fqdn }}"
|
|
mode: '0600'
|
|
passphrase: "{{ ssh_keygen_passphrase }}"
|
|
path: "{{ lookup('env', 'HOME') }}/.ssh/conf.d/{{ sshd.config_path }}/{{ static_fqdn }}"
|
|
regenerate: full_idempotence
|
|
size: 521
|
|
state: present
|
|
type: ecdsa
|
|
register: ssh_keygen
|
|
|
|
- name: Copy SSH pubkey to target
|
|
ansible.posix.authorized_key:
|
|
key: "{{ ssh_keygen.public_key }}"
|
|
user: "{{ ansible_user }}"
|
|
state: present
|
|
|
|
- name: Template out sshd_config
|
|
ansible.builtin.template:
|
|
src: sshd_config.j2
|
|
dest: /etc/ssh/sshd_config
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
notify:
|
|
- Restart sshd
|
|
|
|
- name: Flush handlers for immediate shhd restart
|
|
ansible.builtin.meta: flush_handlers
|
|
|
|
- name: Add local ssh client config
|
|
delegate_to: localhost
|
|
become: false
|
|
community.general.ssh_config:
|
|
host: "{{ sshd.nickname | default(omit) }} {{ static_fqdn }}"
|
|
hostname: "{{ static_fqdn }}"
|
|
identity_file: "{{ ssh_keygen.filename }}"
|
|
port: "{{ sshd.listen.port | default('22') }}"
|
|
remote_user: "{{ ansible_user }}"
|
|
ssh_config_file: "{{ lookup('env', 'HOME') }}/.ssh/conf.d/{{ sshd.config_path }}/{{ static_fqdn }}.conf"
|
|
state: present
|
|
|
|
- name: Include generated ssh config in default config file
|
|
delegate_to: localhost
|
|
become: false
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ lookup('env', 'HOME') }}/.ssh/config"
|
|
line: "Include {{ lookup('env', 'HOME') }}/.ssh/conf.d/{{ sshd.config_path }}/{{ static_fqdn }}.conf"
|
|
mode: '0600'
|
|
state: present
|
|
create: true
|
|
insertafter: ^Include\s.*$
|