diff --git a/templates/ssh_config.j2 b/templates/ssh_config.j2
new file mode 100644
index 0000000..193ef7b
--- /dev/null
+++ b/templates/ssh_config.j2
@@ -0,0 +1,65 @@
+{{ ansible_managed | comment }}
+
+# This is the ssh client system-wide configuration file. See
+# ssh_config(5) for more information. This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+# 1. command line options
+# 2. user-specific file
+# 3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options. For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+Host *
+# ForwardAgent no
+# ForwardX11 no
+# ForwardX11Trusted yes
+# RhostsRSAAuthentication no
+# RSAAuthentication yes
+# PasswordAuthentication yes
+# HostbasedAuthentication no
+# GSSAPIAuthentication no
+# GSSAPIDelegateCredentials no
+# GSSAPIKeyExchange no
+# GSSAPITrustDNS no
+# BatchMode no
+# CheckHostIP yes
+# AddressFamily any
+# ConnectTimeout 0
+# StrictHostKeyChecking ask
+# IdentityFile ~/.ssh/identity
+# IdentityFile ~/.ssh/id_rsa
+# IdentityFile ~/.ssh/id_dsa
+# IdentityFile ~/.ssh/id_ecdsa
+# IdentityFile ~/.ssh/id_ed25519
+# Port 22
+# Protocol 2
+# Cipher 3des
+# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
+# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
+# EscapeChar ~
+# Tunnel no
+# TunnelDevice any:any
+# PermitLocalCommand no
+# VisualHostKey no
+# ProxyCommand ssh -q -W %h:%p gateway.example.com
+# RekeyLimit 1G 1h
+ SendEnv LANG LC_*
+ HashKnownHosts yes
+ GSSAPIAuthentication yes
+
+Host kita-stjs-server
+ HostName 192.168.61.8
+
+Host kita-stma-server
+ HostName kita-stma-9
+
+Host kita-stwg-server
+ HostName 172.23.63.9
diff --git a/users.yaml b/users.yaml
index 3aedb7c..645a465 100644
--- a/users.yaml
+++ b/users.yaml
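Review bot: The three `Host kita-*-server` stanzas are placed after `Host *`, although the file's own header comment says host-specific definitions must come first because ssh_config(5) keeps the first value set for each option. Today nothing conflicts (`Host *` sets only `SendEnv`, `HashKnownHosts` and `GSSAPIAuthentication`), but any option added to `Host *` later silently becomes un-overridable for these hosts; moving the three `Host kita-*` blocks above `Host *` removes the trap. The template also leaves `StrictHostKeyChecking` at its default of `ask`, so connections to these aliases depend on per-user known_hosts and first-use acceptance unless host keys are distributed some other way; if the servers' host keys are managed by this repository, setting `StrictHostKeyChecking yes` together with a populated `GlobalKnownHostsFile` would turn a man-in-the-middle on first contact into a hard failure instead of a prompt.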
@@ -6,54 +6,33 @@ - laptops remote_user: root roles: - - name: root_user - name: users -- hosts: desktops:laptops - remote_user: root - tasks: - - fetch: - src: /etc/ssh/ssh_host_ed25519_key.pub - dest: host_files/{{ inventory_hostname }} - - name: /etc/ssh/ssh_config - template: - src: ssh_config.j2 - dest: /etc/ssh/ssh_config - - name: /etc/ssh/ssh_known_hosts - template: - src: ssh_known_hosts.j2 - dest: /etc/ssh/ssh_known_hosts - mode: 'u=rw,g=r,o=r' - -- hosts: - - servers - - desktops - - laptops - remote_user: root - tasks: - - - name: fetch ssh public keys - fetch: - src: /home/{{item}}/.ssh/id_ed25519.pub - dest: host_files - fail_on_missing: yes - loop: "{{ users.keys() | list }}" - - - name: delete ssh known hosts user files - shell: rm /home/*/.ssh/known_hosts - failed_when: false +# - hosts: desktops:laptops +# remote_user: root +# tasks: +# - name: /etc/ssh/ssh_config +# template: +# src: ssh_config.j2 +# dest: /etc/ssh/ssh_config +# - name: ssh known hosts +# known_hosts: +# name: "{{item}}" +# key: "{{item}},{{hostvars[item].ansible_default_ipv4.address}} {{hostvars[item].ansible_ssh_host_key_ed25519_public_keytype}} {{hostvars[item].ansible_ssh_host_key_ed25519_public}}" +# path: /etc/ssh/ssh_known_hosts +# loop: "{{groups.servers}}" - hosts: - servers remote_user: root tasks: - - name: read ssh public keys - local_action: command fish -c 'cat host_files/*/home/{{item}}/.ssh/id_ed25519.pub' - loop: "{{ users.keys() | list }}" - register: _ssh_public_keys - name: authorize ssh public keys - copy: - content: "{{ _ssh_public_keys | json_query(\"results[?item=='\"+item+\"'].stdout\") | join(\"\n\") }}" - dest: /home/{{item}}/.ssh/authorized_keys - loop: "{{ users.keys() | list }}" + authorized_key: + user: "{{item.name}}" + key: "{{item.ssh_public_key}}" + loop: "{{ hostvars | json_query(\"*.user_ssh_keys_info.results[]\") }}" + loop_control: + label: "{{ item.name }}" + tags: + - users
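Review bot: The new `authorize ssh public keys` task only ever adds keys — `authorized_key` without `exclusive: true` leaves existing entries in place, whereas the `copy` task it replaces rewrote the whole `authorized_keys` file — so a key that disappears from `user_ssh_keys_info` (a user removed, a laptop re-keyed) now stays authorized on every server until someone deletes it by hand. `exclusive: true` cannot simply be added under the per-key `loop`, because each iteration would then keep only that one key; instead group the collected results by `name` and hand `authorized_key` all of a user's keys as one newline-joined string, as sketched below. Note also that commenting out the `ssh_known_hosts` play means server host keys are no longer distributed to desktops and laptops, so those clients fall back to first-use acceptance; the `user_ssh_keys_info` fact this loop reads is registered outside this hunk, so its shape is assumed from the `json_query` here.
```yaml
    - name: authorize ssh public keys
      authorized_key:
        user: "{{ item.0 }}"
        # all keys for this user at once, so exclusive can drop stale ones
        key: '{{ item.1 | map(attribute="ssh_public_key") | join("\n") }}'
        exclusive: true
      loop: "{{ hostvars | json_query(\"*.user_ssh_keys_info.results[]\") | groupby('name') }}"
      loop_control:
        label: "{{ item.0 }}"
      # … unchanged: tags …
```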