2 changed files with 86 additions and 42 deletions
Split View
Diff Options
-
+65 -0templates/ssh_config.j2
-
+21 -42users.yaml
+ 65
- 0
templates/ssh_config.j2
View File
| @@ -0,0 +1,65 @@ | |||
| {{ ansible_managed | comment }} | |||
| # This is the ssh client system-wide configuration file. See | |||
| # ssh_config(5) for more information. This file provides defaults for | |||
| # users, and the values can be changed in per-user configuration files | |||
| # or on the command line. | |||
| # Configuration data is parsed as follows: | |||
| # 1. command line options | |||
| # 2. user-specific file | |||
| # 3. system-wide file | |||
| # Any configuration value is only changed the first time it is set. | |||
| # Thus, host-specific definitions should be at the beginning of the | |||
| # configuration file, and defaults at the end. | |||
| # Site-wide defaults for some commonly used options. For a comprehensive | |||
| # list of available options, their meanings and defaults, please see the | |||
| # ssh_config(5) man page. | |||
| Host * | |||
| # ForwardAgent no | |||
| # ForwardX11 no | |||
| # ForwardX11Trusted yes | |||
| # RhostsRSAAuthentication no | |||
| # RSAAuthentication yes | |||
| # PasswordAuthentication yes | |||
| # HostbasedAuthentication no | |||
| # GSSAPIAuthentication no | |||
| # GSSAPIDelegateCredentials no | |||
| # GSSAPIKeyExchange no | |||
| # GSSAPITrustDNS no | |||
| # BatchMode no | |||
| # CheckHostIP yes | |||
| # AddressFamily any | |||
| # ConnectTimeout 0 | |||
| # StrictHostKeyChecking ask | |||
| # IdentityFile ~/.ssh/identity | |||
| # IdentityFile ~/.ssh/id_rsa | |||
| # IdentityFile ~/.ssh/id_dsa | |||
| # IdentityFile ~/.ssh/id_ecdsa | |||
| # IdentityFile ~/.ssh/id_ed25519 | |||
| # Port 22 | |||
| # Protocol 2 | |||
| # Cipher 3des | |||
| # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc | |||
| # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 | |||
| # EscapeChar ~ | |||
| # Tunnel no | |||
| # TunnelDevice any:any | |||
| # PermitLocalCommand no | |||
| # VisualHostKey no | |||
| # ProxyCommand ssh -q -W %h:%p gateway.example.com | |||
| # RekeyLimit 1G 1h | |||
| SendEnv LANG LC_* | |||
| HashKnownHosts yes | |||
| GSSAPIAuthentication yes | |||
| Host kita-stjs-server | |||
| HostName 192.168.61.8 | |||
| Host kita-stma-server | |||
| HostName kita-stma-9 | |||
| Host kita-stwg-server | |||
| HostName 172.23.63.9 | |||
+ 21
- 42
users.yaml
View File
| @@ -6,54 +6,33 @@ | |||
| - laptops | |||
| remote_user: root | |||
| roles: | |||
| - name: root_user | |||
| - name: users | |||
| - hosts: desktops:laptops | |||
| remote_user: root | |||
| tasks: | |||
| - fetch: | |||
| src: /etc/ssh/ssh_host_ed25519_key.pub | |||
| dest: host_files/{{ inventory_hostname }} | |||
| - name: /etc/ssh/ssh_config | |||
| template: | |||
| src: ssh_config.j2 | |||
| dest: /etc/ssh/ssh_config | |||
| - name: /etc/ssh/ssh_known_hosts | |||
| template: | |||
| src: ssh_known_hosts.j2 | |||
| dest: /etc/ssh/ssh_known_hosts | |||
| mode: 'u=rw,g=r,o=r' | |||
| - hosts: | |||
| - servers | |||
| - desktops | |||
| - laptops | |||
| remote_user: root | |||
| tasks: | |||
| - name: fetch ssh public keys | |||
| fetch: | |||
| src: /home/{{item}}/.ssh/id_ed25519.pub | |||
| dest: host_files | |||
| fail_on_missing: yes | |||
| loop: "{{ users.keys() | list }}" | |||
| - name: delete ssh known hosts user files | |||
| shell: rm /home/*/.ssh/known_hosts | |||
| failed_when: false | |||
| # - hosts: desktops:laptops | |||
| # remote_user: root | |||
| # tasks: | |||
| # - name: /etc/ssh/ssh_config | |||
| # template: | |||
| # src: ssh_config.j2 | |||
| # dest: /etc/ssh/ssh_config | |||
| # - name: ssh known hosts | |||
| # known_hosts: | |||
| # name: "{{item}}" | |||
| # key: "{{item}},{{hostvars[item].ansible_default_ipv4.address}} {{hostvars[item].ansible_ssh_host_key_ed25519_public_keytype}} {{hostvars[item].ansible_ssh_host_key_ed25519_public}}" | |||
| # path: /etc/ssh/ssh_known_hosts | |||
| # loop: "{{groups.servers}}" | |||
| - hosts: | |||
| - servers | |||
| remote_user: root | |||
| tasks: | |||
| - name: read ssh public keys | |||
| local_action: command fish -c 'cat host_files/*/home/{{item}}/.ssh/id_ed25519.pub' | |||
| loop: "{{ users.keys() | list }}" | |||
| register: _ssh_public_keys | |||
| - name: authorize ssh public keys | |||
| copy: | |||
| content: "{{ _ssh_public_keys | json_query(\"results[?item=='\"+item+\"'].stdout\") | join(\"\n\") }}" | |||
| dest: /home/{{item}}/.ssh/authorized_keys | |||
| loop: "{{ users.keys() | list }}" | |||
| authorized_key: | |||
| user: "{{item.name}}" | |||
| key: "{{item.ssh_public_key}}" | |||
| loop: "{{ hostvars | json_query(\"*.user_ssh_keys_info.results[]\") }}" | |||
| loop_control: | |||
| label: "{{ item.name }}" | |||
| tags: | |||
| - users | |||