2 changed files with 86 additions and 42 deletions
Unified View
Diff Options
-
+65 -0templates/ssh_config.j2
-
+21 -42users.yaml
+ 65
- 0
templates/ssh_config.j2
View File
| @@ -0,0 +1,65 @@ | |||||
| {{ ansible_managed | comment }} | |||||
| # This is the ssh client system-wide configuration file. See | |||||
| # ssh_config(5) for more information. This file provides defaults for | |||||
| # users, and the values can be changed in per-user configuration files | |||||
| # or on the command line. | |||||
| # Configuration data is parsed as follows: | |||||
| # 1. command line options | |||||
| # 2. user-specific file | |||||
| # 3. system-wide file | |||||
| # Any configuration value is only changed the first time it is set. | |||||
| # Thus, host-specific definitions should be at the beginning of the | |||||
| # configuration file, and defaults at the end. | |||||
| # Site-wide defaults for some commonly used options. For a comprehensive | |||||
| # list of available options, their meanings and defaults, please see the | |||||
| # ssh_config(5) man page. | |||||
| Host * | |||||
| # ForwardAgent no | |||||
| # ForwardX11 no | |||||
| # ForwardX11Trusted yes | |||||
| # RhostsRSAAuthentication no | |||||
| # RSAAuthentication yes | |||||
| # PasswordAuthentication yes | |||||
| # HostbasedAuthentication no | |||||
| # GSSAPIAuthentication no | |||||
| # GSSAPIDelegateCredentials no | |||||
| # GSSAPIKeyExchange no | |||||
| # GSSAPITrustDNS no | |||||
| # BatchMode no | |||||
| # CheckHostIP yes | |||||
| # AddressFamily any | |||||
| # ConnectTimeout 0 | |||||
| # StrictHostKeyChecking ask | |||||
| # IdentityFile ~/.ssh/identity | |||||
| # IdentityFile ~/.ssh/id_rsa | |||||
| # IdentityFile ~/.ssh/id_dsa | |||||
| # IdentityFile ~/.ssh/id_ecdsa | |||||
| # IdentityFile ~/.ssh/id_ed25519 | |||||
| # Port 22 | |||||
| # Protocol 2 | |||||
| # Cipher 3des | |||||
| # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc | |||||
| # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 | |||||
| # EscapeChar ~ | |||||
| # Tunnel no | |||||
| # TunnelDevice any:any | |||||
| # PermitLocalCommand no | |||||
| # VisualHostKey no | |||||
| # ProxyCommand ssh -q -W %h:%p gateway.example.com | |||||
| # RekeyLimit 1G 1h | |||||
| SendEnv LANG LC_* | |||||
| HashKnownHosts yes | |||||
| GSSAPIAuthentication yes | |||||
| Host kita-stjs-server | |||||
| HostName 192.168.61.8 | |||||
| Host kita-stma-server | |||||
| HostName kita-stma-9 | |||||
| Host kita-stwg-server | |||||
| HostName 172.23.63.9 | |||||
+ 21
- 42
users.yaml
View File
| @@ -6,54 +6,33 @@ | |||||
| - laptops | - laptops | ||||
| remote_user: root | remote_user: root | ||||
| roles: | roles: | ||||
| - name: root_user | |||||
| - name: users | - name: users | ||||
| - hosts: desktops:laptops | |||||
| remote_user: root | |||||
| tasks: | |||||
| - fetch: | |||||
| src: /etc/ssh/ssh_host_ed25519_key.pub | |||||
| dest: host_files/{{ inventory_hostname }} | |||||
| - name: /etc/ssh/ssh_config | |||||
| template: | |||||
| src: ssh_config.j2 | |||||
| dest: /etc/ssh/ssh_config | |||||
| - name: /etc/ssh/ssh_known_hosts | |||||
| template: | |||||
| src: ssh_known_hosts.j2 | |||||
| dest: /etc/ssh/ssh_known_hosts | |||||
| mode: 'u=rw,g=r,o=r' | |||||
| - hosts: | |||||
| - servers | |||||
| - desktops | |||||
| - laptops | |||||
| remote_user: root | |||||
| tasks: | |||||
| - name: fetch ssh public keys | |||||
| fetch: | |||||
| src: /home/{{item}}/.ssh/id_ed25519.pub | |||||
| dest: host_files | |||||
| fail_on_missing: yes | |||||
| loop: "{{ users.keys() | list }}" | |||||
| - name: delete ssh known hosts user files | |||||
| shell: rm /home/*/.ssh/known_hosts | |||||
| failed_when: false | |||||
| # - hosts: desktops:laptops | |||||
| # remote_user: root | |||||
| # tasks: | |||||
| # - name: /etc/ssh/ssh_config | |||||
| # template: | |||||
| # src: ssh_config.j2 | |||||
| # dest: /etc/ssh/ssh_config | |||||
| # - name: ssh known hosts | |||||
| # known_hosts: | |||||
| # name: "{{item}}" | |||||
| # key: "{{item}},{{hostvars[item].ansible_default_ipv4.address}} {{hostvars[item].ansible_ssh_host_key_ed25519_public_keytype}} {{hostvars[item].ansible_ssh_host_key_ed25519_public}}" | |||||
| # path: /etc/ssh/ssh_known_hosts | |||||
| # loop: "{{groups.servers}}" | |||||
| - hosts: | - hosts: | ||||
| - servers | - servers | ||||
| remote_user: root | remote_user: root | ||||
| tasks: | tasks: | ||||
| - name: read ssh public keys | |||||
| local_action: command fish -c 'cat host_files/*/home/{{item}}/.ssh/id_ed25519.pub' | |||||
| loop: "{{ users.keys() | list }}" | |||||
| register: _ssh_public_keys | |||||
| - name: authorize ssh public keys | - name: authorize ssh public keys | ||||
| copy: | |||||
| content: "{{ _ssh_public_keys | json_query(\"results[?item=='\"+item+\"'].stdout\") | join(\"\n\") }}" | |||||
| dest: /home/{{item}}/.ssh/authorized_keys | |||||
| loop: "{{ users.keys() | list }}" | |||||
| authorized_key: | |||||
| user: "{{item.name}}" | |||||
| key: "{{item.ssh_public_key}}" | |||||
| loop: "{{ hostvars | json_query(\"*.user_ssh_keys_info.results[]\") }}" | |||||
| loop_control: | |||||
| label: "{{ item.name }}" | |||||
| tags: | |||||
| - users | |||||