diff options
-rw-r--r-- | ssh-key-renewal.yml | 174 |
1 files changed, 174 insertions, 0 deletions
diff --git a/ssh-key-renewal.yml b/ssh-key-renewal.yml new file mode 100644 index 0000000..788b104 --- /dev/null +++ b/ssh-key-renewal.yml @@ -0,0 +1,174 @@ +--- +# abstract: if we find vars.pubkey_string inside one of the ssh public host key files, we will regenerate +# all of them. +- hosts: "{{ runtime_hosts | default('CHANGEME') }}" + vars: + host_key_checking: false + pubkey_string: "CHANGEME" + gather_facts: false + tasks: + - name: Gather necessary facts + setup: + gather_subset: + - "distribution" + - "distribution_version" + - "lsb" + - "default_ipv4" + - "env" + - name: Set up Red Hat and derivatives + debug: + msg: "System is {{ansible_distribution}} {{ansible_distribution_version}} ({{ansible_lsb.description}}), checking in." + when: ansible_distribution_file_variety == "RedHat" + changed_when: true + notify: "redhat" + - name: Set up Debian and derivatives + debug: + msg: "System is {{ansible_distribution}} {{ansible_distribution_version}} ({{ansible_lsb.description}}), checking in." + when: ansible_distribution_file_variety == "Debian" + changed_when: true + notify: "debian" + - name: Set up SUSE and derivatives + debug: + msg: "System is {{ansible_distribution}} {{ansible_distribution_version}} ({{ansible_lsb.description}}), checking in." + # SuSE was "renamed" to SUSE somewhen around SLES 11 (now SLE :-} ), so we'll check for both. Even though generation 11 + # repositories should be pretty ...deaddish by now. + when: ansible_distribution_file_variety == "SUSE" or ansible_distribution_file_variety == "SuSE" + changed_when: true + notify: "suse" + - name: Set up Arch and derivatives + debug: + msg: "System is {{ansible_distribution}} ({{ansible_distribution_file_variety}}) ({{ansible_lsb.description}}), checking in." + when: ansible_distribution_file_variety == "Archlinux" + changed_when: true + notify: "arch" + handlers: + - name: Distro not implemented yet + debug: + msg: ":(" + listen: + - "suse" + - "arch" + - name: 'Find "{{vars.pubkey_string}}" in host keys (changed = yes, we will continue)' + # grep only fails if it finds nothing, so this is sufficient: + shell: "grep -i {{vars.pubkey_string}} /etc/ssh/ssh_host_*key.pub" + args: + warn: false + register: gres + failed_when: false + changed_when: gres.rc|int == 0 + listen: + - "redhat" + notify: + - "redhat upd" + become: true + - name: 'Find "{{vars.pubkey_string}}" in host keys (changed = yes, we will continue)' + # grep only fails if it finds nothing, so this is sufficient: + shell: "grep -i {{vars.pubkey_string}} /etc/ssh/ssh_host_*key.pub" + args: + warn: false + register: gres + failed_when: false + changed_when: gres.rc|int == 0 + listen: + - "debian" + notify: + - "debian upd" + become: true + # Cannot combine this way: it would only delete the public keys, the private + # keys never contain the comment :-) + # - name: Find old SSH keys + # find: + # paths: /etc/ssh + # patterns: "^ssh_host_.*key.pub$" + # use_regex: true + # contains: + # - "Tpl-MAVM-" + # - "tpl-mavm-" + # register: hkfiles + # listen: + # - "redhat upd" + # - "debian upd" + # become: true + - name: Gather all SSH key files + find: + paths: /etc/ssh + patterns: "^ssh_host_.*key.*$" + use_regex: true + register: hkfiles + listen: + - "redhat upd" + notify: + - "redhat del" + changed_when: hkfiles.files is defined + - name: Gather all SSH key files + find: + paths: /etc/ssh + patterns: "^ssh_host_.*key.*$" + use_regex: true + register: hkfiles + listen: + - "debian upd" + notify: + - "debian del" + changed_when: hkfiles.files is defined + - name: Remove SSH keys + file: + path: "{{item.path}}" + state: absent + with_items: "{{hkfiles.files}}" + listen: + - "redhat del" + notify: + - "redhat reg" + become: true + - name: Remove SSH keys + file: + path: "{{item.path}}" + state: absent + with_items: "{{hkfiles.files}}" + listen: + - "debian del" + notify: + - "debian reg" + become: true + - name: Trigger regeneration of SSH keys + shell: "/usr/sbin/dpkg-reconfigure openssh-server" + listen: "debian upd" + notify: "debian reg" + become: true + - name: Restart SSH daemon to trigger regeneration of / loading of regenerated keys + systemd: + name: "sshd" + state: "restarted" + listen: + - "debian reg" + - "redhat reg" + become: true + - name: Remove host key from the machine and user executing the playbook + # remote_user: root + known_hosts: + name: "{{ item }}" + state: absent + delegate_to: localhost + loop: + - "{{inventory_hostname}}" + - "{{ansible_default_ipv4.address}}" + - "{{ansible_hostname}}" + - "{{ansible_fqdn}}" + - "{{ansible_nodename}}" + listen: + - "debian reg" + - "redhat reg" + # - name: Add host key to the machine and user executing the playbook + # known_hosts: + # state: present + # name: "{{ansible_hostname}}" + # delegate_to: localhost + # listen: + # - "debian reg" + # - "redhat reg" + - name: Verify SSH reachability + ping: + listen: + - "debian reg" + - "redhat reg" |