git.lirion.de

Of git, get, and gud

aboutsummaryrefslogtreecommitdiffstats
path: root/ssh-key-renewal.yml
diff options
context:
space:
mode:
Diffstat (limited to 'ssh-key-renewal.yml')
-rw-r--r--ssh-key-renewal.yml174
1 files changed, 174 insertions, 0 deletions
diff --git a/ssh-key-renewal.yml b/ssh-key-renewal.yml
new file mode 100644
index 0000000..788b104
--- /dev/null
+++ b/ssh-key-renewal.yml
@@ -0,0 +1,174 @@
+---
+# abstract: if we find vars.pubkey_string inside one of the ssh public host key files, we will regenerate
+# all of them.
+- hosts: "{{ runtime_hosts | default('CHANGEME') }}"
+ vars:
+ host_key_checking: false
+ pubkey_string: "CHANGEME"
+ gather_facts: false
+ tasks:
+ - name: Gather necessary facts
+ setup:
+ gather_subset:
+ - "distribution"
+ - "distribution_version"
+ - "lsb"
+ - "default_ipv4"
+ - "env"
+ - name: Set up Red Hat and derivatives
+ debug:
+ msg: "System is {{ansible_distribution}} {{ansible_distribution_version}} ({{ansible_lsb.description}}), checking in."
+ when: ansible_distribution_file_variety == "RedHat"
+ changed_when: true
+ notify: "redhat"
+ - name: Set up Debian and derivatives
+ debug:
+ msg: "System is {{ansible_distribution}} {{ansible_distribution_version}} ({{ansible_lsb.description}}), checking in."
+ when: ansible_distribution_file_variety == "Debian"
+ changed_when: true
+ notify: "debian"
+ - name: Set up SUSE and derivatives
+ debug:
+ msg: "System is {{ansible_distribution}} {{ansible_distribution_version}} ({{ansible_lsb.description}}), checking in."
+ # SuSE was "renamed" to SUSE somewhen around SLES 11 (now SLE :-} ), so we'll check for both. Even though generation 11
+ # repositories should be pretty ...deaddish by now.
+ when: ansible_distribution_file_variety == "SUSE" or ansible_distribution_file_variety == "SuSE"
+ changed_when: true
+ notify: "suse"
+ - name: Set up Arch and derivatives
+ debug:
+ msg: "System is {{ansible_distribution}} ({{ansible_distribution_file_variety}}) ({{ansible_lsb.description}}), checking in."
+ when: ansible_distribution_file_variety == "Archlinux"
+ changed_when: true
+ notify: "arch"
+ handlers:
+ - name: Distro not implemented yet
+ debug:
+ msg: ":("
+ listen:
+ - "suse"
+ - "arch"
+ - name: 'Find "{{vars.pubkey_string}}" in host keys (changed = yes, we will continue)'
+ # grep only fails if it finds nothing, so this is sufficient:
+ shell: "grep -i {{vars.pubkey_string}} /etc/ssh/ssh_host_*key.pub"
+ args:
+ warn: false
+ register: gres
+ failed_when: false
+ changed_when: gres.rc|int == 0
+ listen:
+ - "redhat"
+ notify:
+ - "redhat upd"
+ become: true
+ - name: 'Find "{{vars.pubkey_string}}" in host keys (changed = yes, we will continue)'
+ # grep only fails if it finds nothing, so this is sufficient:
+ shell: "grep -i {{vars.pubkey_string}} /etc/ssh/ssh_host_*key.pub"
+ args:
+ warn: false
+ register: gres
+ failed_when: false
+ changed_when: gres.rc|int == 0
+ listen:
+ - "debian"
+ notify:
+ - "debian upd"
+ become: true
+ # Cannot combine this way: it would only delete the public keys, the private
+ # keys never contain the comment :-)
+ # - name: Find old SSH keys
+ # find:
+ # paths: /etc/ssh
+ # patterns: "^ssh_host_.*key.pub$"
+ # use_regex: true
+ # contains:
+ # - "Tpl-MAVM-"
+ # - "tpl-mavm-"
+ # register: hkfiles
+ # listen:
+ # - "redhat upd"
+ # - "debian upd"
+ # become: true
+ - name: Gather all SSH key files
+ find:
+ paths: /etc/ssh
+ patterns: "^ssh_host_.*key.*$"
+ use_regex: true
+ register: hkfiles
+ listen:
+ - "redhat upd"
+ notify:
+ - "redhat del"
+ changed_when: hkfiles.files is defined
+ - name: Gather all SSH key files
+ find:
+ paths: /etc/ssh
+ patterns: "^ssh_host_.*key.*$"
+ use_regex: true
+ register: hkfiles
+ listen:
+ - "debian upd"
+ notify:
+ - "debian del"
+ changed_when: hkfiles.files is defined
+ - name: Remove SSH keys
+ file:
+ path: "{{item.path}}"
+ state: absent
+ with_items: "{{hkfiles.files}}"
+ listen:
+ - "redhat del"
+ notify:
+ - "redhat reg"
+ become: true
+ - name: Remove SSH keys
+ file:
+ path: "{{item.path}}"
+ state: absent
+ with_items: "{{hkfiles.files}}"
+ listen:
+ - "debian del"
+ notify:
+ - "debian reg"
+ become: true
+ - name: Trigger regeneration of SSH keys
+ shell: "/usr/sbin/dpkg-reconfigure openssh-server"
+ listen: "debian upd"
+ notify: "debian reg"
+ become: true
+ - name: Restart SSH daemon to trigger regeneration of / loading of regenerated keys
+ systemd:
+ name: "sshd"
+ state: "restarted"
+ listen:
+ - "debian reg"
+ - "redhat reg"
+ become: true
+ - name: Remove host key from the machine and user executing the playbook
+ # remote_user: root
+ known_hosts:
+ name: "{{ item }}"
+ state: absent
+ delegate_to: localhost
+ loop:
+ - "{{inventory_hostname}}"
+ - "{{ansible_default_ipv4.address}}"
+ - "{{ansible_hostname}}"
+ - "{{ansible_fqdn}}"
+ - "{{ansible_nodename}}"
+ listen:
+ - "debian reg"
+ - "redhat reg"
+ # - name: Add host key to the machine and user executing the playbook
+ # known_hosts:
+ # state: present
+ # name: "{{ansible_hostname}}"
+ # delegate_to: localhost
+ # listen:
+ # - "debian reg"
+ # - "redhat reg"
+ - name: Verify SSH reachability
+ ping:
+ listen:
+ - "debian reg"
+ - "redhat reg"