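---
# Abstract: if pubkey_string is found inside one of the SSH public host key files of a
# host, ALL of that host's SSH host keys are removed and regenerated, sshd is restarted
# and the stale known_hosts entries on the controller are dropped.
#
# Flow, per distro family, driven by handler "listen" topics (handlers run in the order
# they are defined below, so the chain is only correct while that order is kept):
#   task "Set up <family>"        -> notify "<family>"
#   "Find ... in host keys"       -> notify "<family> upd"   (only when grep matches)
#   "Gather all SSH key files"    -> notify "<family> del"   (only when files matched)
#   "Remove SSH keys"             -> notify "<family> reg"
#   Debian only: dpkg-reconfigure openssh-server   (also listens on "debian upd")
#   "Restart SSH daemon", print new fingerprints, known_hosts cleanup, reachability.
#
# Required extra vars: runtime_hosts (target host pattern) and pubkey_string (the literal
# marker to look for in the public key comment, e.g. -e pubkey_string=Tpl-MAVM-).
- hosts: "{{ runtime_hosts | default('CHANGEME') }}"
  vars:
    # NOTE(review): host_key_checking is not a play keyword; host key checking is an
    # ansible.cfg / ANSIBLE_HOST_KEY_CHECKING setting, so this var most likely has no
    # effect here. Left in place in case something external reads it.
    host_key_checking: false
    pubkey_string: "CHANGEME"
  gather_facts: false
  tasks:
    # Fail early instead of silently grepping for the placeholder on every host.
    - name: Refuse to run with the placeholder pubkey_string
      assert:
        that:
          - 'pubkey_string | length > 0'
          - 'pubkey_string != "CHANGEME"'
        fail_msg: "Set pubkey_string (e.g. -e pubkey_string=...) before running this playbook."

    # Only the subsets the play needs; "min" facts (hostname, fqdn, nodename) are always
    # included by setup.
    - name: Gather necessary facts
      setup:
        gather_subset:
          - "distribution"
          - "distribution_version"
          - "lsb"
          - "default_ipv4"
          - "env"

    # ansible_lsb is an empty dict on hosts without lsb_release, hence the default().
    - name: Set up Red Hat and derivatives
      debug:
        msg: "System is {{ ansible_distribution }} {{ ansible_distribution_version }} ({{ ansible_lsb.description | default('no LSB info') }}), checking in."
      when: ansible_distribution_file_variety == "RedHat"
      changed_when: true
      notify: "redhat"

    - name: Set up Debian and derivatives
      debug:
        msg: "System is {{ ansible_distribution }} {{ ansible_distribution_version }} ({{ ansible_lsb.description | default('no LSB info') }}), checking in."
      when: ansible_distribution_file_variety == "Debian"
      changed_when: true
      notify: "debian"

    - name: Set up SUSE and derivatives
      debug:
        msg: "System is {{ ansible_distribution }} {{ ansible_distribution_version }} ({{ ansible_lsb.description | default('no LSB info') }}), checking in."
      # SuSE was "renamed" to SUSE somewhen around SLES 11 (now SLE :-} ), so we'll check
      # for both, even though generation 11 repositories should be pretty ...deaddish by now.
      when: ansible_distribution_file_variety == "SUSE" or ansible_distribution_file_variety == "SuSE"
      changed_when: true
      notify: "suse"

    - name: Set up Arch and derivatives
      debug:
        msg: "System is {{ ansible_distribution }} ({{ ansible_distribution_file_variety }}) ({{ ansible_lsb.description | default('no LSB info') }}), checking in."
      when: ansible_distribution_file_variety == "Archlinux"
      changed_when: true
      notify: "arch"

  handlers:
    - name: Distro not implemented yet
      debug:
        msg: ":("
      listen:
        - "suse"
        - "arch"

    # grep exits 0 on a match, 1 when nothing matched and 2 on an error (unreadable or
    # missing file). Only rc 2 is a failure; rc 0 drives the rest of the chain.
    # The pattern is shell-quoted and preceded by "--" so that a value containing shell
    # metacharacters or a leading "-" can neither be expanded by the shell nor be parsed
    # as a grep option. The glob needs a shell, hence "shell" instead of "command".
    - name: 'Find "{{ pubkey_string }}" in host keys (changed = yes, we will continue)'
      shell: "grep -i -- {{ pubkey_string | quote }} /etc/ssh/ssh_host_*key.pub"
      args:
        # NOTE(review): "warn" was dropped in newer ansible-core releases; remove this
        # option if the installed version rejects it.
        warn: false
      register: gres
      failed_when: gres.rc | int > 1
      changed_when: gres.rc | int == 0
      listen:
        - "redhat"
      notify:
        - "redhat upd"
      become: true

    - name: 'Find "{{ pubkey_string }}" in host keys (changed = yes, we will continue)'
      # Same as above, Debian branch of the chain.
      shell: "grep -i -- {{ pubkey_string | quote }} /etc/ssh/ssh_host_*key.pub"
      args:
        warn: false
      register: gres
      failed_when: gres.rc | int > 1
      changed_when: gres.rc | int == 0
      listen:
        - "debian"
      notify:
        - "debian upd"
      become: true

    # Cannot combine the search and the collection with a single "find ... contains:":
    # it would only match the public keys, the private keys never contain the comment :-)
    # (previous attempt, kept for reference)
    # - name: Find old SSH keys
    #   find:
    #     paths: /etc/ssh
    #     patterns: "^ssh_host_.*key.pub$"
    #     use_regex: true
    #     contains:
    #       - "Tpl-MAVM-"
    #       - "tpl-mavm-"
    #   register: hkfiles
    #   listen:
    #     - "redhat upd"
    #     - "debian upd"
    #   become: true

    # "files is defined" was always true once the module had run; only continue to the
    # deletion step when something actually matched.
    - name: Gather all SSH key files
      find:
        paths: /etc/ssh
        patterns: "^ssh_host_.*key.*$"
        use_regex: true
      register: hkfiles
      listen:
        - "redhat upd"
      notify:
        - "redhat del"
      changed_when: hkfiles.matched | int > 0

    - name: Gather all SSH key files
      find:
        paths: /etc/ssh
        patterns: "^ssh_host_.*key.*$"
        use_regex: true
      register: hkfiles
      listen:
        - "debian upd"
      notify:
        - "debian del"
      changed_when: hkfiles.matched | int > 0

    # Private and public key files are removed together; the restart below (RedHat) or
    # dpkg-reconfigure (Debian) recreates the missing ones.
    - name: Remove SSH keys
      file:
        path: "{{ item.path }}"
        state: absent
      loop: "{{ hkfiles.files }}"
      listen:
        - "redhat del"
      notify:
        - "redhat reg"
      become: true

    - name: Remove SSH keys
      file:
        path: "{{ item.path }}"
        state: absent
      loop: "{{ hkfiles.files }}"
      listen:
        - "debian del"
      notify:
        - "debian reg"
      become: true

    # No shell features are used, so "command" is sufficient and avoids a shell.
    # NOTE(review): if the run ever blocks on a debconf prompt, set
    # DEBIAN_FRONTEND=noninteractive via "environment:" on this handler — confirm first.
    - name: Trigger regeneration of SSH keys
      command: /usr/sbin/dpkg-reconfigure openssh-server
      listen: "debian upd"
      notify: "debian reg"
      become: true

    - name: Restart SSH daemon to trigger regeneration of / loading of regenerated keys
      systemd:
        name: "sshd"
        state: "restarted"
      listen:
        - "debian reg"
        - "redhat reg"
      become: true

    # The controller's known_hosts entries are dropped below and the next connection will
    # trust whatever key the host presents. Print the new fingerprints so they can be
    # recorded and compared out of band (console, inventory) before the new key is trusted.
    - name: Read fingerprints of the regenerated host keys
      shell: 'for f in /etc/ssh/ssh_host_*key.pub; do ssh-keygen -lf "$f"; done'
      register: hk_fingerprints
      changed_when: false
      listen:
        - "debian reg"
        - "redhat reg"

    - name: Show fingerprints of the regenerated host keys
      debug:
        var: hk_fingerprints.stdout_lines
      listen:
        - "debian reg"
        - "redhat reg"

    # Names that could not be determined (e.g. a host without a default IPv4) are skipped
    # instead of aborting the chain on an undefined attribute.
    - name: Remove host key from the machine and user executing the playbook
      known_hosts:
        name: "{{ item }}"
        state: absent
      delegate_to: localhost
      loop:
        - "{{ inventory_hostname }}"
        - "{{ ansible_default_ipv4.address | default('') }}"
        - "{{ ansible_hostname | default('') }}"
        - "{{ ansible_fqdn | default('') }}"
        - "{{ ansible_nodename | default('') }}"
      when: item | length > 0
      listen:
        - "debian reg"
        - "redhat reg"

    # (not enabled: re-adding the key automatically would trust it without verification)
    # - name: Add host key to the machine and user executing the playbook
    #   known_hosts:
    #     state: present
    #     name: "{{ ansible_hostname }}"
    #   delegate_to: localhost
    #   listen:
    #     - "debian reg"
    #     - "redhat reg"

    # NOTE(review): with ControlPersist enabled this ping may reuse the connection that
    # is already open and therefore not exercise the new host key; a fresh ssh session
    # is the real test.
    - name: Verify SSH reachability
      ping:
      listen:
        - "debian reg"
        - "redhat reg"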