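---
# Abstract: if vars.pubkey_string is found inside one of the SSH public host
# key files of a host, every SSH host key of that host is removed and
# regenerated, the stale entries for the host are dropped from the controller's
# known_hosts, and reachability is verified afterwards.
#
# The work is done by handlers chained through listen/notify. Ansible runs
# handlers in the order they are defined, so a handler notified by another
# handler only runs in the same flush when it is defined further down; keep
# the definition order of the handlers section when editing.
#   Debian: "debian" -> "debian upd" -> "debian del" -> "debian reg"
#   RedHat: "redhat" -> "redhat upd" -> "redhat del" -> "redhat reg"
#   SUSE / Arch: only a placeholder handler, nothing is changed.
- hosts: "{{ runtime_hosts | default('CHANGEME') }}"
  vars:
    # NOTE(review): host_key_checking is not a play keyword, so this var is not
    # read by Ansible itself; host key checking is controlled by ansible.cfg or
    # ANSIBLE_HOST_KEY_CHECKING. It has to be disabled there, otherwise the
    # final ping fails against the freshly generated host key. Kept in case a
    # wrapper reads it - confirm.
    host_key_checking: false
    # Marker to look for in the public host key files (typically the comment of
    # a template key). Matched case-insensitively as a literal string.
    pubkey_string: "CHANGEME"
  gather_facts: false
  tasks:
    # Only the facts the play needs: distribution (for the dispatch below) and
    # the names/addresses used to clean the controller's known_hosts.
    - name: Gather necessary facts
      setup:
        gather_subset:
          - "distribution"
          - "distribution_version"
          - "lsb"
          - "default_ipv4"
          - "env"
    # The debug tasks below are dispatchers only: changed_when: true forces a
    # notify of the distro-specific handler chain. ansible_lsb.description is
    # missing where lsb_release is not installed; the default keeps the task
    # (and with it the notify) from failing on such hosts.
    - name: Set up Red Hat and derivatives
      debug:
        msg: "System is {{ ansible_distribution }} {{ ansible_distribution_version }} ({{ ansible_lsb.description | default('no LSB info') }}), checking in."
      when: ansible_distribution_file_variety == "RedHat"
      changed_when: true
      notify: "redhat"
    - name: Set up Debian and derivatives
      debug:
        msg: "System is {{ ansible_distribution }} {{ ansible_distribution_version }} ({{ ansible_lsb.description | default('no LSB info') }}), checking in."
      when: ansible_distribution_file_variety == "Debian"
      changed_when: true
      notify: "debian"
    - name: Set up SUSE and derivatives
      debug:
        msg: "System is {{ ansible_distribution }} {{ ansible_distribution_version }} ({{ ansible_lsb.description | default('no LSB info') }}), checking in."
      # SuSE was "renamed" to SUSE somewhen around SLES 11 (now SLE :-} ), so we'll
      # check for both. Even though generation 11 repositories should be pretty
      # ...deaddish by now.
      when: ansible_distribution_file_variety == "SUSE" or ansible_distribution_file_variety == "SuSE"
      changed_when: true
      notify: "suse"
    - name: Set up Arch and derivatives
      debug:
        msg: "System is {{ ansible_distribution }} ({{ ansible_distribution_file_variety }}) ({{ ansible_lsb.description | default('no LSB info') }}), checking in."
      when: ansible_distribution_file_variety == "Archlinux"
      changed_when: true
      notify: "arch"
  handlers:
    - name: Distro not implemented yet
      debug:
        msg: ":("
      listen:
        - "suse"
        - "arch"
    - name: 'Find "{{ vars.pubkey_string }}" in host keys (changed = yes, we will continue)'
      # grep exits 0 only when it matched, so the return code is the whole test.
      # pubkey_string is a variable and therefore untrusted input for the shell:
      #   -F     match it literally, not as a regular expression
      #   -e     a marker starting with "-" is not mistaken for an option
      #   quote  shell-quote it so it cannot alter the command line
      # The glob needs a shell, hence shell: rather than command:. The former
      # "args: warn: false" was dropped: the shell module no longer accepts warn.
      shell: "grep -i -F -e {{ vars.pubkey_string | quote }} /etc/ssh/ssh_host_*key.pub"
      register: gres
      # rc 1 = no match, rc 2 = error (e.g. no key files): neither is a play
      # failure, both only mean "nothing to do on this host".
      failed_when: false
      changed_when: gres.rc | int == 0
      listen:
        - "redhat"
      notify:
        - "redhat upd"
      become: true
    - name: 'Find "{{ vars.pubkey_string }}" in host keys (changed = yes, we will continue)'
      # Same test as above, for the Debian chain (see the RedHat handler for the
      # reasoning behind the grep flags and the quoting).
      shell: "grep -i -F -e {{ vars.pubkey_string | quote }} /etc/ssh/ssh_host_*key.pub"
      register: gres
      failed_when: false
      changed_when: gres.rc | int == 0
      listen:
        - "debian"
      notify:
        - "debian upd"
      become: true
    # Cannot combine this way: it would only delete the public keys, the private
    # keys never contain the comment :-)
    # - name: Find old SSH keys
    #   find:
    #     paths: /etc/ssh
    #     patterns: "^ssh_host_.*key.pub$"
    #     use_regex: true
    #     contains:
    #       - "Tpl-MAVM-"
    #       - "tpl-mavm-"
    #   register: hkfiles
    #   listen:
    #     - "redhat upd"
    #     - "debian upd"
    #   become: true
    - name: Gather all SSH key files
      # Lists private and public host keys alike. find always registers .files,
      # so changed_when is always true here: it only exists to pass the chain on.
      find:
        paths: /etc/ssh
        patterns: "^ssh_host_.*key.*$"
        use_regex: true
      register: hkfiles
      listen:
        - "redhat upd"
      notify:
        - "redhat del"
      changed_when: hkfiles.files is defined
      become: true
    - name: Gather all SSH key files
      find:
        paths: /etc/ssh
        patterns: "^ssh_host_.*key.*$"
        use_regex: true
      register: hkfiles
      listen:
        - "debian upd"
      notify:
        - "debian del"
      changed_when: hkfiles.files is defined
      become: true
    - name: Remove SSH keys
      file:
        path: "{{ item.path }}"
        state: absent
      loop: "{{ hkfiles.files }}"
      loop_control:
        # log the path only instead of the full stat record of each file
        label: "{{ item.path }}"
      listen:
        - "redhat del"
      notify:
        - "redhat reg"
      become: true
    - name: Remove SSH keys
      file:
        path: "{{ item.path }}"
        state: absent
      loop: "{{ hkfiles.files }}"
      loop_control:
        label: "{{ item.path }}"
      listen:
        - "debian del"
      notify:
        - "debian reg"
      become: true
    - name: Trigger regeneration of SSH keys
      # Debian only: reconfiguring openssh-server recreates the host keys that
      # were just removed. No shell features are needed, so command: is used;
      # the noninteractive frontend keeps debconf from prompting (no tty here).
      command: "/usr/sbin/dpkg-reconfigure -f noninteractive openssh-server"
      listen: "debian upd"
      notify: "debian reg"
      become: true
    - name: Restart SSH daemon to trigger regeneration of / loading of regenerated keys
      # NOTE(review): on the RedHat chain nothing above recreates the keys; this
      # relies on sshd.service pulling in the sshd-keygen unit(s) on start to
      # generate the missing keys. Confirm on the target release - if it does
      # not, sshd fails to start and the host becomes unreachable.
      systemd:
        name: "sshd"
        state: "restarted"
      listen:
        - "debian reg"
        - "redhat reg"
      become: true
    - name: Remove host key from the machine and user executing the playbook
      # remote_user: root
      # Runs on the controller as the user running the playbook and drops the
      # stale entries for every name/address the host may be known under.
      # A host without a default IPv4 route has no ansible_default_ipv4.address;
      # the default/select pair skips that entry instead of failing the task.
      known_hosts:
        name: "{{ item }}"
        state: absent
      delegate_to: localhost
      loop: >-
        {{ [inventory_hostname,
        ansible_default_ipv4.address | default(''),
        ansible_hostname, ansible_fqdn, ansible_nodename]
        | select | unique | list }}
      listen:
        - "debian reg"
        - "redhat reg"
    # - name: Add host key to the machine and user executing the playbook
    #   known_hosts:
    #     state: present
    #     name: "{{ansible_hostname}}"
    #   delegate_to: localhost
    #   listen:
    #     - "debian reg"
    #     - "redhat reg"
    - name: Verify SSH reachability
      # Opens a fresh connection after the restart: succeeds only if the
      # regenerated key is accepted, i.e. host key checking is disabled on the
      # controller (see the note on host_key_checking above).
      ping:
      listen:
        - "debian reg"
        - "redhat reg"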