diff --git a/README.md b/README.md
index 12edbfa..49e786b 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,10 @@ Yet another ansible's playbook repository
 * Common
 * provides **common** configuration
 * https://github.com/nojhan/liquidprompt <3
+* SSH keys
+ * provides ssh keys deployement and blacklist
+ * possibility to use dictionnaries to list keys
+ * possibility to deploy different pools of keys on different servers with ansible hash_behaviour = merge
 * Update
 * allow install all update on hosts (tag normal)
 * allow update specific packages from list (tags packages)
@@ -77,7 +81,8 @@ Yet another ansible's playbook repository
 ```yaml
 ---
-admin_ssh_keys: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZXK3ufonx+zNQ1x6cSWuUWckB/xf9sKZ+mRgY5SPXzqrxSkqNSmr9JQ6xzvhxKEVcFWsi50op1WWtRo3HG3p3+EHKXeCyzt5QnczDlVOoQbB8kgI0byKcvXux1inL4/Q4DbVLUbDFnynD/C5aAyYMYePahMxR+AQr60DD+7Ty6pcEVih1wwHIlxWziY1EF6sEzQwz/PiTxWIZkKHl/WPGagS9Pp/5nQfdZy0AS/JqbzNyMEg51+XedADuqseV4GXDzrzDYLJXJFv1PFVJxRWLrjChKrUMqyszUySkZMr5YSPXlsV0bi+0xivYEsXvIkLORV96JTZosYbV+0aFKDPv root@debian
+admin_ssh_keys:
+ 0: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZXK3ufonx+zNQ1x6cSWuUWckB/xf9sKZ+mRgY5SPXzqrxSkqNSmr9JQ6xzvhxKEVcFWsi50op1WWtRo3HG3p3+EHKXeCyzt5QnczDlVOoQbB8kgI0byKcvXux1inL4/Q4DbVLUbDFnynD/C5aAyYMYePahMxR+AQr60DD+7Ty6pcEVih1wwHIlxWziY1EF6sEzQwz/PiTxWIZkKHl/WPGagS9Pp/5nQfdZy0AS/JqbzNyMEg51+XedADuqseV4GXDzrzDYLJXJFv1PFVJxRWLrjChKrUMqyszUySkZMr5YSPXlsV0bi+0xivYEsXvIkLORV96JTZosYbV+0aFKDPv root@debian
 default_packages_debian: htop
diff --git a/postint-full.yml b/postint-full.yml
index 3593949..c1dfe94 100644
--- a/postint-full.yml
+++ b/postint-full.yml
@@ -8,6 +8,7 @@
 roles:
 - common
+ - ssh-keys
 - xymon-client
 - rudder-node
diff --git a/postint.yml b/postint.yml
index 186f9e8..14f5391 100644
--- a/postint.yml
+++ b/postint.yml
@@ -8,5 +8,6 @@
 roles:
 - common
+ - ssh-keys
 # vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab:
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index de551ce..2ae5ce6 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -10,10 +10,6 @@
 when: ansible_distribution == 'Debian'
 # Check mandatory variables
-- name: Check vars
- fail: msg="Missing variable admin_ssh_keys"
- when: admin_ssh_keys is not defined
-
 - name: Check vars
 fail: msg="Missing variable default_packages_debian"
 when: default_packages_debian is not defined
@@ -30,12 +26,6 @@
 fail: msg="Missing variable disable_ipv6"
 when: disable_ipv6 is not defined
-# SSH
-- name: Deploy SSH keys
- tags: ssh_keys
- authorized_key: user=root key="{{item}}"
- with_items: "{{ admin_ssh_keys }}"
-
 # Packages
 - name: Install default packages Debian.
diff --git a/roles/ssh-keys/tasks/main.yml b/roles/ssh-keys/tasks/main.yml
new file mode 100644
index 0000000..04bb33c
--- /dev/null
+++ b/roles/ssh-keys/tasks/main.yml
@@ -0,0 +1,34 @@
+---
+# Synchronization des clefs SSH avec option de suppression via admin_blacklist_ssh_keys
+# En utilisant la variable hash_behaviour = merge dans la configuration ansible,
+# permet de deployer differentes clefs sur differentes serveurs en mergeant les dictionnaire
+
+- name: Check vars
+ fail:
+ msg: "Missing variable admin_ssh_keys"
+ tags: ssh_keys
+ when: admin_ssh_keys is not defined
+
+- name: Install libselinux-python needed for centos
+ tags: ssh_keys
+ yum:
+ name: libselinux-python
+ state: installed
+ when: ansible_distribution == 'CentOS'
+
+- name: Remove old SSH keys
+ tags: ssh_keys
+ authorized_key:
+ user: root
+ key: "{{ item.value }}"
+ state: absent
+ with_dict: "{{ admin_blacklist_ssh_keys }}"
+ when: admin_blacklist_ssh_keys is defined
+
+- name: Deploy SSH keys
+ tags: ssh_keys
+ authorized_key:
+ user: root
+ key: "{{ item.value }}"
+ state: present
+ with_dict: "{{ admin_ssh_keys }}"
\ No newline at end of file
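Review bot: A key listed in both admin_blacklist_ssh_keys and admin_ssh_keys ends up authorized on the host, because "Remove old SSH keys" (state: absent) runs before "Deploy SSH keys" (state: present) in roles/ssh-keys/tasks/main.yml and nothing filters the deploy loop; if the blacklist is meant to win, either swap the two tasks so the removal runs last, or guard the deploy task with `when: admin_blacklist_ssh_keys is not defined or item.value not in admin_blacklist_ssh_keys.values()`. The "Check vars" task only tests that admin_ssh_keys is defined, yet the README hunk in this commit changes the variable from a single string to a mapping, so an inventory still carrying the old string form fails later inside with_dict with a less direct message; `when: admin_ssh_keys is not defined or admin_ssh_keys is not mapping` would report it at the check instead. On the yum task, `state: installed` is an alias of `present`; the canonical value reads more clearly. The new file also ends without a trailing newline, as the "\ No newline at end of file" marker shows.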