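---
# Bootstraps SSH access to a freshly provisioned host/container and, on
# Alpine, replaces the default dropbear host keys with a single ed25519 key
# whose public half is pinned into the controller's known_hosts.
# Distribution-specific setup is delegated to alpine.yml / debian.yml at
# the end.
#
# Changes from the previous revision: booleans written as true/false
# throughout (the file mixed yes/no with true), the authorized_keys mode
# quoted so the YAML parser cannot re-type the octal literal, and the
# public-key extraction given a default so empty dropbearkey output reaches
# the explicit fail task instead of an undefined-variable error.

# Stage 1: reach the host. First try the normal connection; if that fails,
# fall back to password login with host key checking disabled. That fallback
# is a trust-on-first-use connection intended only for first provisioning
# and is reverted in stage 5.
- block:
    - name: try to connect
      wait_for_connection:
        timeout: 10

    - set_fact:
        ssh_ok: true

  rescue:
    # Remembered so the original value can be restored in stage 5.
    - name: save old ansible ssh args
      set_fact:
        old_ansible_ssh_extra_args: "{{ ansible_ssh_extra_args | d('') }}"

    # NOTE(review): `host_key_checking` set as a host fact does not look like
    # a connection-plugin variable; the effective disable here appears to be
    # the `-o StrictHostKeyChecking=no` appended to ansible_ssh_extra_args —
    # verify against the ssh connection plugin in use.
    - name: disable key checking and enable password login
      set_fact:
        ssh_ok: false
        host_key_checking: false
        ansible_password: "{{ container_password | d(host_password) }}"
        ansible_ssh_extra_args: "{{ ansible_ssh_extra_args | d('') }} -o StrictHostKeyChecking=no"

    # A failure inside the rescue fails the host; there is no third attempt.
    - name: try to connect without key checking
      wait_for_connection:
        timeout: 10


# Stage 2: minimal facts; only `ansible_distribution` is used below.
- name: gather facts
  setup:
    gather_subset:
      - min
      - distribution


# Stage 3: per-host SSH key. Skipped for the `containers` group, which
# presumably receives its key via `container_key` (see the authorized_keys
# task below) — verify.
- name: generate host ssh key
  include_tasks: gen_ssh_key.yml
  # `|` binds tighter than `==`, so this reads (use_ssh_keys | d(true)) == true.
  when: (use_ssh_keys | d(true) == true) and ('containers' not in group_names)


# Stage 4 (Alpine only): dropbear host-key hygiene. The stock DSS/RSA/ECDSA
# keys are removed, one ed25519 key is generated only if absent (so re-runs
# keep the same key), and its public half is pinned on the controller so
# later connections verify the host instead of relying on the stage 1
# fallback. Every change notifies `restart dropbear`, flushed in stage 5.
- block:
    - name: remove default dropbear keys
      file:
        path: "{{ (dropbear_dir, item) | path_join }}"
        state: absent
      loop:
        - dropbear_dss_host_key
        - dropbear_rsa_host_key
        - dropbear_ecdsa_host_key
      notify: restart dropbear

    - name: generate ed25519 dropbear key if missing
      command:
        cmd: "dropbearkey -t ed25519 -f {{ (dropbear_dir, 'dropbear_ed25519_host_key') | path_join | quote }}"
        creates: "{{ (dropbear_dir, 'dropbear_ed25519_host_key') | path_join }}"
      notify: restart dropbear

    # `dropbearkey -y` prints the public key; only the `ssh-ed25519 ...`
    # line of its output is kept by the next task.
    - name: get remote host public key
      command:
        cmd: "dropbearkey -y -f {{ (dropbear_dir, 'dropbear_ed25519_host_key') | path_join | quote }}"
      register: pubkey
      changed_when: false

    # `first` on an empty selection yields an undefined value, which would
    # abort this set_fact before the explicit fail task below could run; the
    # default turns that case into an empty string instead.
    - name: get actual public key
      set_fact:
        host_ssh_pubkey: "{{ pubkey.stdout_lines | map('regex_search', '^ssh-ed25519.*$') | select('string') | first | d('') }}"

    - name: fail if public key is missing
      fail:
        msg: "remote host ssh public key is missing"
      when: host_ssh_pubkey | length == 0

    # Pins the new host key for `ansible_host` in the controller's
    # known_hosts; from here on the host is verified on every connection.
    - name: add public key to known_hosts on ansible controller
      known_hosts:
        key: "{{ ansible_host }} {{ host_ssh_pubkey }}"
        name: "{{ ansible_host }}"
      delegate_to: localhost

    # dropbear options: -r <file> host key, -j/-k disable local/remote port
    # forwarding, -T 5 max auth attempts, -K 360 keepalive seconds, -I 7200
    # idle timeout seconds. The whole DROPBEAR_OPTS line is replaced, so any
    # option added by hand is lost on the next run.
    - name: edit dropbear conf file
      lineinfile:
        path: /etc/conf.d/dropbear
        regexp: '^DROPBEAR_OPTS=.*$'
        line: "DROPBEAR_OPTS=\"-r {{ (dropbear_dir, 'dropbear_ed25519_host_key') | path_join | quote }} -jk -T 5 -K 360 -I 7200\""
      notify: restart dropbear

    - name: copy dropbear init file
      copy:
        src: dropbear_init
        dest: /etc/init.d/dropbear
        force: true
      notify: restart dropbear

    # Mode is quoted so it stays the octal string "0400" through YAML parsing.
    - name: ensure remote host has ansible key in authorized_keys file
      lineinfile:
        path: /root/.ssh/authorized_keys
        line: "{{ container_key.public_key }}"
        create: true
        mode: "0400"
      when: container_key is defined and container_key.public_key is defined

  when: ansible_distribution == 'Alpine'


# Stage 5: apply pending dropbear restarts now, before the connection
# settings are reverted, so the reconnect below talks to the new daemon.
- name: flush handlers
  meta: flush_handlers


# Undo the stage 1 fallback and prove the connection works with the
# original settings.
# NOTE(review): whether `"{{ None }}"` clears ansible_password or leaves a
# string behind depends on the Ansible version's template finalization —
# confirm; the password should not be needed once authorized_keys holds the
# ansible key.
- name: if key checking was disabled
  block:
    - name: set it back on
      set_fact:
        host_key_checking: true
        ansible_ssh_extra_args: "{{ old_ansible_ssh_extra_args }}"
        ansible_password: "{{ None }}"

    - name: try to connect
      wait_for_connection:
        timeout: 10

    - set_fact:
        ssh_ok: true

  when: not ssh_ok


# Stage 6: register /etc with the backup role, then hand off to the
# distribution-specific task files.
- name: add etc directory to backup plan
  include_role:
    name: backup
  vars:
    function: add
    backup_items:
      - /etc


- name: alpine setup
  include_tasks: alpine.yml
  when: ansible_distribution == 'Alpine'


- name: debian setup
  include_tasks: debian.yml
  when: ansible_distribution == 'Debian'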