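# First contact with the host. The normal connection (key-based, strict host
# key checking) is tried first; if it fails, the rescue branch falls back to a
# password login with host key checking disabled so a freshly installed box
# can be bootstrapped. ssh_ok records which path worked so the override can be
# undone at the end of this file once the host's real key is known.
- name: establish an ssh connection
  block:
    - name: try to connect
      ansible.builtin.wait_for_connection:
        timeout: 10

    - ansible.builtin.set_fact:
        ssh_ok: true

  rescue:
    - name: save old ansible ssh args
      ansible.builtin.set_fact:
        old_ansible_ssh_extra_args: "{{ ansible_ssh_extra_args | d('') }}"

    # SECURITY: this branch sends host_password to whatever answers at
    # ansible_host without verifying its identity (trust on first use), so a
    # man-in-the-middle at first contact learns the root password. Only use it
    # on a network you control; if the host key fingerprint can be obtained
    # out of band, pre-seed known_hosts instead and drop this override. On an
    # OpenSSH >= 7.6 controller, `StrictHostKeyChecking=accept-new` is the
    # narrower option (accepts unknown keys, still refuses changed ones).
    - name: disable key checking and enable password login
      ansible.builtin.set_fact:
        ssh_ok: false
        # NOTE(review): `host_key_checking` does not appear to be a variable the
        # ssh connection plugin reads (that is ansible_host_key_checking or the
        # ansible.cfg setting); the StrictHostKeyChecking option below is what
        # takes effect. Kept as a flag in case other tasks test it.
        host_key_checking: false
        ansible_password: "{{ host_password }}"
        ansible_ssh_extra_args: "{{ ansible_ssh_extra_args | d('') }} -o StrictHostKeyChecking=no"
      # set_fact echoes its facts in verbose output; keep the password out of
      # the console and logs (this also censors an "undefined host_password"
      # error, so check that variable first if this task fails).
      no_log: true

    - name: try to connect without key checking
      ansible.builtin.wait_for_connection:
        timeout: 10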
# Collect only the minimal fact set plus the distribution, which the
# Alpine/Debian branches below key on.
- name: gather facts
  ansible.builtin.setup:
    gather_subset:
      - min
      - distribution
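# Create the per-host ssh key pair the controller will use from now on
# (gen_ssh_key.yml is expected to set host_ssh_key). Hosts in the
# "containers" group are excluded.
- name: generate host ssh key
  ansible.builtin.include_tasks: gen_ssh_key.yml
  # `| bool` so string values from -e / inventory ("false", "no") are honoured;
  # comparing a string to a boolean with `== true` is always false, which
  # would silently disable key generation for `-e use_ssh_keys=true`.
  when:
    - use_ssh_keys | d(true) | bool
    - "'containers' not in group_names"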
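# Alpine (dropbear) host setup: replace the distro-generated host keys with a
# single ed25519 key, pin that key on the controller, tighten dropbear's
# options, and install the controller's key for root.
- name: configure dropbear
  block:
    - name: remove default dropbear keys
      ansible.builtin.file:
        path: "{{ (dropbear_dir, item) | path_join }}"
        state: absent
      loop:
        - dropbear_dss_host_key
        - dropbear_rsa_host_key
        - dropbear_ecdsa_host_key
      notify: restart dropbear

    - name: generate ed25519 dropbear key if missing
      ansible.builtin.command:
        cmd: "dropbearkey -t ed25519 -f {{ (dropbear_dir, 'dropbear_ed25519_host_key') | path_join | quote }}"
        creates: "{{ (dropbear_dir, 'dropbear_ed25519_host_key') | path_join }}"
      notify: restart dropbear

    - name: get remote host public key
      ansible.builtin.command:
        cmd: "dropbearkey -y -f {{ (dropbear_dir, 'dropbear_ed25519_host_key') | path_join | quote }}"
      register: pubkey
      changed_when: false

    # dropbearkey -y prints several lines; keep only the "ssh-ed25519 ..." one.
    # `first` on an empty sequence yields an undefined value, which would abort
    # the play here with an opaque templating error instead of reaching the
    # explicit check below, so fall back to '' and let that check report it.
    - name: get actual public key
      ansible.builtin.set_fact:
        host_ssh_pubkey: "{{ pubkey.stdout_lines | map('regex_search', '^ssh-ed25519.*$') | select('string') | first | default('') }}"

    - name: fail if public key is missing
      ansible.builtin.fail:
        msg: "remote host ssh public key is missing"
      when: host_ssh_pubkey | length == 0

    # Pin the new host key on the controller so the strict-checking reconnect
    # at the end of this file succeeds. NOTE(review): `name` must match the
    # host exactly as ssh addresses it; a non-default ansible_port needs the
    # "[host]:port" form. Entries for the key types deleted above that a
    # StrictHostKeyChecking=no first contact may have auto-added into
    # known_hosts are not removed here.
    - name: add public key to known_hosts on ansible controller
      ansible.builtin.known_hosts:
        name: "{{ ansible_host }}"
        key: "{{ ansible_host }} {{ host_ssh_pubkey }}"
      delegate_to: localhost

    # -r: host key file; -j/-k: disable local/remote port forwarding;
    # -T 5: max authentication tries; -K 360: keepalive (s); -I 7200: idle
    # timeout (s) — see dropbear(8). Password logins stay enabled (no -s/-g)
    # because the rescue path at the top of this file depends on them for
    # first contact; add -s once key-based access is confirmed if password
    # logins should be closed.
    - name: edit dropbear conf file
      ansible.builtin.lineinfile:
        path: /etc/conf.d/dropbear
        regexp: '^DROPBEAR_OPTS=.*$'
        line: "DROPBEAR_OPTS=\"-r {{ (dropbear_dir, 'dropbear_ed25519_host_key') | path_join | quote }} -jk -T 5 -K 360 -I 7200\""
      notify: restart dropbear

    - name: template dropbear init file
      ansible.builtin.template:
        src: dropbear_init.j2
        dest: /etc/init.d/dropbear
        force: true
        lstrip_blocks: false
      notify: restart dropbear

    # lineinfile's `create` makes the file but not its parent directory, so
    # make sure /root/.ssh exists (and is private) before writing into it.
    - name: ensure root .ssh directory exists
      ansible.builtin.file:
        path: /root/.ssh
        state: directory
        mode: "0700"
      when: host_ssh_key is defined and host_ssh_key.public_key is defined

    - name: ensure remote host has ansible key in authorized_keys file
      ansible.builtin.lineinfile:
        path: /root/.ssh/authorized_keys
        line: "{{ host_ssh_key.public_key }}"
        create: true
        mode: "0400"
      when: host_ssh_key is defined and host_ssh_key.public_key is defined
  when: ansible_distribution == 'Alpine'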
# Run any pending "restart dropbear" notification now, so the reconnect below
# talks to a daemon that is already serving the new host key and options.
- name: flush handlers
  ansible.builtin.meta: flush_handlers
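# Undo the first-contact override from the top of this file (only runs when
# the rescue path was taken) and prove that a strictly-checked, key-based
# connection now works.
- name: if key checking was disabled
  block:
    - name: set it back on
      ansible.builtin.set_fact:
        host_key_checking: true
        ansible_ssh_extra_args: "{{ old_ansible_ssh_extra_args }}"
        # set_fact cannot unset a variable. An empty password is the explicit
        # "no password" value: the ssh connection plugin only drives sshpass
        # when a non-empty password is set. Avoids relying on how the templar
        # renders `{{ None }}`.
        ansible_password: ""

    - name: try to connect with host key checking restored
      ansible.builtin.wait_for_connection:
        timeout: 10

    - ansible.builtin.set_fact:
        ssh_ok: true
  when: not ssh_ok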
# Hand /etc to the backup role's add.yml so host configuration is included in
# the backup plan.
- name: add etc directory to backup plan
  ansible.builtin.include_role:
    name: backup
    tasks_from: add.yml
  vars:
    backup_items:
      - /etc
# Distribution-specific follow-up for Alpine hosts.
- name: alpine setup
  ansible.builtin.include_tasks: alpine.yml
  when: ansible_distribution == 'Alpine'
# Distribution-specific follow-up for Debian hosts.
- name: debian setup
  ansible.builtin.include_tasks: debian.yml
  when: ansible_distribution == 'Debian'