From 61cbc4abdda2eb4f7ab16c11a44d23b224ebd880 Mon Sep 17 00:00:00 2001
From: David Kilias
Date: Fri, 4 Nov 2022 22:53:56 +0100
Subject: [PATCH] add a playbook to configure ssh to use the ssh gateway for the internal systems

---
 README.md | 11 +++++++++++
 inventory.yml | 14 ++++++++++++++
 setup-ssh.yml | 24 ++++++++++++++++++++++++
 templates/ssh_config.j2 | 27 +++++++++++++++++++++++++++
 4 files changed, 76 insertions(+)
 create mode 100644 setup-ssh.yml
 create mode 100644 templates/ssh_config.j2

diff --git a/README.md b/README.md
index a86e336..1044bce 100644
--- a/README.md
+++ b/README.md
@@ -7,16 +7,27 @@ ansible -i inventory.yml all --list-hosts
 ```
 
 ## Setup
+
 ```bash
 ansible-galaxy install -r requirements.yml
 ```
 
+## Setup SSH Access to hosts
+
+```bash
+LOGUSER=
+SSH_KEY=
+ansible-playbook setup-ssh.yml --ask-vault-pass -e "setup_ssh_logname=$LOGUSER" -e "setup_ssh_key=$SSH_KEY"
+```
+
 ## Edit vault encrypted vars files
+
 ```bash
 ansible-vault edit group_vars/all/vault
 ```
 
 ## Call with
+
 ```bash
 ansible-playbook -i inventory.yml --ask-vault-pass main.yml
 ```
diff --git a/inventory.yml b/inventory.yml
index aa19ed6..f115eb5 100644
--- a/inventory.yml
+++ b/inventory.yml
@@ -19,3 +19,17 @@ all:
 krypton.n39.eu:
 oganesson.n39.eu:
 holmium.n39.eu:
+ ssh_jump:
+ hosts:
+ pottwal.n39.eu:
+ unicorn.n39.eu:
+ radon.n39.eu:
+ krypton.n39.eu:
+ oganesson.n39.eu:
+ holmium.n39.eu:
+ platon.n39.eu:
+ beaker.n39.eu:
+ wittgenstein.n39.eu:
+ ssh_no_jump:
+ hosts:
+ tau.netz39.de:
\ No newline at end of file
diff --git a/setup-ssh.yml b/setup-ssh.yml
new file mode 100644
index 0000000..2d8c594
--- /dev/null
+++ b/setup-ssh.yml
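Review bot: The new `ssh_jump` group re-lists nine hosts that the surrounding inventory already enumerates (the three context lines show krypton, oganesson and holmium under a group whose header lies outside the hunk), so the two lists will drift apart as hosts are added or retired; if those hosts all belong to one existing group, `ssh_jump: { children: [<existing group>] }` written in block form keeps a single source of truth. The hunk also leaves `inventory.yml` without a trailing newline (`\ No newline at end of file`).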
@@ -0,0 +1,24 @@
+---
+- name: configure local ssh to access n39 hosts
+ hosts: localhost
+
+ tasks:
+ - name: ensure {{ lookup('env', 'HOME') }}/.ssh/config.d/ dir is present
+ ansible.builtin.file:
+ path: "{{ lookup('env', 'HOME') }}/.ssh/config.d/"
+ state: directory
+ delegate_to: localhost
+
+ - name: template ssh config for access to internal systems
+ ansible.builtin.template:
+ src: templates/ssh_config.j2
+ dest: "{{ lookup('env', 'HOME') }}/.ssh/config.d/n39_config"
+ delegate_to: localhost
+
+ - name: ensure that n39 access config is included
+ ansible.builtin.lineinfile:
+ path: ~/.ssh/config
+ insertbefore: BOF
+ regexp: '^Include'
+ line: Include config.d/n39_config
+ delegate_to: localhost
\ No newline at end of file
diff --git a/templates/ssh_config.j2 b/templates/ssh_config.j2
new file mode 100644
index 0000000..7c48c9f
--- /dev/null
+++ b/templates/ssh_config.j2
@@ -0,0 +1,27 @@
+# {{ ansible_managed }}
+Host ssh.n39.eu
+ Hostname ssh.n39.eu
+ IdentityFile {{ setup_ssh_key }}
+ IdentitiesOnly yes
+ User {{ setup_ssh_logname }}
+ Port 22
+
+{% for host in groups['ssh_jump'] %}
+Host {{ host }}
+ Hostname {{ host }}
+ IdentityFile {{ setup_ssh_key }}
+ IdentitiesOnly yes
+ User {{ setup_ssh_logname }}
+ ProxyJump ssh.n39.eu
+ Port 22
+
+{% endfor %}
+{% for host in groups['ssh_no_jump'] %}
+Host {{ host }}
+ Hostname {{ host }}
+ IdentityFile {{ setup_ssh_key }}
+ IdentitiesOnly yes
+ User {{ setup_ssh_logname }}
+ Port 22
+
+{% endfor %}
\ No newline at end of file
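Review bot: The lineinfile task's `regexp: '^Include'` matches any existing `Include` line in `~/.ssh/config` and replaces it, so a user who already includes another directory silently loses that line, and without `create: true` the task fails outright when `~/.ssh/config` does not exist yet. Anchor the pattern to this file, `regexp: '^Include\s+config\.d/n39_config\s*$'`, and add `create: true`. None of the three tasks sets `mode`; OpenSSH refuses a user config that is group- or world-writable, so `mode: "0700"` on the directory and `mode: "0600"` on the config and include targets removes the dependency on the caller's umask. Both variables arrive via `-e` and are rendered unchecked, so the README's empty `LOGUSER=`/`SSH_KEY=` placeholders produce `User` and `IdentityFile` lines without an argument; an assert before the template task fails early instead, as sketched below. The README command also omits `-i inventory.yml` while the `main.yml` one passes it — unless an ansible.cfg supplies the inventory, `groups['ssh_jump']` is undefined and the template task errors.
```yaml
    - name: ensure login name and key path were supplied
      ansible.builtin.assert:
        that:
          - setup_ssh_logname | default('') | length > 0
          - setup_ssh_key | default('') | length > 0
        fail_msg: "run with -e setup_ssh_logname=<user> -e setup_ssh_key=<path>"

    # … unchanged: file task (add mode: "0700") and template task (add mode: "0600") …

    - name: ensure that n39 access config is included
      ansible.builtin.lineinfile:
        # … unchanged: path, insertbefore, line, delegate_to …
        create: true
        mode: "0600"
        regexp: '^Include\s+config\.d/n39_config\s*$'
```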
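Review bot: The `ssh_jump` and `ssh_no_jump` loops emit the same stanza and differ only in the `ProxyJump` line, so every future option (a `Port` change, a `HostKeyAlias`, …) has to be edited in two places; one loop over both groups with the `ProxyJump` line conditional keeps the stanza in one place, as sketched below. `IdentityFile {{ setup_ssh_key }}` is rendered unquoted, so a key path containing a space breaks that ssh_config line — ssh accepts double-quoted arguments, so `IdentityFile "{{ setup_ssh_key }}"` handles both cases. A host that ends up in both groups would get two `Host` stanzas, and ssh takes each option from the first one that matches; the merged loop makes that overlap visible instead of hiding it. The `{% if %}` lines rely on the template module's default `trim_blocks`, exactly as the existing `{% for %}` lines already do.
```jinja
{# … unchanged: ansible_managed header and Host ssh.n39.eu stanza … #}
{% for host in groups['ssh_jump'] + groups['ssh_no_jump'] %}
Host {{ host }}
  Hostname {{ host }}
  IdentityFile "{{ setup_ssh_key }}"
  IdentitiesOnly yes
  User {{ setup_ssh_logname }}
{% if host in groups['ssh_jump'] %}
  ProxyJump ssh.n39.eu
{% endif %}
  Port 22

{% endfor %}
```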