From 61cbc4abdda2eb4f7ab16c11a44d23b224ebd880 Mon Sep 17 00:00:00 2001
From: David Kilias <david.kilias@gmail.com>
Date: Fri, 4 Nov 2022 22:53:56 +0100
Subject: [PATCH] add a playbook to configure ssh to use the ssh gateway for
 the internal systems

---
 README.md               | 11 +++++++++++
 inventory.yml           | 14 ++++++++++++++
 setup-ssh.yml           | 24 ++++++++++++++++++++++++
 templates/ssh_config.j2 | 27 +++++++++++++++++++++++++++
 4 files changed, 76 insertions(+)
 create mode 100644 setup-ssh.yml
 create mode 100644 templates/ssh_config.j2

diff --git a/README.md b/README.md
index a86e336..1044bce 100644
--- a/README.md
+++ b/README.md
@@ -7,16 +7,27 @@ ansible -i inventory.yml all --list-hosts
 ```
 
 ## Setup
+
 ```bash
 ansible-galaxy install -r requirements.yml
 ```
 
+## Setup SSH Access to hosts
+
+```bash
+LOGUSER=<loguser>
+SSH_KEY=<absolute/path/to/ssh/private/key>
+ansible-playbook setup-ssh.yml --ask-vault-pass -e "setup_ssh_logname=$LOGUSER" -e "setup_ssh_key=$SSH_KEY"
+```
+
 ## Edit vault encrypted vars files
+
 ```bash
 ansible-vault edit group_vars/all/vault
 ```
 
 ## Call with
+
 ```bash
 ansible-playbook -i inventory.yml --ask-vault-pass main.yml
 ```
diff --git a/inventory.yml b/inventory.yml
index aa19ed6..f115eb5 100644
--- a/inventory.yml
+++ b/inventory.yml
@@ -19,3 +19,17 @@ all:
         krypton.n39.eu:
         oganesson.n39.eu:
         holmium.n39.eu:
+    ssh_jump:
+      hosts:
+        pottwal.n39.eu:
+        unicorn.n39.eu:
+        radon.n39.eu:
+        krypton.n39.eu:
+        oganesson.n39.eu:
+        holmium.n39.eu:
+        platon.n39.eu:
+        beaker.n39.eu:
+        wittgenstein.n39.eu:
+    ssh_no_jump:
+      hosts:
+        tau.netz39.de:
\ No newline at end of file
diff --git a/setup-ssh.yml b/setup-ssh.yml
new file mode 100644
index 0000000..2d8c594
--- /dev/null
+++ b/setup-ssh.yml
@@ -0,0 +1,24 @@
+---
+- name: configure local ssh to access n39 hosts
+  hosts: localhost
+
+  tasks:
+    - name: ensure {{ lookup('env', 'HOME') }}/.ssh/config.d/ dir is present
+      ansible.builtin.file:
+        path: "{{ lookup('env', 'HOME') }}/.ssh/config.d/"
+        state: directory
+      delegate_to: localhost
+
+    - name: template ssh config for access to internal systems
+      ansible.builtin.template:
+        src: templates/ssh_config.j2
+        dest: "{{ lookup('env', 'HOME') }}/.ssh/config.d/n39_config"
+      delegate_to: localhost
+
+    - name: ensure that n39 access config is included
+      ansible.builtin.lineinfile:
+        path: ~/.ssh/config
+        insertbefore: BOF
+        regexp: '^Include'
+        line: Include config.d/n39_config
+      delegate_to: localhost
\ No newline at end of file
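Review bot: The `regexp: '^Include'` in the lineinfile task matches any existing Include directive in `~/.ssh/config`, and lineinfile replaces the last matching line, so a user who already has e.g. `Include config.d/*` loses that line instead of getting a second one; anchor the pattern to the line this play owns, `regexp: '^Include config\.d/n39_config$'`. The same task fails when `~/.ssh/config` does not exist yet, since lineinfile defaults to `create: false`. Neither the `file` nor the `template` task sets a `mode`, so the directory and `n39_config` take the current umask; OpenSSH refuses a user config (including Included files) that is group- or world-writable with "Bad owner or permissions", so `mode: "0700"` on the directory and `mode: "0600"` on the rendered file avoid a silently broken setup on hosts with a permissive umask. Stylistically, `delegate_to: localhost` on every task is redundant with `hosts: localhost`, and the `file`/`template` tasks use `lookup('env', 'HOME')` while lineinfile uses `~` for the same directory.

```yaml
      ansible.builtin.file:
        path: "{{ lookup('env', 'HOME') }}/.ssh/config.d/"
        state: directory
        mode: "0700"
    # … unchanged: template task, with `mode: "0600"` added after dest …
      ansible.builtin.lineinfile:
        path: ~/.ssh/config
        create: true
        mode: "0600"
        insertbefore: BOF
        regexp: '^Include config\.d/n39_config$'
        line: Include config.d/n39_config
```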
diff --git a/templates/ssh_config.j2 b/templates/ssh_config.j2
new file mode 100644
index 0000000..7c48c9f
--- /dev/null
+++ b/templates/ssh_config.j2
@@ -0,0 +1,27 @@
+# {{ ansible_managed }}
+Host ssh.n39.eu
+  Hostname ssh.n39.eu
+  IdentityFile {{ setup_ssh_key }}
+  IdentitiesOnly yes
+  User {{ setup_ssh_logname }}
+  Port 22
+
+{% for host in groups['ssh_jump'] %}
+Host {{ host }}
+  Hostname {{ host }}
+  IdentityFile {{ setup_ssh_key }}
+  IdentitiesOnly yes
+  User {{ setup_ssh_logname }}
+  ProxyJump ssh.n39.eu
+  Port 22
+
+{% endfor %}
+{% for host in groups['ssh_no_jump'] %}
+Host {{ host }}
+  Hostname {{ host }}
+  IdentityFile {{ setup_ssh_key }}
+  IdentitiesOnly yes
+  User {{ setup_ssh_logname }}
+  Port 22
+
+{% endfor %}
\ No newline at end of file
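Review bot: `IdentityFile {{ setup_ssh_key }}` and `User {{ setup_ssh_logname }}` are rendered unquoted in all three stanzas, so a key path containing a space is split into two arguments by ssh; ssh_config accepts double-quoted arguments, so emit `IdentityFile "{{ setup_ssh_key }}"` (and likewise for `User`). The template also dereferences `groups['ssh_jump']` and `groups['ssh_no_jump']`, which only exist when inventory.yml is loaded, yet the README invocation added in this commit runs `ansible-playbook setup-ssh.yml` without `-i inventory.yml`; unless an ansible.cfg not shown here supplies the inventory, the template task fails on an undefined group. As a point of style, the `Hostname {{ host }}` lines repeat the `Host` pattern, and the `IdentityFile`/`IdentitiesOnly`/`User`/`Port` lines are duplicated per stanza; since ssh uses the first obtained value for each option, a single `Host *.n39.eu` block placed after the specific stanzas could carry those defaults without overriding them.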