ansible-mail-infra/ansible/roles/20-common-20-ssh/tasks/20-ssh.yml

- name: 'Get secrets'
  no_log: 'true'
  loop_control:
    loop_var: 'server'
  with_community.hashi_vault.vault_kv2_get:
    - '{{ inventory_hostname | split(".") | reverse | join("/") }}/os/{{ reset_password_for_account }}/creds'
  ansible.builtin.set_fact:
    vault_data: '{{ server.secret }}'


- name: 'If a secret is missing fail progress'
  tags:
    - 'first_run'
    - 'never'
  include_role:
    name: '10-include-40-check-if-vault-var'
  vars:
    - inc_vault_data: '{{ vault_data }}'
    - fail_check:
      - 'initial_password'


- name: 'If first run: set SSH password'
  tags:
    - 'first_run'
    - 'never'
  no_log: 'true'
  ansible.builtin.set_fact:
    ansible_password: '{{ vault_data.initial_password }}'


- name: 'Make sure ''{{ root_home_dir_abs }}/.ssh'' exists with correct permissions'
  file:
    path: '{{ root_home_dir_abs }}/.ssh'
    state: 'directory'
    mode: 'u=rwX,go='
    owner: '{{ ansible_user }}'
    group: '{{ ansible_user }}'
    recurse: 'yes'


- name: 'Copy ''authorized_keys'' file to server'
  copy:
    src: 'root/.ssh/authorized_keys'
    dest: '{{ root_home_dir_abs }}/.ssh/authorized_keys'
    mode: '0600'
    owner: '{{ ansible_user }}'
    group: '{{ ansible_user }}'


- name: 'Copy ''known_hosts'' file to server'
  copy:
    src: 'root/.ssh/known_hosts'
    dest: '{{ root_home_dir_abs }}/.ssh/known_hosts'
    mode: '0600'
    owner: '{{ ansible_user }}'
    group: '{{ ansible_user }}'


- name: 'If on Red Hat or derivative OS: secure sshd'
  register: 'rv_secure_sshd'
  when: '(ansible_facts[''os_family''] | lower == ''redhat'')'
  blockinfile:
    block: "{{ lookup('file', 'etc/ssh/sshd_config') }}"
    dest: "/etc/ssh/sshd_config"
    state: 'present'
    insertbefore: 'BOF'
    marker: '{mark}'
    marker_begin: '####### Managed remotely via config management ####### quico-ops start'
    marker_end: '####### Managed remotely via config management ####### quico-ops end'
    validate: '/usr/sbin/sshd -T -f %s'
  notify:
    - 'Restart sshd.service'


- name: 'Flush handlers'
  meta: flush_handlers


- name: 'Reset connection'
  ansible.builtin.meta: 'reset_connection'


- name: 'Wait for SSH connection to return'
  when: '(rv_secure_sshd.changed)'
  ansible.builtin.wait_for_connection:
    connect_timeout: '1'
    delay: '1'
    sleep: '2'
feat(role): Secure SSH config 2022-06-12 00:15:27 +02:00			`- name: 'Get secrets'`
			`no_log: 'true'`
			`loop_control:`
			`loop_var: 'server'`
			`with_community.hashi_vault.vault_kv2_get:`
feat(role): Change local account password 2022-06-12 01:54:03 +02:00			`- '{{ inventory_hostname \| split(".") \| reverse \| join("/") }}/os/{{ reset_password_for_account }}/creds'`
feat(role): Secure SSH config 2022-06-12 00:15:27 +02:00			`ansible.builtin.set_fact:`
			`vault_data: '{{ server.secret }}'`



feat(role): Change local account password 2022-06-12 01:54:03 +02:00			`- name: 'If a secret is missing fail progress'`
			`tags:`
			`- 'first_run'`
			`- 'never'`
			`include_role:`
			`name: '10-include-40-check-if-vault-var'`
			`vars:`
			`- inc_vault_data: '{{ vault_data }}'`
			`- fail_check:`
			`- 'initial_password'`



feat(role): Secure SSH config 2022-06-12 00:15:27 +02:00			`- name: 'If first run: set SSH password'`
			`tags:`
			`- 'first_run'`
			`- 'never'`
			`no_log: 'true'`
			`ansible.builtin.set_fact:`
			`ansible_password: '{{ vault_data.initial_password }}'`



			`- name: 'Make sure ''{{ root_home_dir_abs }}/.ssh'' exists with correct permissions'`
			`file:`
			`path: '{{ root_home_dir_abs }}/.ssh'`
			`state: 'directory'`
			`mode: 'u=rwX,go='`
			`owner: '{{ ansible_user }}'`
			`group: '{{ ansible_user }}'`
			`recurse: 'yes'`



			`- name: 'Copy ''authorized_keys'' file to server'`
			`copy:`
			`src: 'root/.ssh/authorized_keys'`
			`dest: '{{ root_home_dir_abs }}/.ssh/authorized_keys'`
			`mode: '0600'`
			`owner: '{{ ansible_user }}'`
			`group: '{{ ansible_user }}'`



			`- name: 'Copy ''known_hosts'' file to server'`
			`copy:`
			`src: 'root/.ssh/known_hosts'`
			`dest: '{{ root_home_dir_abs }}/.ssh/known_hosts'`
			`mode: '0600'`
			`owner: '{{ ansible_user }}'`
			`group: '{{ ansible_user }}'`



			`- name: 'If on Red Hat or derivative OS: secure sshd'`
			`register: 'rv_secure_sshd'`
			`when: '(ansible_facts[''os_family''] \| lower == ''redhat'')'`
			`blockinfile:`
			`block: "{{ lookup('file', 'etc/ssh/sshd_config') }}"`
			`dest: "/etc/ssh/sshd_config"`
			`state: 'present'`
			`insertbefore: 'BOF'`
			`marker: '{mark}'`
			`marker_begin: '####### Managed remotely via config management ####### quico-ops start'`
			`marker_end: '####### Managed remotely via config management ####### quico-ops end'`
			`validate: '/usr/sbin/sshd -T -f %s'`
			`notify:`
			`- 'Restart sshd.service'`



			`- name: 'Flush handlers'`
			`meta: flush_handlers`



			`- name: 'Reset connection'`
			`ansible.builtin.meta: 'reset_connection'`



			`- name: 'Wait for SSH connection to return'`
			`when: '(rv_secure_sshd.changed)'`
			`ansible.builtin.wait_for_connection:`
			`connect_timeout: '1'`
			`delay: '1'`
			`sleep: '2'`