99 lines
2.3 KiB
YAML
99 lines
2.3 KiB
YAML
- name: 'Get secrets'
|
|
no_log: 'true'
|
|
loop_control:
|
|
loop_var: 'server'
|
|
with_community.hashi_vault.vault_kv2_get:
|
|
- '{{ inventory_hostname | split(".") | reverse | join("/") }}/os/{{ reset_password_for_account }}/creds'
|
|
ansible.builtin.set_fact:
|
|
vault_data: '{{ server.secret }}'
|
|
|
|
|
|
|
|
- name: 'If a secret is missing fail progress'
|
|
tags:
|
|
- 'first_run'
|
|
- 'never'
|
|
include_role:
|
|
name: '10-include-40-check-if-vault-var'
|
|
vars:
|
|
- inc_vault_data: '{{ vault_data }}'
|
|
- fail_check:
|
|
- 'initial_password'
|
|
|
|
|
|
|
|
- name: 'If first run: set SSH password'
|
|
tags:
|
|
- 'first_run'
|
|
- 'never'
|
|
no_log: 'true'
|
|
ansible.builtin.set_fact:
|
|
ansible_password: '{{ vault_data.initial_password }}'
|
|
|
|
|
|
|
|
- name: 'Make sure ''{{ root_home_dir_abs }}/.ssh'' exists with correct permissions'
|
|
file:
|
|
path: '{{ root_home_dir_abs }}/.ssh'
|
|
state: 'directory'
|
|
mode: 'u=rwX,go='
|
|
owner: '{{ ansible_user }}'
|
|
group: '{{ ansible_user }}'
|
|
recurse: 'yes'
|
|
|
|
|
|
|
|
- name: 'Copy ''authorized_keys'' file to server'
|
|
copy:
|
|
src: 'root/.ssh/authorized_keys'
|
|
dest: '{{ root_home_dir_abs }}/.ssh/authorized_keys'
|
|
mode: '0600'
|
|
owner: '{{ ansible_user }}'
|
|
group: '{{ ansible_user }}'
|
|
|
|
|
|
|
|
- name: 'Copy ''known_hosts'' file to server'
|
|
copy:
|
|
src: 'root/.ssh/known_hosts'
|
|
dest: '{{ root_home_dir_abs }}/.ssh/known_hosts'
|
|
mode: '0600'
|
|
owner: '{{ ansible_user }}'
|
|
group: '{{ ansible_user }}'
|
|
|
|
|
|
|
|
- name: 'If on Red Hat or derivative OS: secure sshd'
|
|
register: 'rv_secure_sshd'
|
|
when: '(ansible_facts[''os_family''] | lower == ''redhat'')'
|
|
blockinfile:
|
|
block: "{{ lookup('file', 'etc/ssh/sshd_config') }}"
|
|
dest: "/etc/ssh/sshd_config"
|
|
state: 'present'
|
|
insertbefore: 'BOF'
|
|
marker: '{mark}'
|
|
marker_begin: '####### Managed remotely via config management ####### quico-ops start'
|
|
marker_end: '####### Managed remotely via config management ####### quico-ops end'
|
|
validate: '/usr/sbin/sshd -T -f %s'
|
|
notify:
|
|
- 'Restart sshd.service'
|
|
|
|
|
|
|
|
- name: 'Flush handlers'
|
|
meta: flush_handlers
|
|
|
|
|
|
|
|
- name: 'Reset connection'
|
|
ansible.builtin.meta: 'reset_connection'
|
|
|
|
|
|
|
|
- name: 'Wait for SSH connection to return'
|
|
when: '(rv_secure_sshd.changed)'
|
|
ansible.builtin.wait_for_connection:
|
|
connect_timeout: '1'
|
|
delay: '1'
|
|
sleep: '2'
|