
ssh keys deploy for users: set public keys, upload secret keys

Vladimir Smagin 2 weeks ago
parent
commit
e803525173
Signed by: Vladimir Smagin <21h@blindage.org> GPG Key ID: 29AE91B1A37721C3

+ 3
- 0
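--- a/keys-ansible/ansible.cfg
+++ b/keys-ansible/ansible.cfg
@@ -0,0 +1,3 @@
+[defaults] 
+log_path=ansible.log
+nocows = 1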

+ 7
- 0
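--- a/keys-ansible/group_vars/hetzner-balancers.yml
+++ b/keys-ansible/group_vars/hetzner-balancers.yml
@@ -0,0 +1,7 @@
+access_list:
+  - { keypath: "../keys/admin.pub", username: "root" }
+  - { keypath: "../keys/techguy.pub", username: "root" }
+  - { keypath: "../keys/interserver.pub", username: "root" }
+
+secret_list:
+  - { keypath: "../keys/interserver.pem", username: "root" }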

+ 8
- 0
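--- a/keys-ansible/group_vars/hetzner-nodes.yml
+++ b/keys-ansible/group_vars/hetzner-nodes.yml
@@ -0,0 +1,8 @@
+access_list:
+  - { keypath: "../keys/interserver.pub", username: "root" }
+  - { keypath: "../keys/admin.pub", username: "root" }
+  - { keypath: "../keys/project-git.pub", username: "root" }
+  - { keypath: "../keys/developer1.pub", username: "root" }
+  - { keypath: "../keys/developer2.pub", username: "root" }
+
+secret_list: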

+ 4
- 0
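--- a/keys-ansible/group_vars/hetzner.yml
+++ b/keys-ansible/group_vars/hetzner.yml
@@ -0,0 +1,4 @@
+access_list:
+  - { keypath: "../keys/admin.pub", username: "root" }
+  - { keypath: "../keys/techguy.pub", username: "root" }
+secret_list: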

+ 8
- 0
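--- a/keys-ansible/group_vars/monitoring.yml
+++ b/keys-ansible/group_vars/monitoring.yml
@@ -0,0 +1,8 @@
+access_list:
+  - { keypath: "../keys/admin.pub", username: "root" }
+  - { keypath: "../keys/techguy.pub", username: "root" }
+  - { keypath: "../keys/interserver.pub", username: "root" }
+
+secret_list:
+  - { keypath: "../keys/interserver.pem", username: "root" }
+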

+ 15
- 0
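--- a/keys-ansible/inventory.ini
+++ b/keys-ansible/inventory.ini
@@ -0,0 +1,15 @@
+[monitoring]
+monitor ansible_host=44.165.225.144 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem"
+
+[hetzner:children]
+hetzner-balancers
+hetzner-nodes
+
+[hetzner-nodes]
+hetzner-node0 ansible_host=145.251.216.112 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem"
+hetzner-node1 ansible_host=154.64.4.185 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem"
+hetzner-node2 ansible_host=168.251.172.244 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem"
+
+[hetzner-balancers]
+hetzner-balancer0 ansible_host=145.251.216.154 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem"
+hetzner-balancer1 ansible_host=78.46.246.78 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem"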

+ 1
- 0
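--- a/keys-ansible/roles/master_key/meta/main.yml
+++ b/keys-ansible/roles/master_key/meta/main.yml
@@ -0,0 +1 @@
+allow_duplicates: true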

+ 7
- 0
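--- a/keys-ansible/roles/master_key/tasks/main.yml
+++ b/keys-ansible/roles/master_key/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Set administrative keys and delete others
+  authorized_key:
+    user: root
+    state: present
+    exclusive: True
+    key: "{{ lookup('file', 'secrets/superkey.pub') }}"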

+ 1
- 0
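--- a/keys-ansible/roles/preinstall/meta/main.yml
+++ b/keys-ansible/roles/preinstall/meta/main.yml
@@ -0,0 +1 @@
+allow_duplicates: true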

+ 18
- 0
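--- a/keys-ansible/roles/preinstall/tasks/main.yml
+++ b/keys-ansible/roles/preinstall/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+- name: Minimum packages for Debian-like
+  apt: name="{{ item }}" state=present update_cache=yes
+  become: yes
+  with_items:
+    - mc
+    - htop 
+  when: (ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian') and preinstall is defined
+
+- name: Minimum packages for RedHat-like
+  become: yes
+  yum: name="{{ item }}" state=present update_cache=yes
+  with_items:
+    - mc
+    - htop
+  when: (ansible_distribution == 'Red Hat' or ansible_distribution == 'Centos') and preinstall is defined
+
+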

+ 1
- 0
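--- a/keys-ansible/roles/ssh_access/meta/main.yml
+++ b/keys-ansible/roles/ssh_access/meta/main.yml
@@ -0,0 +1 @@
+allow_duplicates: true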

+ 21
- 0
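--- a/keys-ansible/roles/ssh_access/tasks/main.yml
+++ b/keys-ansible/roles/ssh_access/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+#- debug:
+#    msg: "{{ access_list }}"
+  
+- name: Set authorized keys
+  become: true
+  become_user: "{{ item.username }}"
+  authorized_key: user="{{ item.username }}" key="{{ lookup('file', item.keypath) }}" state=present
+  with_items: "{{ access_list }}"
+  when: access_list != None and access_list is defined
+
+#- debug:
+#    msg: "{{ secret_list }}"
+
+- name: Upload secret keys
+  become: true
+  become_user: "{{ item.username }}"
+  copy: src="{{ item.keypath }}" dest="~/.ssh/{{ item.keypath | basename }}" mode=0600
+  with_items: "{{ secret_list }}"
+  when: secret_list != None and secret_list is defined
+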

+ 27
- 0
keys-ansible/secrets/superkey.key View File

@@ -0,0 +1,27 @@
1
+-----BEGIN RSA PRIVATE KEY-----
2
+MIIEpAIBAAKCAQEAwNv29GRDfroj6Ue5iPsj/E5nX7QWRPzfHIj8pMms3+YY/rt6
3
+em077AXFGQITr874Y5tnjS7joO1LnOU71D/Yy80ty4kqL56U20OBGLrFxv/swJgf
4
+QweSv9nFkj+sEONqu/kM7Ailu4sOkcAzH/aA8tLVpAyC5xf+wYhtX3twUkbSPgpG
5
+N6hV/TaNMt27moWwOMui0Hm6EYriPYBD7c7wHwgLwkksq+SLLHDqJqiWrBSRnwCv
6
+KBAIpMyqwhjLICk7LyuAZdXF+LdJXssXLnnpwl1HspkRt/QhbznRqyLqdD6pfVRv
7
+yRalZxK7xv8akYlCzzWgCHGbw98KexUBLcw8oQIDAQABAoIBAFcjS7pyjth0bANc
8
+B+Vva3v1RNnF+YXkJz6yWkxuXvCu+z4lIRqtvjRPCxXYjWKTBkGjFq+ArxKoBND3
9
+9gdZba/vnbBn4iqv4RwMrQiqYvAd9C+0y/MyOcj7MTx6Dll3F2OlDISdB5zsIIIU
10
+MEVR0ENmpWbAzGhzvARfiuNoV4CkfCMk8+1l5m0eLuFih74IW3Ka62tUx6DUIl9/
11
+KTsgFqsGY7if6RomEWJssoDWYhfVpy2PyIR9Rvs3sTSKXKlHAZIewTbiwsjsknjw
12
+8x6eJpi6KogZ2jsgmjOzAUkyAjFm5+Su7l0H58nJk6V0b4eskXGZD4nzzmUSmjEw
13
+L1MmW90CgYEA59RpCp3t0MGX5IPkKezaCXC6uvP1cUPKIcz9MrYDDzX4mWUIiKza
14
+hyPPllmV75sUk11/bMcwOlYiRlpwCRq6Wh5BV3D34/YSNF7gOyUkNrEWt04UAlSD
15
+pwEP8RMv+GXhPGfWJrhuF3zTYoWy8347LKuKgkLxDgWYwvYaJTXMVDsCgYEA1Pds
16
+Poup+X8eOOtF80w8T7joTEI4TM0h7LdJnK8Don99jG4dQdgXB/r8qsCSkjHG6nkn
17
+6qsJXEULybxuc4qD444LwNWAVVxHE6e69plW5jtzO5ZXEEMFOpBawAZDIOtiePUr
18
+ZrXp4X48o429XWBenZPJZmtCFCnd8943AEkLcNMCgYEAocEMNZMx3qllMNVxumr/
19
+Svzz3QPhKlFRVLoxpFNo2REgTu82wB5TL12mNtJ1EkSTW6suAJkOpnV43ru1VjTm
20
+94AKuVciL1V/KDlWnQ3yMZLoNaftwB516W2NUPjBTMDRIhOVUVj3v72hxCljTg+y
21
+fB2IvBC3HsB68PVEEthxpAcCgYA+3N39xFojBGvWX1RhkcJHwgwH3pAh03dNGXlI
22
+H70R7VIQ7rwCIJgDygllGbzqHHlb4vFuapgzvUnSfaWYw21U8Sv0+tCL4dY1LhCZ
23
+FAA7q5bDIwiGC1JyzAONpQuRnwmNLMln4xCreAjMOl2IP5cOKn6LleOGcilK/+/6
24
+TJVs8wKBgQDSOzTch2lQViWQhSFO2nnQ5Os7nLhQGhWLQP+L6JJiTIeAv0oITyQC
25
+IVOzsysepQYnm/bSHDXRHpzYR/Cq2FJIIPKvBIHuh60zqhpfpG97+fCibRFfWcoe
26
+DFR+2w5mcReEHjwAT5dVBfYVlLb75Zmu7P0/C4KG6DGtRNxEGSjUSw==
27
+-----END RSA PRIVATE KEY-----

+ 1
- 0
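--- a/keys-ansible/secrets/superkey.pub
+++ b/keys-ansible/secrets/superkey.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA2/b0ZEN+uiPpR7mI+yP8TmdftBZE/N8ciPykyazf5hj+u3p6bTvsBcUZAhOvzvhjm2eNLuOg7Uuc5TvUP9jLzS3LiSovnpTbQ4EYusXG/+zAmB9DB5K/2cWSP6wQ42q7+QzsCKW7iw6RwDMf9oDy0tWkDILnF/7BiG1fe3BSRtI+CkY3qFX9No0y3buahbA4y6LQeboRiuI9gEPtzvAfCAvCSSyr5IsscOomqJasFJGfAK8oEAikzKrCGMsgKTsvK4Bl1cX4t0leyxcueenCXUeymRG39CFvOdGrIup0Pql9VG/JFqVnErvG/xqRiULPNaAIcZvD3wp7FQEtzDyh demo key. do not use it!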

+ 3
- 0
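--- a/keys-ansible/ssh-keys.sh
+++ b/keys-ansible/ssh-keys.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+ansible-playbook ssh-keys.yml -i inventory.ini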

+ 7
- 0
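--- a/keys-ansible/ssh-keys.yml
+++ b/keys-ansible/ssh-keys.yml
@@ -0,0 +1,7 @@
+---
+- hosts: all
+  gather_facts: True
+  roles:
+    - master_key
+    - preinstall
+    - ssh_access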
