From 63243cc40d478b75e9797b17228701580bab4fec Mon Sep 17 00:00:00 2001
From: Vladimir Smagin <21h@blindage.org>
Date: Mon, 17 Sep 2018 03:28:26 +0700
Subject: [PATCH] import ssh
---
.gitignore | 5 +---
ansible.cfg | 4 ++++
group_vars/hetzner-nodes.yml | 4 ++++
group_vars/hetzner.yml | 6 +++++
host_vars/monitor.yml | 3 +++
inventory.ini | 15 ++++++++++++
readme.md | 42 +++++++++++++++++++++++++++------
roles/master_key/meta/main.yml | 1 +
roles/master_key/tasks/main.yml | 7 ++++++
roles/preinstall/meta/main.yml | 1 +
roles/preinstall/tasks/main.yml | 18 ++++++++++++
roles/ssh_access/meta/main.yml | 1 +
roles/ssh_access/tasks/main.yml | 21 +++++++++++++++++
secrets/superkey.key | 27 +++++++++++++++++++++
secrets/superkey.pub | 1 +
ssh-keys.sh | 3 +++
ssh-keys.yml | 7 ++++++
17 files changed, 155 insertions(+), 11 deletions(-)
create mode 100644 ansible.cfg
create mode 100644 group_vars/hetzner-nodes.yml
create mode 100644 group_vars/hetzner.yml
create mode 100644 host_vars/monitor.yml
create mode 100644 inventory.ini
create mode 100644 roles/master_key/meta/main.yml
create mode 100644 roles/master_key/tasks/main.yml
create mode 100644 roles/preinstall/meta/main.yml
create mode 100644 roles/preinstall/tasks/main.yml
create mode 100644 roles/ssh_access/meta/main.yml
create mode 100644 roles/ssh_access/tasks/main.yml
create mode 100644 secrets/superkey.key
create mode 100644 secrets/superkey.pub
create mode 100755 ssh-keys.sh
create mode 100644 ssh-keys.yml
diff --git a/.gitignore b/.gitignore
index f3e408e..20fe186 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,2 @@
-*.retry
 *.log
-*.pyc
-__PYCACHE__
-
+*.retry
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..2cbf3e4
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,4 @@
+[defaults]
+log_path=ansible.log
+nocows = 1
+hash_behaviour = merge
\ No newline at end of file
diff --git a/group_vars/hetzner-nodes.yml b/group_vars/hetzner-nodes.yml
new file mode 100644
index 0000000..f4f9875
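Review bot: `hash_behaviour = merge` in ansible.cfg is a repository-wide setting that every other dict variable in this project is also subject to, and nothing in the file says that the parent/child `access_list` inheritance described in the readme depends on it. Add a comment above it, e.g. `# merge (not replace) dicts so a child group's access_list extends its parent's; see readme.md`. Ansible's documentation discourages this setting in favour of the `combine` filter, so a later maintainer who restores the default would silently drop the parent `hetzner` keys on `hetzner-nodes` hosts, since that group defines its own `access_list`.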
--- /dev/null +++ b/group_vars/hetzner-nodes.yml @@ -0,0 +1,4 @@ +access_list: + git: { keypath: "../keys/project-git.pub", username: "root" } + dev1: { keypath: "../keys/developer1.pub", username: "root" } + dev2: { keypath: "../keys/developer2.pub", username: "root" } diff --git a/group_vars/hetzner.yml b/group_vars/hetzner.yml new file mode 100644 index 0000000..34420c6 --- /dev/null +++ b/group_vars/hetzner.yml @@ -0,0 +1,6 @@ +access_list: + admin: { keypath: "../keys/admin.pub", username: "root" } + techguy: { keypath: "../keys/techguy.pub", username: "root" } + interserver: { keypath: "../keys/interserver.pub", username: "root" } +secret_list: + interserver: { keypath: "../keys/interserver.pem", username: "root" } diff --git a/host_vars/monitor.yml b/host_vars/monitor.yml new file mode 100644 index 0000000..c6d1eb6 --- /dev/null +++ b/host_vars/monitor.yml @@ -0,0 +1,3 @@ +access_list: + admin: { keypath: "../keys/admin.pub", username: "root" } + techguy: { keypath: "../keys/techguy.pub", username: "root" } diff --git a/inventory.ini b/inventory.ini new file mode 100644 index 0000000..a960e3f --- /dev/null +++ b/inventory.ini @@ -0,0 +1,15 @@ +[monitoring] +monitor ansible_host=44.165.225.144 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem" + +[hetzner:children] +hetzner-balancers +hetzner-nodes + +[hetzner-nodes] +hetzner-node0 ansible_host=145.251.216.112 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem" +hetzner-node1 ansible_host=154.64.4.185 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem" +hetzner-node2 ansible_host=168.251.172.244 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem" + +[hetzner-balancers] +hetzner-balancer0 ansible_host=145.251.216.154 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem" +hetzner-balancer1 ansible_host=78.46.246.78 ansible_user=root ansible_ssh_private_key_file="secrets/superkey.pem" 
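Review bot: All three developer entries in group_vars/hetzner-nodes.yml authorize their keys with `username: "root"`, so every developer gets an unrestricted root login on every node, whereas the readme's own example for this group assigns the developer key to a `dev` user. Either point these entries at an unprivileged account (`dev1: { keypath: "../keys/developer1.pub", username: "dev" }`) or add a comment stating that root access for developers is intended. The `keypath` values also reach outside the repository (`../keys/`); a comment saying where that directory is expected to live, and that the `file` lookup presumably resolves it relative to the playbook/role search path, would save the next person a failed run.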
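Review bot: In group_vars/hetzner.yml, `secret_list` copies `interserver.pem` to root on every host in the `hetzner` tree while `access_list` authorizes the matching `interserver.pub` for root on the same hosts, so a single compromised balancer or node holds a private key that logs in as root to every other host. That blast radius should at least be documented next to `secret_list` (`# WARNING: this private key is shared by all hetzner hosts and its public half grants root on all of them`), and if the inter-server key is only needed for file copying, restricting the `access_list` entry with the `authorized_key` module's `key_options` (e.g. `from=`, `command=`, `no-pty`) and using a non-root account would contain it. Note that balancers receive these maps too, via the `hetzner:children` group in inventory.ini.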
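Review bot: Every host in inventory.ini sets `ansible_ssh_private_key_file="secrets/superkey.pem"`, but the file this patch commits is `secrets/superkey.key` and the readme's `ssh-keygen -f superkey` produces `superkey`/`superkey.pub`, so none of the three names agree and the first run cannot connect. Pick one name and set it once instead of seven times, e.g. an `[all:vars]` section with `ansible_user=root` and `ansible_ssh_private_key_file=secrets/superkey.key`, or `private_key_file` in ansible.cfg. The whole fleet is also managed as `root` directly; a short comment explaining why a sudo-capable unprivileged account is not used would help reviewers.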
diff --git a/readme.md b/readme.md
index a7feedb..6a134d2 100644
--- a/readme.md
+++ b/readme.md
@@ -1,13 +1,41 @@ -# My useful ansible playbooks +# Ansible centralized keys management -Security management: +Dicts in parent group merges with dicts in child groups. -- [Centralized SSH keys management](https://git.blindage.org/21h/ansible-library/src/branch/centralized-keys) +Warning! Playbook will delete all public keys in root's ```.ssh/authorized_keys``` file and setup own **super** key, only after this public keys in group_vars and host_vars will be added into assigned users ```.ssh/authorized_keys``` files. -System and monitoring: +**Security issue!** You need to generate your own super key! Run ```ssh-keygen -f superkey``` and replace keys in ```secret/``` directory. -- [Create systemd and upstart scripts](https://git.blindage.org/21h/ansible-library/src/branch/sys-systemd-and-upstart) +Infrastructure: -Web deployment: +``` +--[ hetzner ]--\ + |- hetzner-balancers + \- hetzner-nodes +``` -- [PHP 7.1 FPM + Nginx](https://git.blindage.org/21h/ansible-library/src/branch/web-nginx-php-fpm7.1) +All servers will be available to the administrator and assistant, servers must have own internal key for files copying. Configuring parent ```hetzner```group: + +``` + access_list: + admin: { keypath: "../keys/admin.pub", username: "root" } + techguy: { keypath: "../keys/techguy.pub", username: "root" } + interserver: { keypath: "../keys/interserver.pub", username: "root" } + + secret_list: + interserver: { keypath: "../keys/interserver.pem", username: "root" } +``` + +You want to make additional access to all nodes for developer guy. Configuring child ```hetzner-nodes``` group: + +``` + access_list: + developer: { keypath: "../keys/developer.pub", username: "dev" } +``` + +No need to make additional config for ```hetzner-balancers``` because access list will be inherited, only admins accessible. + +--- +Copyright by Vladimir Smagin, 2018 +http://blindage.org +21h@blindage.org 
diff --git a/roles/master_key/meta/main.yml b/roles/master_key/meta/main.yml new file mode 100644 index 0000000..5dee943 --- /dev/null +++ b/roles/master_key/meta/main.yml @@ -0,0 +1 @@ +allow_duplicates: true diff --git a/roles/master_key/tasks/main.yml b/roles/master_key/tasks/main.yml new file mode 100644 index 0000000..20e9694 --- /dev/null +++ b/roles/master_key/tasks/main.yml @@ -0,0 +1,7 @@ +--- +- name: Set primary ansible key and remove others + authorized_key: + user: root + state: present + exclusive: True + key: "{{ lookup('file', 'secrets/superkey.pub') }}" diff --git a/roles/preinstall/meta/main.yml b/roles/preinstall/meta/main.yml new file mode 100644 index 0000000..5dee943 --- /dev/null +++ b/roles/preinstall/meta/main.yml @@ -0,0 +1 @@ +allow_duplicates: true diff --git a/roles/preinstall/tasks/main.yml b/roles/preinstall/tasks/main.yml new file mode 100644 index 0000000..4f43db8 --- /dev/null +++ b/roles/preinstall/tasks/main.yml @@ -0,0 +1,18 @@ +--- +- name: Minimum packages for Debian-like + apt: name="{{ item }}" state=present update_cache=yes + become: yes + with_items: + - mc + - htop + when: (ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian') and preinstall is defined + +- name: Minimum packages for RedHat-like + become: yes + yum: name="{{ item }}" state=present update_cache=yes + with_items: + - mc + - htop + when: (ansible_distribution == 'Red Hat' or ansible_distribution == 'Centos') and preinstall is defined + + diff --git a/roles/ssh_access/meta/main.yml b/roles/ssh_access/meta/main.yml new file mode 100644 index 0000000..5dee943 --- /dev/null +++ b/roles/ssh_access/meta/main.yml @@ -0,0 +1 @@ +allow_duplicates: true diff --git a/roles/ssh_access/tasks/main.yml b/roles/ssh_access/tasks/main.yml new file mode 100644 index 0000000..77a348f --- /dev/null +++ b/roles/ssh_access/tasks/main.yml 
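Review bot: In roles/master_key/tasks/main.yml, `exclusive: True` wipes every other key from root's authorized_keys on all hosts, and the key it installs is read from `secrets/superkey.pub`, which in this patch is the published demo key whose private half sits in the same repository; an operator who runs the playbook before following the readme's "replace keys" step has handed root on every host to anyone who can read this repo. A guard task before the `authorized_key` call that refuses the committed sample would make that failure loud; the sample public key ends in a `demo key. do not use it!` comment, which the guard can check for. Also, if the key Ansible is currently connected with differs from `superkey.pub`, this task removes it mid-play, so the remaining roles fail and the host is reachable only with the new key — that deserves a comment on the task.
```yaml
- name: Refuse to install the sample key shipped with the repository
  assert:
    that:
      - "'demo key' not in lookup('file', 'secrets/superkey.pub')"
    msg: "secrets/superkey.pub is the demo key; generate your own with ssh-keygen (see readme.md)"
# … unchanged: "Set primary ansible key and remove others" task …
```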
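Review bot: In roles/preinstall/tasks/main.yml the RedHat-like task's `when` compares `ansible_distribution` against `'Red Hat'` and `'Centos'`, but the fact values Ansible reports are `RedHat` and `CentOS`, so that branch never runs; comparing `ansible_os_family` instead (`when: ansible_os_family == 'RedHat' and preinstall is defined`, and `ansible_os_family == 'Debian'` for the apt task) covers both and their derivatives. Nothing in this patch defines `preinstall` (not in group_vars, host_vars or inventory.ini), so as committed both tasks are always skipped; if that is meant as an opt-in flag it should be documented in the readme or given a default in the role's `defaults/main.yml`. Passing the package list directly to `name` rather than looping with `with_items` lets apt/yum install them in one transaction.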
@@ -0,0 +1,21 @@ +--- +#- debug: +# msg: "{{ access_list }}" + +- name: Set public keys + become: true + become_user: "{{ item.value.username }}" + authorized_key: user="{{ item.value.username }}" key="{{ lookup('file', item.value.keypath) }}" state=present + with_dict: "{{ access_list }}" + when: access_list != None and access_list is defined + +#- debug: +# msg: "{{ secret_list }}" + +- name: Upload secret keys + become: true + become_user: "{{ item.value.username }}" + copy: src="{{ item.value.keypath }}" dest="~/.ssh/{{ item.value.keypath | basename }}" mode=0600 + with_dict: "{{ secret_list }}" + when: secret_list != None and secret_list is defined + diff --git a/secrets/superkey.key b/secrets/superkey.key new file mode 100644 index 0000000..26b4144 --- /dev/null +++ b/secrets/superkey.key 
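Review bot: Both `when` clauses in roles/ssh_access/tasks/main.yml test `access_list != None` before `access_list is defined`, and `with_dict` is evaluated before `when`, so on a host where the variable is absent the loop fails with an undefined-variable error instead of being skipped; the defined check has to come first and the loop needs a default: `with_dict: "{{ access_list | default({}) }}"` and `when: access_list is defined and access_list != None` (same for `secret_list`). The `copy` task writes into `~/.ssh/` for `item.value.username` but nothing creates that directory or the user first, so a brand-new account such as the readme's `dev` user fails here; a preceding `file: path=~/.ssh state=directory mode=0700` task under the same `become_user` fixes that. Consider also `no_log: true` on the secret-key upload so the loop items are not written to the `ansible.log` that ansible.cfg enables.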
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAwNv29GRDfroj6Ue5iPsj/E5nX7QWRPzfHIj8pMms3+YY/rt6 +em077AXFGQITr874Y5tnjS7joO1LnOU71D/Yy80ty4kqL56U20OBGLrFxv/swJgf +QweSv9nFkj+sEONqu/kM7Ailu4sOkcAzH/aA8tLVpAyC5xf+wYhtX3twUkbSPgpG +N6hV/TaNMt27moWwOMui0Hm6EYriPYBD7c7wHwgLwkksq+SLLHDqJqiWrBSRnwCv +KBAIpMyqwhjLICk7LyuAZdXF+LdJXssXLnnpwl1HspkRt/QhbznRqyLqdD6pfVRv +yRalZxK7xv8akYlCzzWgCHGbw98KexUBLcw8oQIDAQABAoIBAFcjS7pyjth0bANc +B+Vva3v1RNnF+YXkJz6yWkxuXvCu+z4lIRqtvjRPCxXYjWKTBkGjFq+ArxKoBND3 +9gdZba/vnbBn4iqv4RwMrQiqYvAd9C+0y/MyOcj7MTx6Dll3F2OlDISdB5zsIIIU +MEVR0ENmpWbAzGhzvARfiuNoV4CkfCMk8+1l5m0eLuFih74IW3Ka62tUx6DUIl9/ +KTsgFqsGY7if6RomEWJssoDWYhfVpy2PyIR9Rvs3sTSKXKlHAZIewTbiwsjsknjw +8x6eJpi6KogZ2jsgmjOzAUkyAjFm5+Su7l0H58nJk6V0b4eskXGZD4nzzmUSmjEw +L1MmW90CgYEA59RpCp3t0MGX5IPkKezaCXC6uvP1cUPKIcz9MrYDDzX4mWUIiKza +hyPPllmV75sUk11/bMcwOlYiRlpwCRq6Wh5BV3D34/YSNF7gOyUkNrEWt04UAlSD +pwEP8RMv+GXhPGfWJrhuF3zTYoWy8347LKuKgkLxDgWYwvYaJTXMVDsCgYEA1Pds +Poup+X8eOOtF80w8T7joTEI4TM0h7LdJnK8Don99jG4dQdgXB/r8qsCSkjHG6nkn +6qsJXEULybxuc4qD444LwNWAVVxHE6e69plW5jtzO5ZXEEMFOpBawAZDIOtiePUr +ZrXp4X48o429XWBenZPJZmtCFCnd8943AEkLcNMCgYEAocEMNZMx3qllMNVxumr/ +Svzz3QPhKlFRVLoxpFNo2REgTu82wB5TL12mNtJ1EkSTW6suAJkOpnV43ru1VjTm +94AKuVciL1V/KDlWnQ3yMZLoNaftwB516W2NUPjBTMDRIhOVUVj3v72hxCljTg+y +fB2IvBC3HsB68PVEEthxpAcCgYA+3N39xFojBGvWX1RhkcJHwgwH3pAh03dNGXlI +H70R7VIQ7rwCIJgDygllGbzqHHlb4vFuapgzvUnSfaWYw21U8Sv0+tCL4dY1LhCZ +FAA7q5bDIwiGC1JyzAONpQuRnwmNLMln4xCreAjMOl2IP5cOKn6LleOGcilK/+/6 +TJVs8wKBgQDSOzTch2lQViWQhSFO2nnQ5Os7nLhQGhWLQP+L6JJiTIeAv0oITyQC +IVOzsysepQYnm/bSHDXRHpzYR/Cq2FJIIPKvBIHuh60zqhpfpG97+fCibRFfWcoe +DFR+2w5mcReEHjwAT5dVBfYVlLb75Zmu7P0/C4KG6DGtRNxEGSjUSw== +-----END RSA PRIVATE KEY----- diff --git a/secrets/superkey.pub b/secrets/superkey.pub new file mode 100644 index 0000000..cfefb08 --- /dev/null +++ b/secrets/superkey.pub 
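Review bot: This hunk commits an unencrypted RSA private key into the repository, and the `.gitignore` change in the same patch ignores `*.log` and `*.retry` but nothing under `secrets/`, so the readme's instruction to replace the keys in place will get a real key committed exactly the same way on the next `git add`. Keep the sample pair out of the tracked tree (or under an obviously named `examples/` path the playbook does not read), add `secrets/*` with a `!secrets/.gitkeep` exception to `.gitignore`, and treat this demo key as permanently compromised since it is public. The file name also disagrees with inventory.ini, which expects `secrets/superkey.pem`, so the key as committed is not even the one the playbook would connect with.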
@@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA2/b0ZEN+uiPpR7mI+yP8TmdftBZE/N8ciPykyazf5hj+u3p6bTvsBcUZAhOvzvhjm2eNLuOg7Uuc5TvUP9jLzS3LiSovnpTbQ4EYusXG/+zAmB9DB5K/2cWSP6wQ42q7+QzsCKW7iw6RwDMf9oDy0tWkDILnF/7BiG1fe3BSRtI+CkY3qFX9No0y3buahbA4y6LQeboRiuI9gEPtzvAfCAvCSSyr5IsscOomqJasFJGfAK8oEAikzKrCGMsgKTsvK4Bl1cX4t0leyxcueenCXUeymRG39CFvOdGrIup0Pql9VG/JFqVnErvG/xqRiULPNaAIcZvD3wp7FQEtzDyh demo key. do not use it! diff --git a/ssh-keys.sh b/ssh-keys.sh new file mode 100755 index 0000000..efbf7bc --- /dev/null +++ b/ssh-keys.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +ansible-playbook ssh-keys.yml -i inventory.ini diff --git a/ssh-keys.yml b/ssh-keys.yml new file mode 100644 index 0000000..e6c1893 --- /dev/null +++ b/ssh-keys.yml @@ -0,0 +1,7 @@ +--- +- hosts: all + gather_facts: True + roles: + - master_key + - preinstall + - ssh_access
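Review bot: ssh-keys.sh runs `ansible-playbook ssh-keys.yml -i inventory.ini` with paths relative to the current directory, and the playbook relies on more relative paths (`secrets/superkey.pub`, the `../keys/` entries in group_vars), so invoking it from anywhere but the repository root fails or picks up a different `ansible.cfg`. Prefix it with `cd "$(dirname "$0")" || exit 1` and `set -eu`, and forward `"$@"` so `--limit` and `--check` can be used against a single host before touching the whole fleet.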
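Review bot: `hosts: all` in ssh-keys.yml applies the `master_key` role's exclusive key replacement to every inventory host in one run, so a wrong `superkey.pub` locks the operator out of the whole fleet at once. Adding `serial: 1` means that if the connection fails on the task after the key swap, the play stops at that first host instead of continuing across the rest, and a comment on the play warning that it rewrites root's authorized_keys would match the readme's warning. Whether the play is meant to cover `monitoring` as well as `hetzner` is not stated anywhere; if it is, say so in a comment, otherwise `hosts: hetzner` is the safer default.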