diff --git a/README.md b/README.md
index d1377db..7980344 100644
--- a/README.md
+++ b/README.md
@@ -41,6 +41,15 @@ ssh_host_user: ubuntu
 # The location to store the keys to. (warning it should not begin with /)
 ssh_key_path: ".ssh/new-ssh-key"
+# if you already have generated you keys add the following variables.
+
+# Set to true by default
+generate_new_key: True
+ssh_connection_key: "some key"
+
+# add this if you want to add deployment key for your server,
+ssh_deployment_key: "deployment key"
+
 ```
 The above variables and values are the default inputs to this role. You can check the default folder. Make sure you upate them with your own.
diff --git a/defaults/main.yml b/defaults/main.yml
index 1467d80..182b3ea 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-# defaugalts file for ssh-key-rotation
+# defaults file for ssh-key-rotation
 is_exclusive: no
 should_manage_dir: no
 authorized_keys_path: '{{ ansible_env.HOME }}/.ssh/authorized_keys'
@@ -8,4 +8,5 @@ ssh_key_bits: 2048
 ssh_key_comment: domain@example.com
 ssh_host_user: vagrant
 ssh_key_path: ".ssh/new-ssh-key"
+generate_new_key: True
diff --git a/meta/main.yml b/meta/main.yml
index 0664b94..3acfcb2 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,22 +1,15 @@
 galaxy_info:
 author: Thomas Nyambati
 description: Ansible role that enables you to rotate ssh keys on your remote servers
- company: your company (optional)
-
- # If the issue tracker for your role is not on github, uncomment the
- # next line and provide a value
- # issue_tracker_url: http://example.com/issue/tracker
-
- # Some suggested licenses:
- # - BSD (default)
- # - MIT
- # - GPLv2
- # - GPLv3
- # - Apache
- # - CC-BY
- license: license (GPLv2, CC-BY, etc)
-
+ company: Andela Kenya Ltd
+ license: MIT
 min_ansible_version: 2.2
+ platforms:
+ - name: Ubuntu
+ versions:
+ - trusty
 galaxy_tags: []
+ categories:
+ - system
 dependencies: []
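Review bot: `generate_new_key: True` in the `defaults/main.yml` hunk uses a capitalised YAML 1.1 boolean while the file's other flags are written as `no`; Ansible's yamllint profile wants lowercase `true`/`false`, so write `generate_new_key: true` and consider normalising the neighbouring `is_exclusive: no` / `should_manage_dir: no` to `false` in the same pass. The README hunk documents `ssh_connection_key` and `ssh_deployment_key` but neither gets an entry here; since `tasks/main.yml` asserts on `ssh_connection_key`, a commented `# ssh_connection_key: "<public key, required when generate_new_key is false>"` line in the defaults would make that contract visible to people who never read the README.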
diff --git a/tasks/generate_key.yml b/tasks/generate_key.yml
new file mode 100644
index 0000000..9cbcfa5
--- /dev/null
+++ b/tasks/generate_key.yml
@@ -0,0 +1,17 @@
+# tasks file for ssh-key-rotation
+- name: Generate a new ssh Key
+ command:
+ ssh-keygen
+ -t rsa
+ -b {{ ssh_key_bits }}
+ -N "{{ passphrase }}" -q
+ -f {{ lookup('env','HOME')}}/{{ ssh_key_path }}
+ -C {{ ssh_key_comment }}
+ when: inventory_hostname == play_hosts[0]
+ args:
+ creates: "{{ lookup('env','HOME') + '/' + ssh_key_path }}"
+ delegate_to: localhost
+
+- name: Store then value of the ssh key path
+ set_fact:
+ ssh_connection_key: "{{ lookup('file', lookup('env','HOME') + '/' + ssh_key_path + '.pub') }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index e461b20..13fa244 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
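Review bot: The `-N "{{ passphrase }}"` argument in `Generate a new ssh Key` puts the private-key passphrase on the ssh-keygen command line, where it is visible to any local user through the process list while the command runs and is returned in the task result (`cmd`) that Ansible prints on failure or under `-v`; add `no_log: true` to that task. `passphrase` has no default in the visible part of `defaults/main.yml`, so unless it is set elsewhere this line fails with an undefined variable — a comment above the task stating `# passphrase is required; set it via vault or extra-vars` would document that. Because of `creates:`, a key already present at `ssh_key_path` on the controller is silently reused on later runs, so a second run of this "rotation" role does not rotate anything; the task should say so in a comment (`# existing key at ssh_key_path is reused — remove it or change ssh_key_path to rotate`). The key type is also hard-coded as `-t rsa`; exposing it as `-t {{ ssh_key_type }}` with a default of `rsa` would keep current behaviour while allowing ed25519.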
@@ -1,32 +1,37 @@
 ---
-# tasks file for ssh-key-rotation
-- name: Generate New ssh Keys
- command:
- ssh-keygen
- -t rsa
- -b {{ ssh_key_bits }}
- -N "{{ passphrase }}" -q
- -f {{ lookup('env','HOME')}}/{{ ssh_key_path }}
- -C {{ ssh_key_comment }}
- when: inventory_hostname == play_hosts[0]
- args:
- creates: "{{ lookup('env','HOME')}}/{{ ssh_key_path }}"
- delegate_to: localhost
+- include: generate_key.yml
+ when: generate_new_key | default(True)
-- name: Store then value of the ssh key path
- set_fact: key_path={{ lookup('env','HOME')}}/{{ ssh_key_path }}
+- name: Ensure that ssh connection key is defined
+ assert:
+ that: ssh_connection_key is defined
 - name: Set Authorized key(s) to the authorized keys file
 become: yes
 become_user: root
+ when: ssh_connection_key is defined
 authorized_key:
 exclusive: '{{ is_exclusive }}'
 user: '{{ ssh_host_user }}'
 state: present
 path: '{{ authorized_keys_path }}'
 manage_dir: '{{ should_manage_dir }}'
- key: "{{ lookup('file', key_path + '.pub') }}"
+ key: "{{ ssh_connection_key }}"
+
+- name: copy
+ when: generate_new_key != true
+ copy:
+ content: "{{ ssh_connection_key }}"
+ dest: "{{ ssh_key_path }}"
+
+- name: Add deployment key
+ when: ssh_deployment_key is defined
+ become: yes
+ become_user: root
+ authorized_key:
+ user: '{{ ssh_host_user }}'
+ state: present
+ path: '{{ authorized_keys_path }}'
+ manage_dir: '{{ should_manage_dir }}'
+ key: "{{ ssh_deployment_key }}"
-- name: Test if the new ssh key is allowed to make connections
- shell: ssh {{ssh_host_user }}@{{ inventory_hostname }} "echo success"
- delegate_to: localhost
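Review bot: When `is_exclusive` is yes, the `Set Authorized key(s)` task strips every key except `ssh_connection_key` on each run and the new `Add deployment key` task then puts `ssh_deployment_key` back, so the deployment key is deleted and re-added on every play, the role never converges, and there is a window with no deployment key in `authorized_keys`. `authorized_key` accepts several keys in one newline-separated string, so fold the deployment key into the first task with `key: "{{ ([ssh_connection_key] + ([ssh_deployment_key] if ssh_deployment_key is defined else [])) | join('\n') }}"` and drop the second task. The `copy` task writes the public-key text held in `ssh_connection_key` to `dest: "{{ ssh_key_path }}"`, which by default is the relative path `.ssh/new-ssh-key` on the remote host, without a `.pub` suffix or a `mode`; its purpose is not stated anywhere, so it needs either a comment saying what consumes that file plus an absolute `dest` and `mode: "0644"`, or removal if it is a leftover. Note also that the connection-test task was removed without replacement, so nothing verifies that `ssh_connection_key` actually grants access before an exclusive run discards the old keys, which risks a lockout.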