Modified the role + Updated the LICENSE
parent
29c77bb77c
commit
f26e8fa49c
29
.travis.yml
29
.travis.yml
@ -1,29 +0,0 @@
|
|||||||
---
|
|
||||||
language: python
|
|
||||||
python: "2.7"
|
|
||||||
|
|
||||||
# Use the new container infrastructure
|
|
||||||
sudo: false
|
|
||||||
|
|
||||||
# Install ansible
|
|
||||||
addons:
|
|
||||||
apt:
|
|
||||||
packages:
|
|
||||||
- python-pip
|
|
||||||
|
|
||||||
install:
|
|
||||||
# Install ansible
|
|
||||||
- pip install ansible
|
|
||||||
|
|
||||||
# Check ansible version
|
|
||||||
- ansible --version
|
|
||||||
|
|
||||||
# Create ansible.cfg with correct roles_path
|
|
||||||
- printf '[defaults]\nroles_path=../' >ansible.cfg
|
|
||||||
|
|
||||||
script:
|
|
||||||
# Basic role syntax check
|
|
||||||
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
|
|
||||||
|
|
||||||
notifications:
|
|
||||||
webhooks: https://galaxy.ansible.com/api/v1/notifications/
|
|
3
LICENSE
3
LICENSE
@ -1,5 +1,6 @@
|
|||||||
MIT License
|
MIT License
|
||||||
|
|
||||||
|
Copyright (c) 2023 Opnxng
|
||||||
Copyright (c) 2017 Nyambati Thomas
|
Copyright (c) 2017 Nyambati Thomas
|
||||||
|
|
||||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||||
@ -18,4 +19,4 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|||||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||||
SOFTWARE.
|
SOFTWARE.
|
107
README.md
107
README.md
@ -1,103 +1,28 @@
|
|||||||
# SSH Key Rotation
|
# SSH Key Rotation
|
||||||
|
|
||||||
# [![Build Status](https://travis-ci.org/nyambati/ssh-key-rotation.svg?branch=master)](https://travis-ci.org/nyambati/ssh-key-rotation)
|
This is Ansible role that enables you to rotate ssh keys on your remote servers. Forked from [nyambati/ssh-key-rotation](https://github.com/nyambati/ssh-key-rotation/tree/master). By default, this role generates an ed25519 key pair with the Ansible group and the current date as its name.
|
||||||
|
|
||||||
This is ansible role that enables you to rotate ssh keys on your remote servers. You can find this role on [ansible galaxy](https://galaxy.ansible.com/nyambati/ssh-key-rotation)
|
|
||||||
|
|
||||||
## Requirements
|
|
||||||
|
|
||||||
This modules depends on ansible 2.2.X
|
|
||||||
|
|
||||||
## Role Variables
|
|
||||||
|
|
||||||
For this role to work it requires the following variables:
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
# Removes the existing public keys when set to yes
|
|
||||||
is_exclusive: no
|
|
||||||
|
|
||||||
should_manage_dir: no
|
|
||||||
|
|
||||||
# The location to where the authorized_keys file existing
|
|
||||||
# .shh/authorized_keys is the deafult value
|
|
||||||
authorized_keys_path: .ssh/authorized_keys
|
|
||||||
|
|
||||||
# This is the passphrase used to encrypt your new ssh key
|
|
||||||
passphrase: 83g!8bfu5M5yy84x
|
|
||||||
|
|
||||||
# The number of bits you want to assign the key
|
|
||||||
ssh_key_bits: 2048
|
|
||||||
|
|
||||||
# The comment that accompanies the key
|
|
||||||
ssh_key_comment: domain@example.com
|
|
||||||
|
|
||||||
# The user of the host keys are added to
|
|
||||||
ssh_host_user: ubuntu
|
|
||||||
|
|
||||||
# The location to store the keys to. (warning it should not begin with /)
|
|
||||||
ssh_key_path: ".ssh/new-ssh-key"
|
|
||||||
|
|
||||||
# if you already have generated you keys add the following variables.
|
|
||||||
|
|
||||||
# Set to true by default
|
|
||||||
generate_new_key: True
|
|
||||||
ssh_connection_key: "some key"
|
|
||||||
|
|
||||||
# add this if you want to add deployment key for your server,
|
|
||||||
ssh_deployment_key: "deployment key"
|
|
||||||
```
|
|
||||||
|
|
||||||
The above variables and values are the default inputs to this role. You can check the default folder. Make sure you upate them with your own.
|
|
||||||
|
|
||||||
Installation
|
|
||||||
|
|
||||||
You can install this role from ansible galaxy by running
|
|
||||||
|
|
||||||
```bash
|
|
||||||
$ ansible-galaxy install nyambati.ssh-key-rotation
|
|
||||||
```
|
|
||||||
|
|
||||||
## Example Playbook
|
## Example Playbook
|
||||||
|
|
||||||
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
|
|
||||||
|
|
||||||
```
|
```
|
||||||
---
|
---
|
||||||
- hosts: all
|
- name: SSH Keys Rotation
|
||||||
remote_user: vagrant
|
hosts: all
|
||||||
|
remote_user: user
|
||||||
vars:
|
vars:
|
||||||
host_user: vagrant
|
is_exclusive: no
|
||||||
ssh_key_path: .ssh/some-new-secure
|
ssh_host_user: user
|
||||||
|
vars_prompt:
|
||||||
|
- name: passphrase
|
||||||
|
prompt: "Enter the passphrase"
|
||||||
|
private: true
|
||||||
|
- name: confirm_passphrase
|
||||||
|
prompt: "Confirm the passphrase"
|
||||||
|
private: true
|
||||||
roles:
|
roles:
|
||||||
- nyambati.ssh-key-rotation
|
- ssh-key-rotation
|
||||||
|
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
## License
|
## Original Author
|
||||||
|
|
||||||
MIT License
|
Thomas Nyambati <thomasnyambati@gmail.com>
|
||||||
|
|
||||||
Copyright (c) 2017 Nyambati Thomas <thomasnyambati@gmal.com>
|
|
||||||
|
|
||||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
||||||
of this software and associated documentation files (the "Software"), to deal
|
|
||||||
in the Software without restriction, including without limitation the rights
|
|
||||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
||||||
copies of the Software, and to permit persons to whom the Software is
|
|
||||||
furnished to do so, subject to the following conditions:
|
|
||||||
|
|
||||||
The above copyright notice and this permission notice shall be included in all
|
|
||||||
copies or substantial portions of the Software.
|
|
||||||
|
|
||||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
||||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
||||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
||||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
||||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
||||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
||||||
SOFTWARE.
|
|
||||||
|
|
||||||
## Author Information
|
|
||||||
|
|
||||||
Thomas Nyambati <thomasnyambati@gmail.com>
|
|
@ -1,12 +1,36 @@
|
|||||||
---
|
---
|
||||||
# defaults file for ssh-key-rotation
|
# defaults file for ssh-key-rotation
|
||||||
is_exclusive: no
|
|
||||||
should_manage_dir: no
|
|
||||||
authorized_keys_path: '{{ ansible_env.HOME }}/.ssh/authorized_keys'
|
|
||||||
passphrase: 83g!8bfu5M5yy84x
|
|
||||||
ssh_key_bits: 2048
|
|
||||||
ssh_key_comment: domain@example.com
|
|
||||||
ssh_host_user: vagrant
|
|
||||||
ssh_key_path: ".ssh/new-ssh-key"
|
|
||||||
generate_new_key: True
|
|
||||||
|
|
||||||
|
# Removes the existing public keys when set to yes
|
||||||
|
is_exclusive: yes
|
||||||
|
should_manage_dir: no
|
||||||
|
|
||||||
|
# The location to store the keys to. (warning it should not begin with /)
|
||||||
|
ssh_key_path: ".ssh/{{ group_names[0] }}-{{ansible_date_time.date}}"
|
||||||
|
|
||||||
|
# The location to where the authorized_keys file existing
|
||||||
|
authorized_keys_path: ".ssh/authorized_keys"
|
||||||
|
|
||||||
|
# Set key algorithm
|
||||||
|
ssh_key_algorithm: ed25519
|
||||||
|
# ssh_key_algorithm: rsa -b 2048
|
||||||
|
|
||||||
|
# The comment that accompanies the key
|
||||||
|
ssh_key_comment: "{{ group_names[0] }}-{{ansible_date_time.date}}"
|
||||||
|
|
||||||
|
# The user of the host keys are added to
|
||||||
|
ssh_host_user: user
|
||||||
|
|
||||||
|
# Set to true by default
|
||||||
|
generate_new_key: true
|
||||||
|
|
||||||
|
# ----------------------------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
# Ask passphrase on prompt instead
|
||||||
|
# passphrase: 83g!8bfu5M5yy84x
|
||||||
|
|
||||||
|
# add this if you want to add connection key for your server
|
||||||
|
# ssh_connection_key: "some key"
|
||||||
|
|
||||||
|
# add this if you want to add deployment key for your server
|
||||||
|
# ssh_deployment_key: "deployment key"
|
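Review bot: Flipping the default to `is_exclusive: yes` means a routine run now removes every key in the target's authorized_keys except the one just generated (the comment directly above says as much), so a wrong `ssh_host_user`, a wrong `authorized_keys_path` or a failed key generation locks every operator out; the previous default was `no`. I would keep the safe default and spell the booleans canonically, `is_exclusive: false` and `should_manage_dir: false`, leaving exclusive mode as an explicit opt-in. The commented `# ssh_key_algorithm: rsa -b 2048` invites a caller to put extra CLI flags into a variable that generate_key.yml splices unquoted into the ssh-keygen command line; a separate `ssh_key_bits` appended only when the algorithm is rsa is the cleaner way to get that. The commented `# passphrase: 83g!8bfu5M5yy84x` still leaves the old literal passphrase in the tree (and in history); replace it with a placeholder such as `# passphrase: 'CHANGE-ME'` and rely on the vars_prompt.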
@ -1,15 +0,0 @@
|
|||||||
galaxy_info:
|
|
||||||
author: Thomas Nyambati
|
|
||||||
description: Ansible role that enables you to rotate ssh keys on your remote servers
|
|
||||||
company: Andela Kenya Ltd
|
|
||||||
license: MIT
|
|
||||||
min_ansible_version: 2.2
|
|
||||||
platforms:
|
|
||||||
- name: Ubuntu
|
|
||||||
versions:
|
|
||||||
- trusty
|
|
||||||
galaxy_tags: []
|
|
||||||
categories:
|
|
||||||
- system
|
|
||||||
dependencies: []
|
|
||||||
|
|
@ -2,16 +2,15 @@
|
|||||||
- name: Generate a new ssh Key
|
- name: Generate a new ssh Key
|
||||||
command:
|
command:
|
||||||
ssh-keygen
|
ssh-keygen
|
||||||
-t rsa
|
-t {{ ssh_key_algorithm }}
|
||||||
-b {{ ssh_key_bits }}
|
|
||||||
-N "{{ passphrase }}" -q
|
-N "{{ passphrase }}" -q
|
||||||
-f {{ lookup('env','HOME')}}/{{ ssh_key_path }}
|
-f /home/{{ ssh_host_user }}/{{ ssh_key_path }}
|
||||||
-C {{ ssh_key_comment }}
|
-C {{ ssh_key_comment }}
|
||||||
when: inventory_hostname == play_hosts[0]
|
when: inventory_hostname == play_hosts[0]
|
||||||
args:
|
args:
|
||||||
creates: "{{ lookup('env','HOME') + '/' + ssh_key_path }}"
|
creates: "/home/{{ ssh_host_user }}/{{ ssh_key_path }}"
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
|
|
||||||
- name: Store then value of the ssh key path
|
- name: Store then value of the ssh key path
|
||||||
set_fact:
|
set_fact:
|
||||||
ssh_connection_key: "{{ lookup('file', lookup('env','HOME') + '/' + ssh_key_path + '.pub') }}"
|
ssh_connection_key: "{{ lookup('file', '/' + 'home' + '/' + ssh_host_user + '/' + ssh_key_path + '.pub') }}"
|
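Review bot: The private key is now generated on the control node under `/home/{{ ssh_host_user }}/{{ ssh_key_path }}` (the `-f`, `creates:` and `lookup('file', …)` lines), but `ssh_host_user` names the account on the remote hosts; with `delegate_to: localhost` that directory usually does not exist on the controller, and when it does it belongs to a different local user, so the key is either not written or lands in someone else's home. The previous `lookup('env','HOME')` was the right base for a localhost-delegated path; keep it, e.g. `-f {{ lookup('env','HOME') }}/{{ ssh_key_path }}`, with the same expression in `creates:` and in the `lookup('file', …)`. Separately, `-N "{{ passphrase }}"` templates the passphrase into the command string, so it is recorded in the task result's `cmd` and printed by `-v` output and any logging callback; add `no_log: true` to the task (the passphrase is also visible in the controller's process list for the duration of ssh-keygen, which `-N` cannot avoid).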
@ -1,4 +1,11 @@
|
|||||||
---
|
---
|
||||||
|
- name: Check if the passphrase inputs match
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- "{{ passphrase == confirm_passphrase }}"
|
||||||
|
fail_msg: "Passphrase inputs do not match"
|
||||||
|
when: passphrase != confirm_passphrase
|
||||||
|
|
||||||
- import_tasks: generate_key.yml
|
- import_tasks: generate_key.yml
|
||||||
when: generate_new_key | default(True)
|
when: generate_new_key | default(True)
|
||||||
|
|
||||||
@ -7,14 +14,13 @@
|
|||||||
that: ssh_connection_key is defined
|
that: ssh_connection_key is defined
|
||||||
|
|
||||||
- name: Set Authorized key(s) to the authorized keys file
|
- name: Set Authorized key(s) to the authorized keys file
|
||||||
become: yes
|
become: true
|
||||||
become_user: root
|
|
||||||
when: ssh_connection_key is defined
|
when: ssh_connection_key is defined
|
||||||
authorized_key:
|
authorized_key:
|
||||||
exclusive: '{{ is_exclusive }}'
|
exclusive: '{{ is_exclusive }}'
|
||||||
user: '{{ ssh_host_user }}'
|
user: '{{ ssh_host_user }}'
|
||||||
state: present
|
state: present
|
||||||
path: '{{ authorized_keys_path }}'
|
path: '/home/{{ ssh_host_user }}/{{ authorized_keys_path }}'
|
||||||
manage_dir: '{{ should_manage_dir }}'
|
manage_dir: '{{ should_manage_dir }}'
|
||||||
key: "{{ ssh_connection_key }}"
|
key: "{{ ssh_connection_key }}"
|
||||||
|
|
||||||
@ -31,7 +37,7 @@
|
|||||||
authorized_key:
|
authorized_key:
|
||||||
user: '{{ ssh_host_user }}'
|
user: '{{ ssh_host_user }}'
|
||||||
state: present
|
state: present
|
||||||
path: '{{ authorized_keys_path }}'
|
path: '/home/{{ ssh_host_user }}/{{ authorized_keys_path }}'
|
||||||
manage_dir: '{{ should_manage_dir }}'
|
manage_dir: '{{ should_manage_dir }}'
|
||||||
key: "{{ ssh_deployment_key }}"
|
key: "{{ ssh_deployment_key }}"
|
||||||
|
|
||||||
|
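Review bot: The new passphrase check makes `confirm_passphrase` mandatory: `when: passphrase != confirm_passphrase` is evaluated on every run, so a caller that sets `passphrase` with `-e` or from vault instead of the README's `vars_prompt` now fails with an undefined-variable error instead of rotating keys. The check is also odd in shape—the task is skipped whenever the values match and its `that:` is always false when it does run—and `that:` should be a plain expression rather than a templated string, which Ansible warns about. A minimal fix is `that: - passphrase == confirm_passphrase` together with `when: confirm_passphrase is defined`, keeping `fail_msg`. In the second hunk, `path: '/home/{{ ssh_host_user }}/{{ authorized_keys_path }}'` hard-codes `/home`, so for root or any account whose home is elsewhere the file is written where sshd does not read it and the rotation silently has no effect; the module uses the user's real `~/.ssh/authorized_keys` when `path` is left unset, so omitting `path` or giving `authorized_keys_path` an absolute default is safer.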
@ -1 +0,0 @@
|
|||||||
localhost
|
|
@ -1,5 +0,0 @@
|
|||||||
---
|
|
||||||
- hosts: localhost
|
|
||||||
remote_user: root
|
|
||||||
roles:
|
|
||||||
- ssh-key-rotation
|
|