Diffstat (limited to 'ansible/deployment_poc')
-rw-r--r--ansible/deployment_poc/.gitignore1
-rw-r--r--ansible/deployment_poc/playbooks/deploy.yml14
-rwxr-xr-xansible/deployment_poc/shell/configure_sshd.sh79
-rw-r--r--ansible/deployment_poc/tasks/configure_dns.yml12
-rw-r--r--ansible/deployment_poc/tasks/configure_dps.yml3
-rw-r--r--ansible/deployment_poc/tasks/configure_libvirt.yml2
-rw-r--r--ansible/deployment_poc/tasks/configure_ssh.yml65
-rw-r--r--ansible/deployment_poc/tasks/init_dns.yml2
-rw-r--r--ansible/deployment_poc/tasks/init_dps.yml1
-rw-r--r--ansible/deployment_poc/tasks/init_ssh.yml53
-rw-r--r--ansible/deployment_poc/tasks/init_vm_console.yml2
-rw-r--r--ansible/deployment_poc/tasks/netbox_evaluate_cluster.yml20
-rw-r--r--ansible/deployment_poc/tasks/netbox_evaluate_ip.yml4
-rw-r--r--ansible/deployment_poc/tasks/netbox_evaluate_prefix.yml1
-rw-r--r--ansible/deployment_poc/tasks/netbox_evaluate_site.yml1
-rw-r--r--ansible/deployment_poc/tasks/netbox_evaluate_vm.yml2
-rw-r--r--ansible/deployment_poc/tasks/netbox_query_cluster.yml1
-rw-r--r--ansible/deployment_poc/tasks/netbox_query_ip.yml4
-rw-r--r--ansible/deployment_poc/tasks/netbox_query_prefix.yml1
-rw-r--r--ansible/deployment_poc/tasks/netbox_query_site.yml1
-rw-r--r--ansible/deployment_poc/tasks/netbox_query_vm.yml1
-rw-r--r--ansible/deployment_poc/tasks/wait.yml10
-rw-r--r--ansible/deployment_poc/templates/nsd_zone.j23
23 files changed, 266 insertions, 17 deletions
diff --git a/ansible/deployment_poc/.gitignore b/ansible/deployment_poc/.gitignore
index 3dc880c..4a7710d 100644
--- a/ansible/deployment_poc/.gitignore
+++ b/ansible/deployment_poc/.gitignore
@@ -8,5 +8,6 @@ templates/generated/
variables/deploy-variables.yml
inventory.yml
*.bak
+*.example
*.old
*.tgz
diff --git a/ansible/deployment_poc/playbooks/deploy.yml b/ansible/deployment_poc/playbooks/deploy.yml
index e8b43b0..4009b26 100644
--- a/ansible/deployment_poc/playbooks/deploy.yml
+++ b/ansible/deployment_poc/playbooks/deploy.yml
@@ -74,7 +74,7 @@
block:
- import_tasks: "../tasks/netbox_query_ip.yml"
- import_tasks: "../tasks/netbox_evaluate_ip.yml"
- #no_log: true
+ no_log: true
- name: Provision virtual machine
import_tasks: "../tasks/configure_libvirt.yml"
@@ -93,7 +93,7 @@
- import_tasks: "../tasks/netbox_init_interface.yml"
- import_tasks: "../tasks/netbox_query_interface.yml"
- import_tasks: "../tasks/netbox_evaluate_interface.yml"
- #no_log: true
+ no_log: true
- name: Define IP address object in NetBox
block:
@@ -103,8 +103,14 @@
- name: Start VM and attach console
import_tasks: "../tasks/init_vm_console.yml"
-# - name: Wait for guest OS installation
-# import_tasks: "../tasks/wait.yml"
+ - name: Initialize SSH CA
+ import_tasks: "../tasks/init_ssh.yml"
+
+ - name: Wait for guest OS installation
+ import_tasks: "../tasks/wait.yml"
+
+ - name: Configure SSH
+ import_tasks: "../tasks/configure_ssh.yml"
always:
diff --git a/ansible/deployment_poc/shell/configure_sshd.sh b/ansible/deployment_poc/shell/configure_sshd.sh
new file mode 100755
index 0000000..2cf3ac4
--- /dev/null
+++ b/ansible/deployment_poc/shell/configure_sshd.sh
@@ -0,0 +1,79 @@
+#!/bin/sh
+#
+# Deploys SSH client configuration for nodes with CA signed host certificates and CA based user authentication. Standalone nodes may not use this script.
+# Currently only designed for systemd based GNU/Linux distributions and OpenBSD. To-Do: support Sys-V init and Lukem RC based systems. To-Do 2: port this to Ansible deployment_poc.
+#
+# Author: Georg Pfuetzenreuter <georg@lysergic.dev>
+# Last edit: 13/02/2022
+
+PUBKEY="$1"
+
+
+get_ip_address () {
+ case $KERNEL in
+ "OpenBSD" ) ifconfig | grep -E 'inet.[0-9]' | grep -v '127.0.0.1' | awk '{ print $2}' | head -n1
+ ;;
+ "Linux" ) ip addr show eth0 | awk '$1 == "inet" {gsub(/\/.*$/, "", $2); print $2}'
+ ;;
+ esac
+
+}
+HOSTNAME=$(hostname -s)
+KERNEL=$(uname)
+IP_ADDRESS="$(get_ip_address)"
+if [ "$KERNEL" = "OpenBSD" ] || [ "$KERNEL" = "Linux" ]; then
+ if [ -f /etc/ssh/$HOSTNAME ] && [ -f /etc/ssh/$HOSTNAME-cert.pub ]; then
+ if [ ! -d /etc/ssh/old ]; then
+ mkdir /etc/ssh/old
+ fi
+ if [ -f /etc/ssh/ssh_known_hosts ]; then
+ mv /etc/ssh/ssh_known_hosts /etc/ssh/old/
+ fi
+ #if compgen -G "/etc/ssh/ssh_host_*" > /dev/null; then
+ #mv /etc/ssh/ssh_host_* /etc/ssh/old/
+ #fi
+ if [ -f /etc/ssh/ssh_host_rsa_key ]; then
+ mv /etc/ssh/ssh_host_* /etc/ssh/old/
+ fi
+ mv /etc/ssh/sshd_config /etc/ssh/old/
+ if [ -f /etc/ssh/ssh_config ]; then
+ mv /etc/ssh/ssh_config /etc/ssh/old/
+ fi
+ cat <<'EOF_SSHD_CONFIG' >/etc/ssh/sshd_config
+ListenAddress %%IP_ADDRESS%%
+Protocol 2
+SyslogFacility AUTH
+LogLevel FATAL
+
+HostKey /etc/ssh/%%HOSTNAME%%
+HostCertificate /etc/ssh/%%HOSTNAME%%-cert.pub
+TrustedUserCAKeys /etc/ssh/user_ca
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+AuthenticationMethods publickey
+
+LoginGraceTime 1m
+PermitRootLogin no
+StrictModes yes
+MaxAuthTries 1
+MaxSessions 3
+
+X11Forwarding no
+PrintMotd yes
+PrintLastLog yes
+EOF_SSHD_CONFIG
+ sed -i -e "s/%%IP_ADDRESS%%/$IP_ADDRESS/" -e "s/%%HOSTNAME%%/$HOSTNAME/" /etc/ssh/sshd_config
+ echo "$PUBKEY" > /etc/ssh/user_ca
+ case $KERNEL in
+ "OpenBSD" ) rcctl reload sshd
+ ;;
+ "Linux" ) systemctl reload sshd
+ ;;
+ esac
+ echo "OK"
+ else
+ echo "Missing host certificate and public key, copy them to /etc/ssh/ for me."
+ fi
+else
+ echo "Unsupported operating system, please configure sshd manually."
+fi
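Review bot: The script moves the existing `sshd_config` aside, writes the new one and reloads sshd without checking that `$PUBKEY` and `$IP_ADDRESS` are non-empty or that the generated file parses. An empty `$1` leaves `/etc/ssh/user_ca` blank, and an empty address (for instance a Linux guest whose interface is not `eth0`) yields a bare `ListenAddress` line, so the host may become unreachable while its last working config sits in `/etc/ssh/old`. Guard both values before touching anything and run sshd's test mode before the reload, as sketched below. Separately, `LogLevel FATAL` suppresses sshd's authentication log entries, which removes the audit trail for certificate logins; `INFO` or `VERBOSE` would keep it. The header comment also says "SSH client configuration" although the script configures the server.

```shell
if [ -z "$PUBKEY" ] || [ -z "$IP_ADDRESS" ]; then
	echo "Missing user CA public key or IP address, leaving sshd untouched." >&2
	exit 1
fi
# … unchanged: backup into /etc/ssh/old, sshd_config heredoc, sed substitution …
echo "$PUBKEY" > /etc/ssh/user_ca
if ! /usr/sbin/sshd -t -f /etc/ssh/sshd_config; then
	echo "Generated sshd_config failed validation, not reloading." >&2
	exit 1
fi
# … unchanged: rcctl / systemctl reload …
```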
diff --git a/ansible/deployment_poc/tasks/configure_dns.yml b/ansible/deployment_poc/tasks/configure_dns.yml
index 6f1896c..9a28800 100644
--- a/ansible/deployment_poc/tasks/configure_dns.yml
+++ b/ansible/deployment_poc/tasks/configure_dns.yml
@@ -5,6 +5,8 @@
set_fact:
dns_fqdn: "{{ lookup('community.general.dig', dns_ip + '/PTR') }}"
vm_fqdn: "{{ vm_name + '.' + namespace }}"
+ tags:
+ - init_ssh
- name: Gather DNS hostname and zonename
set_fact:
@@ -23,6 +25,16 @@
path: "/var/nsd/zones/master/{{ zone }}.zone"
when: dns_os == 'openbsd-x86_64'
delegate_to: "{{ dns_host }}"
+
+ - name: Reload DNS zone
+ ansible.builtin.command:
+ argv:
+ - /usr/bin/doas
+ - nsd-control
+ - reload
+ - "{{ zone }}"
+ when: dhcp_os == 'openbsd-x86_64'
+ delegate_to: "{{ dns_host }}"
- name: Insert DNS static host mapping
vyos.vyos.vyos_config:
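Review bot: The new 'Reload DNS zone' task is gated on `dhcp_os`, while the zone-file task directly above it, delegated to the same `dns_host`, is gated on `dns_os`; this looks like a copy-paste slip. If the DHCP and DNS servers run different operating systems, the reload is either skipped or attempted on a host without nsd, and the new record is not served. Suggested condition: `when: dns_os == 'openbsd-x86_64'`. The preceding task starts outside the hunk, so only its last lines are visible here.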
diff --git a/ansible/deployment_poc/tasks/configure_dps.yml b/ansible/deployment_poc/tasks/configure_dps.yml
index 1b610b0..3b56eef 100644
--- a/ansible/deployment_poc/tasks/configure_dps.yml
+++ b/ansible/deployment_poc/tasks/configure_dps.yml
@@ -37,9 +37,10 @@
mode: '0444'
when: dp_os == 'openbsd-x86_64'
- - name: Generate LUKS passphrase
+ - name: Generate LUKS passphrase #does not quite belong here
set_fact:
luks_passphrase: "{{ lookup('password', '/dev/null', length=15, chars=hexdigits, seed=inventory_hostname) }}"
+ no_log: true
- name: Prepare unattended installation
ansible.builtin.template:
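Review bot: `no_log: true` keeps the LUKS passphrase out of task output, but the lookup on the line above still passes `seed=inventory_hostname`, and the password lookup returns the same value for the same seed, so the passphrase can be recomputed by anyone who knows the hostname and these parameters. Consider mixing a vaulted secret into the seed, for example `seed=inventory_hostname + luks_seed_secret` (`luks_seed_secret` is a placeholder for a variable kept in Ansible Vault), or generating the passphrase unseeded and keeping it in a secrets store. The new inline comment would read better as `# does not quite belong here`, with two spaces before the `#` and one after. The task list this belongs to starts and ends outside the hunk.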
diff --git a/ansible/deployment_poc/tasks/configure_libvirt.yml b/ansible/deployment_poc/tasks/configure_libvirt.yml
index 3b20529..bbcc80e 100644
--- a/ansible/deployment_poc/tasks/configure_libvirt.yml
+++ b/ansible/deployment_poc/tasks/configure_libvirt.yml
@@ -51,7 +51,7 @@
- name: Create domain template
ansible.builtin.template:
src: "../templates/libvirt-template.xml.j2"
- dest: "../templates/libvirt-{{ inventory_hostname }}.xml"
+ dest: "../templates/generated/libvirt-{{ inventory_hostname }}.xml"
group: lysergic
mode: '0660'
diff --git a/ansible/deployment_poc/tasks/configure_ssh.yml b/ansible/deployment_poc/tasks/configure_ssh.yml
new file mode 100644
index 0000000..d47b004
--- /dev/null
+++ b/ansible/deployment_poc/tasks/configure_ssh.yml
@@ -0,0 +1,65 @@
+---
+- name: Configure SSH server
+ block:
+ - name: Switch user
+ set_fact:
+ ansible_user_original: "{{ lookup('env', 'USER') }}"
+ ansible_ssh_private_key_file_original: "{{ ansible_ssh_private_key_file }}"
+ ansible_user: install
+ ansible_ssh_private_key_file: "{{ installkey }}"
+
+ - name: Test 1
+ ansible.builtin.raw: whoami
+ vars:
+ - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
+
+ - name: Install SSH host certificate
+ ansible.builtin.copy:
+ checksum: "{{ stat_ssh_cert.stat.checksum }}"
+ dest: "/etc/ssh/{{ vm_name }}"
+ group: root
+ local_follow: no
+ mode: 0400
+ owner: root
+ src: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}"
+ become: yes
+ become_method: sudo
+ become_user: root
+ vars:
+ - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
+
+ - name: Install SSH host key
+ ansible.builtin.copy:
+ checksum: "{{ stat_ssh_spk.stat.checksum }}"
+ dest: "/etc/ssh/{{ vm_name }}-cert.pub"
+ group: root
+ local_follow: no
+ mode: 0444
+ owner: root
+ src: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}-cert.pub"
+ become: yes
+ become_method: sudo
+ become_user: root
+ vars:
+ - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
+
+ - name: Install sshd configuration
+ ansible.builtin.script:
+ cmd: "../shell/configure_sshd.sh '{{ ca_pk }}'"
+ become: yes
+ become_method: sudo
+ become_user: root
+ vars:
+ - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
+
+ - name: Switch user
+ set_fact:
+ ansible_user: "{{ ansible_user_original }}"
+ ansible_ssh_private_key_file: "{{ ansible_ssh_private_key_file_original }}"
+
+ - name: Test 2
+ ansible.builtin.raw: whoami
+
+ tags:
+ - init_ssh
+
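Review bot: Every task that talks to the new guest sets `ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'`, including the one that uploads the CA-signed host private key, so that key is sent to whatever answers on the address without any host verification. If the installer cannot publish its temporary host key fingerprint, at least pin the first key seen for the remaining tasks, e.g. `'-o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=<per-deployment known_hosts path>'` (the path is a placeholder). The private-key copy should also carry `no_log: true` or `diff: false` so that a `--diff` run cannot print the key. The task names are swapped: 'Install SSH host certificate' copies the private key `{{ vm_name }}` and 'Install SSH host key' copies `{{ vm_name }}-cert.pub`, and the `stat_ssh_cert`/`stat_ssh_spk` registers follow the same mix-up. The unquoted `mode: 0400` and `mode: 0444` would be safer quoted (`'0400'`, `'0444'`), as the other task files in this commit already do.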
diff --git a/ansible/deployment_poc/tasks/init_dns.yml b/ansible/deployment_poc/tasks/init_dns.yml
index d3259b9..3e8893f 100644
--- a/ansible/deployment_poc/tasks/init_dns.yml
+++ b/ansible/deployment_poc/tasks/init_dns.yml
@@ -4,4 +4,6 @@
vars:
dns_ip: "{{ item }}"
with_items: "{{ dns_servers }}"
+ tags:
+ - init_ssh
diff --git a/ansible/deployment_poc/tasks/init_dps.yml b/ansible/deployment_poc/tasks/init_dps.yml
index 43742b6..8cd2b5e 100644
--- a/ansible/deployment_poc/tasks/init_dps.yml
+++ b/ansible/deployment_poc/tasks/init_dps.yml
@@ -6,4 +6,5 @@
with_items: "{{ deployment_servers }}"
tags:
- init_dp
+ - init_ssh
diff --git a/ansible/deployment_poc/tasks/init_ssh.yml b/ansible/deployment_poc/tasks/init_ssh.yml
new file mode 100644
index 0000000..386c517
--- /dev/null
+++ b/ansible/deployment_poc/tasks/init_ssh.yml
@@ -0,0 +1,53 @@
+---
+- name: Initialize SSH host keys
+ block:
+ - name: Generate SSH host keypair
+ ansible.builtin.command:
+ argv:
+ - ssh-keygen
+ - -f
+ - "{{ ssh_ca_path }}/host_keys/{{ vm_name }}"
+ - -t
+ - ed25519
+ - -C
+ - "{{ vm_fqdn }}"
+ - -N
+ - ""
+ creates: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}"
+
+ - name: Evaluate certificate
+ ansible.builtin.stat:
+ path: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}"
+ get_attributes: no
+ register: stat_ssh_cert
+
+# - name: Sign SSH host key
+# ansible.builtin.command:
+# argv:
+# - ssh-keygen
+# - -s
+# - "{{ ssh_ca_path }}/{{ tenant }}"
+# - -I
+# - "{{ ssh_ca_prefix }} - {{ vm_fqdn }}"
+# - -hn
+# - "{{ vm_fqdn }}"
+# - "{{ ssh_ca_path }}/host_keys/{{ vm_name }}.pub"
+# creates: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}-cert.pub"
+
+ - name: Sign SSH host key
+ ansible.builtin.expect:
+ command: ssh-keygen -s "{{ ssh_ca_path }}/{{ tenant }}" -I "{{ ssh_ca_prefix }} - {{ vm_fqdn }}" -hn "{{ vm_fqdn }}" "{{ ssh_ca_path }}/host_keys/{{ vm_name }}.pub"
+ responses:
+ Enter passphrase: "{{ ca_pp }}"
+ timeout: 3
+ creates: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}-cert.pub"
+
+ - name: Evaluate public key
+ ansible.builtin.stat:
+ path: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}-cert.pub"
+ get_attributes: no
+ register: stat_ssh_spk
+
+ delegate_to: localhost
+ tags:
+ - init_ssh
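Review bot: The 'Sign SSH host key' task feeds the CA passphrase `{{ ca_pp }}` to `ansible.builtin.expect` without `no_log: true`, so the passphrase can appear in verbose output and in any callback or log that records task parameters; add `no_log: true` to that task. The `ssh-keygen -s` call also has no `-V` validity interval, so the host certificate never expires; something like `-V +52w` (the interval is an example) bounds the exposure if a host key leaks. The generated private key stays under `{{ ssh_ca_path }}/host_keys/` on the controller after deployment, so consider removing or archiving it once it is installed on the guest. 'Evaluate certificate' stats the private key and 'Evaluate public key' stats the certificate, so those two names should be corrected.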
diff --git a/ansible/deployment_poc/tasks/init_vm_console.yml b/ansible/deployment_poc/tasks/init_vm_console.yml
index 1007c90..a74fde6 100644
--- a/ansible/deployment_poc/tasks/init_vm_console.yml
+++ b/ansible/deployment_poc/tasks/init_vm_console.yml
@@ -35,5 +35,7 @@
- "{{ vm_name }}"
delegate_to: localhost
+ tags:
+ - init_ssh
diff --git a/ansible/deployment_poc/tasks/netbox_evaluate_cluster.yml b/ansible/deployment_poc/tasks/netbox_evaluate_cluster.yml
index f53eef1..e811291 100644
--- a/ansible/deployment_poc/tasks/netbox_evaluate_cluster.yml
+++ b/ansible/deployment_poc/tasks/netbox_evaluate_cluster.yml
@@ -28,17 +28,23 @@
when: host_status != 'active'
- name: Evaluate cluster host configuration
- set_fact:
- storage: "{{ host_choice.config_context.storage[0] }}"
- deployment_servers: "{{ host_choice.config_context.deployment_servers }}"
- dhcp_servers: "{{ host_choice.config_context.dhcp_servers }}"
- dns_servers: "{{ host_choice.config_context.dns_servers }}"
- namespace: "{{ host_choice.config_context.namespace }}"
- gateway: "{{ host_choice.config_context.gateway }}"
+ block:
+ - name: Cluster derived variables 1/2
+ set_fact:
+ storage: "{{ host_choice.config_context.storage[0] }}"
+ deployment_servers: "{{ host_choice.config_context.deployment_servers }}"
+ dhcp_servers: "{{ host_choice.config_context.dhcp_servers }}"
+ dns_servers: "{{ host_choice.config_context.dns_servers }}"
+ namespace: "{{ host_choice.config_context.namespace }}"
+ gateway: "{{ host_choice.config_context.gateway }}"
+ - name: Cluster derived variables 2/2
+ set_fact:
+ namespace_short: "{{ namespace.split('.')[0] }}"
when: host_status == 'active'
tags:
- init_dp
+ - init_ssh
rescue:
- name: Check retry counter
diff --git a/ansible/deployment_poc/tasks/netbox_evaluate_ip.yml b/ansible/deployment_poc/tasks/netbox_evaluate_ip.yml
index fd0399e..47ce9dc 100644
--- a/ansible/deployment_poc/tasks/netbox_evaluate_ip.yml
+++ b/ansible/deployment_poc/tasks/netbox_evaluate_ip.yml
@@ -6,6 +6,9 @@
ip_address_type: "existing"
ipid: "{{ nb_ip_1.json.results[0].id }}"
when: "nb_ip_1.status|int == 200 and nb_ip_1.json.count|int != 0 and (nb_ip_1.json.results[0].status is defined and nb_ip_1.json.results[0].status.value == 'active')"
+ tags:
+ - init_dp
+ - init_ssh
- name: Define new IP address
set_fact:
@@ -15,3 +18,4 @@
when: "nb_ip_2.status is defined and nb_ip_2.status|int == 200"
tags:
- init_dp
+ - init_ssh
diff --git a/ansible/deployment_poc/tasks/netbox_evaluate_prefix.yml b/ansible/deployment_poc/tasks/netbox_evaluate_prefix.yml
index e07aed9..6437d93 100644
--- a/ansible/deployment_poc/tasks/netbox_evaluate_prefix.yml
+++ b/ansible/deployment_poc/tasks/netbox_evaluate_prefix.yml
@@ -5,4 +5,5 @@
prefix_display: "{{ nb_prefix.json.results[0].display }}"
tags:
- init_dp
+ - init_ssh
diff --git a/ansible/deployment_poc/tasks/netbox_evaluate_site.yml b/ansible/deployment_poc/tasks/netbox_evaluate_site.yml
index d09d2cd..2e69e99 100644
--- a/ansible/deployment_poc/tasks/netbox_evaluate_site.yml
+++ b/ansible/deployment_poc/tasks/netbox_evaluate_site.yml
@@ -4,4 +4,5 @@
site_id: "{{ nb_site.json.results[0].id }}"
tags:
- init_dp
+ - init_ssh
diff --git a/ansible/deployment_poc/tasks/netbox_evaluate_vm.yml b/ansible/deployment_poc/tasks/netbox_evaluate_vm.yml
index c320bce..f0f584c 100644
--- a/ansible/deployment_poc/tasks/netbox_evaluate_vm.yml
+++ b/ansible/deployment_poc/tasks/netbox_evaluate_vm.yml
@@ -12,6 +12,7 @@
# disk: "{{ nb_vm.json.results[0].disk }}"
tags:
- init_dp
+ - init_ssh
- name: Pick metadata
set_fact:
@@ -24,4 +25,5 @@
# #tags: "{{ nb_vm.json.results[0].tags | sum(start=[]) | map(attribute='slug') }}"
tags:
- init_dp
+ - init_ssh
diff --git a/ansible/deployment_poc/tasks/netbox_query_cluster.yml b/ansible/deployment_poc/tasks/netbox_query_cluster.yml
index a5b6fe0..61fbc16 100644
--- a/ansible/deployment_poc/tasks/netbox_query_cluster.yml
+++ b/ansible/deployment_poc/tasks/netbox_query_cluster.yml
@@ -13,3 +13,4 @@
delegate_to: localhost
tags:
- init_dp
+ - init_ssh
diff --git a/ansible/deployment_poc/tasks/netbox_query_ip.yml b/ansible/deployment_poc/tasks/netbox_query_ip.yml
index a4cea59..f807e4f 100644
--- a/ansible/deployment_poc/tasks/netbox_query_ip.yml
+++ b/ansible/deployment_poc/tasks/netbox_query_ip.yml
@@ -11,6 +11,9 @@
Authorization: "Token {{ token }}"
register: nb_ip_1
delegate_to: localhost
+ tags:
+ - init_dp
+ - init_ssh
- name: Query available address
ansible.builtin.uri:
@@ -27,4 +30,5 @@
when: "nb_ip_1.json.count|int == 0 or (nb_ip_1.json.results[0].status is defined and nb_ip_1.json.results[0].status.value != 'active')"
tags:
- init_dp
+ - init_ssh
diff --git a/ansible/deployment_poc/tasks/netbox_query_prefix.yml b/ansible/deployment_poc/tasks/netbox_query_prefix.yml
index b039d7d..6a99d67 100644
--- a/ansible/deployment_poc/tasks/netbox_query_prefix.yml
+++ b/ansible/deployment_poc/tasks/netbox_query_prefix.yml
@@ -13,4 +13,5 @@
delegate_to: localhost
tags:
- init_dp
+ - init_ssh
diff --git a/ansible/deployment_poc/tasks/netbox_query_site.yml b/ansible/deployment_poc/tasks/netbox_query_site.yml
index 65ec180..29956b7 100644
--- a/ansible/deployment_poc/tasks/netbox_query_site.yml
+++ b/ansible/deployment_poc/tasks/netbox_query_site.yml
@@ -13,4 +13,5 @@
delegate_to: localhost
tags:
- init_dp
+ - init_ssh
diff --git a/ansible/deployment_poc/tasks/netbox_query_vm.yml b/ansible/deployment_poc/tasks/netbox_query_vm.yml
index bdf6acb..e7702ba 100644
--- a/ansible/deployment_poc/tasks/netbox_query_vm.yml
+++ b/ansible/deployment_poc/tasks/netbox_query_vm.yml
@@ -14,4 +14,5 @@
delegate_to: localhost
tags:
- init_dp
+ - init_ssh
diff --git a/ansible/deployment_poc/tasks/wait.yml b/ansible/deployment_poc/tasks/wait.yml
index 3f35e55..7d516ce 100644
--- a/ansible/deployment_poc/tasks/wait.yml
+++ b/ansible/deployment_poc/tasks/wait.yml
@@ -1,10 +1,14 @@
---
- name: Wait for guest to become alive
wait_for:
- delay: 240
+ #delay: 240
connect_timeout: 3
sleep: 15
port: 22
- host: '{{ vm_fqdn }}'
+ host: '{{ ip_address }}'
search_regex: OpenSSH
- connection: local
+ timeout: 900
+ #connection: local
+ delegate_to: localhost
+ tags:
+ - init_ssh
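Review bot: The hunk leaves `#delay: 240` and `#connection: local` behind as commented-out keys; delete them, since the history already keeps the old values. A short comment above `timeout: 900` saying that it bounds the unattended installation time would explain the number, e.g. `# guest OS installation may take up to 15 minutes`.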
diff --git a/ansible/deployment_poc/templates/nsd_zone.j2 b/ansible/deployment_poc/templates/nsd_zone.j2
index ddc44ab..2cd206c 100644
--- a/ansible/deployment_poc/templates/nsd_zone.j2
+++ b/ansible/deployment_poc/templates/nsd_zone.j2
@@ -1 +1,2 @@
-{{ vm_name }} IN A {{ ip_address }}
+{{ vm_name }} IN A {{ ip_address }}
+{{ vm_name }}.{{ namespace_short }} IN A {{ ip_address }}