From 2ce8450b893ad9f8a119a1ff24dcc7eb4ba78b82 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 13 Feb 2022 16:56:12 +0100
Subject: Bulk update

Signed-off-by: Georg Pfuetzenreuter
---
 ansible/deployment_poc/.gitignore | 1 +
 ansible/deployment_poc/playbooks/deploy.yml | 14 ++--
 ansible/deployment_poc/shell/configure_sshd.sh | 79 ++++++++++++++++++++++
 ansible/deployment_poc/tasks/configure_dns.yml | 12 ++++
 ansible/deployment_poc/tasks/configure_dps.yml | 3 +-
 ansible/deployment_poc/tasks/configure_libvirt.yml | 2 +-
 ansible/deployment_poc/tasks/configure_ssh.yml | 65 ++++++++++++++++++
 ansible/deployment_poc/tasks/init_dns.yml | 2 +
 ansible/deployment_poc/tasks/init_dps.yml | 1 +
 ansible/deployment_poc/tasks/init_ssh.yml | 53 +++++++++++++++
 ansible/deployment_poc/tasks/init_vm_console.yml | 2 +
 .../tasks/netbox_evaluate_cluster.yml | 20 ++++--
 .../deployment_poc/tasks/netbox_evaluate_ip.yml | 4 ++
 .../tasks/netbox_evaluate_prefix.yml | 1 +
 .../deployment_poc/tasks/netbox_evaluate_site.yml | 1 +
 .../deployment_poc/tasks/netbox_evaluate_vm.yml | 2 +
 .../deployment_poc/tasks/netbox_query_cluster.yml | 1 +
 ansible/deployment_poc/tasks/netbox_query_ip.yml | 4 ++
 .../deployment_poc/tasks/netbox_query_prefix.yml | 1 +
 ansible/deployment_poc/tasks/netbox_query_site.yml | 1 +
 ansible/deployment_poc/tasks/netbox_query_vm.yml | 1 +
 ansible/deployment_poc/tasks/wait.yml | 10 ++-
 ansible/deployment_poc/templates/nsd_zone.j2 | 3 +-
 23 files changed, 266 insertions(+), 17 deletions(-)
 create mode 100755 ansible/deployment_poc/shell/configure_sshd.sh
 create mode 100644 ansible/deployment_poc/tasks/configure_ssh.yml
 create mode 100644 ansible/deployment_poc/tasks/init_ssh.yml
diff --git a/ansible/deployment_poc/.gitignore b/ansible/deployment_poc/.gitignore
index 3dc880c..4a7710d 100644
--- a/ansible/deployment_poc/.gitignore
+++ b/ansible/deployment_poc/.gitignore
@@ -8,5 +8,6 @@ templates/generated/
 variables/deploy-variables.yml
 inventory.yml
 *.bak
+*.example
 *.old
 *.tgz
diff --git a/ansible/deployment_poc/playbooks/deploy.yml b/ansible/deployment_poc/playbooks/deploy.yml
index e8b43b0..4009b26 100644
--- a/ansible/deployment_poc/playbooks/deploy.yml
+++ b/ansible/deployment_poc/playbooks/deploy.yml
@@ -74,7 +74,7 @@
 block:
 - import_tasks: "../tasks/netbox_query_ip.yml"
 - import_tasks: "../tasks/netbox_evaluate_ip.yml"
- #no_log: true
+ no_log: true
 
 - name: Provision virtual machine
 import_tasks: "../tasks/configure_libvirt.yml"
@@ -93,7 +93,7 @@
 - import_tasks: "../tasks/netbox_init_interface.yml"
 - import_tasks: "../tasks/netbox_query_interface.yml"
 - import_tasks: "../tasks/netbox_evaluate_interface.yml"
- #no_log: true
+ no_log: true
 
 - name: Define IP address object in NetBox
 block:
@@ -103,8 +103,14 @@
 - name: Start VM and attach console
 import_tasks: "../tasks/init_vm_console.yml"
 
-# - name: Wait for guest OS installation
-# import_tasks: "../tasks/wait.yml"
+ - name: Initialize SSH CA
+ import_tasks: "../tasks/init_ssh.yml"
+
+ - name: Wait for guest OS installation
+ import_tasks: "../tasks/wait.yml"
+
+ - name: Configure SSH
+ import_tasks: "../tasks/configure_ssh.yml"
 
 always:
 
diff --git a/ansible/deployment_poc/shell/configure_sshd.sh b/ansible/deployment_poc/shell/configure_sshd.sh
new file mode 100755
index 0000000..2cf3ac4
--- /dev/null
+++ b/ansible/deployment_poc/shell/configure_sshd.sh
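Review bot: The new step is named `Initialize SSH CA`, but init_ssh.yml (added in this commit) generates a per-VM host key and has it signed by an existing CA; it does not create a CA, so the name misleads anyone reading the play to find where the CA key is managed. `- name: Generate and sign SSH host key` would match the file's own top-level task name `Initialize SSH host keys`. The surrounding play continues outside the hunk.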
@@ -0,0 +1,79 @@
+#!/bin/sh
+#
+# Deploys SSH client configuration for nodes with CA signed host certificates and CA based user authentication. Standalone nodes may not use this script.
+# Currently only designed for systemd based GNU/Linux distributions and OpenBSD. To-Do: support Sys-V init and Lukem RC based systems. To-Do 2: port this to Ansible deployment_poc.
+#
+# Author: Georg Pfuetzenreuter
+# Last edit: 13/02/2022
+
+PUBKEY="$1"
+
+
+get_ip_address () {
+ case $KERNEL in
+ "OpenBSD" ) ifconfig | grep -E 'inet.[0-9]' | grep -v '127.0.0.1' | awk '{ print $2}' | head -n1
+ ;;
+ "Linux" ) ip addr show eth0 | awk '$1 == "inet" {gsub(/\/.*$/, "", $2); print $2}'
+ ;;
+ esac
+
+}
+HOSTNAME=$(hostname -s)
+KERNEL=$(uname)
+IP_ADDRESS="$(get_ip_address)"
+if [ "$KERNEL" = "OpenBSD" ] || [ "$KERNEL" = "Linux" ]; then
+ if [ -f /etc/ssh/$HOSTNAME ] && [ -f /etc/ssh/$HOSTNAME-cert.pub ]; then
+ if [ ! -d /etc/ssh/old ]; then
+ mkdir /etc/ssh/old
+ fi
+ if [ -f /etc/ssh/ssh_known_hosts ]; then
+ mv /etc/ssh/ssh_known_hosts /etc/ssh/old/
+ fi
+ #if compgen -G "/etc/ssh/ssh_host_*" > /dev/null; then
+ #mv /etc/ssh/ssh_host_* /etc/ssh/old/
+ #fi
+ if [ -f /etc/ssh/ssh_host_rsa_key ]; then
+ mv /etc/ssh/ssh_host_* /etc/ssh/old/
+ fi
+ mv /etc/ssh/sshd_config /etc/ssh/old/
+ if [ -f /etc/ssh/ssh_config ]; then
+ mv /etc/ssh/ssh_config /etc/ssh/old/
+ fi
+ cat <<'EOF_SSHD_CONFIG' >/etc/ssh/sshd_config
+ListenAddress %%IP_ADDRESS%%
+Protocol 2
+SyslogFacility AUTH
+LogLevel FATAL
+
+HostKey /etc/ssh/%%HOSTNAME%%
+HostCertificate /etc/ssh/%%HOSTNAME%%-cert.pub
+TrustedUserCAKeys /etc/ssh/user_ca
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+AuthenticationMethods publickey
+
+LoginGraceTime 1m
+PermitRootLogin no
+StrictModes yes
+MaxAuthTries 1
+MaxSessions 3
+
+X11Forwarding no
+PrintMotd yes
+PrintLastLog yes
+EOF_SSHD_CONFIG
+ sed -i -e "s/%%IP_ADDRESS%%/$IP_ADDRESS/" -e "s/%%HOSTNAME%%/$HOSTNAME/" /etc/ssh/sshd_config
+ echo "$PUBKEY" > /etc/ssh/user_ca
+ case $KERNEL in
+ "OpenBSD" ) rcctl reload sshd
+ ;;
+ "Linux" ) systemctl reload sshd
+ ;;
+ esac
+ echo "OK"
+ else
+ echo "Missing host certificate and public key, copy them to /etc/ssh/ for me."
+ fi
+else
+ echo "Unsupported operating system, please configure sshd manually."
+fi
diff --git a/ansible/deployment_poc/tasks/configure_dns.yml b/ansible/deployment_poc/tasks/configure_dns.yml
index 6f1896c..9a28800 100644
--- a/ansible/deployment_poc/tasks/configure_dns.yml
+++ b/ansible/deployment_poc/tasks/configure_dns.yml
@@ -5,6 +5,8 @@
 set_fact:
 dns_fqdn: "{{ lookup('community.general.dig', dns_ip + '/PTR') }}"
 vm_fqdn: "{{ vm_name + '.' + namespace }}"
+ tags:
+ - init_ssh
 
 - name: Gather DNS hostname and zonename
 set_fact:
@@ -23,6 +25,16 @@
 path: "/var/nsd/zones/master/{{ zone }}.zone"
 when: dns_os == 'openbsd-x86_64'
 delegate_to: "{{ dns_host }}"
+
+ - name: Reload DNS zone
+ ansible.builtin.command:
+ argv:
+ - /usr/bin/doas
+ - nsd-control
+ - reload
+ - "{{ zone }}"
+ when: dhcp_os == 'openbsd-x86_64'
+ delegate_to: "{{ dns_host }}"
 
 - name: Insert DNS static host mapping
 vyos.vyos.vyos_config:
diff --git a/ansible/deployment_poc/tasks/configure_dps.yml b/ansible/deployment_poc/tasks/configure_dps.yml
index 1b610b0..3b56eef 100644
--- a/ansible/deployment_poc/tasks/configure_dps.yml
+++ b/ansible/deployment_poc/tasks/configure_dps.yml
@@ -37,9 +37,10 @@
 mode: '0444'
 when: dp_os == 'openbsd-x86_64'
 
- - name: Generate LUKS passphrase
+ - name: Generate LUKS passphrase #does not quite belong here
 set_fact:
 luks_passphrase: "{{ lookup('password', '/dev/null', length=15, chars=hexdigits, seed=inventory_hostname) }}"
+ no_log: true
 
 - name: Prepare unattended installation
 ansible.builtin.template:
diff --git a/ansible/deployment_poc/tasks/configure_libvirt.yml b/ansible/deployment_poc/tasks/configure_libvirt.yml
index 3b20529..bbcc80e 100644
--- a/ansible/deployment_poc/tasks/configure_libvirt.yml
+++ b/ansible/deployment_poc/tasks/configure_libvirt.yml
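Review bot: `ListenAddress %%IP_ADDRESS%%` is filled from `get_ip_address`, which on Linux only inspects `eth0` and otherwise prints nothing, so on a guest with a different interface name the generated sshd_config contains a bare `ListenAddress` and fails to parse — after the previous config has already been moved to /etc/ssh/old/, leaving the running daemon without a loadable configuration on its next restart; guard the rewrite before the `cat` heredoc with `[ -n "$IP_ADDRESS" ] || { echo "Could not determine IP address"; exit 1; }` and the same for `$HOSTNAME`. `LogLevel FATAL` suppresses the accepted/rejected-publickey records and certificate identities that auditing CA-based logins depends on; `INFO` is the OpenSSH default and `VERBOSE` additionally logs key fingerprints, so one of those is the defensible choice here. `TrustedUserCAKeys` is set without an `AuthorizedPrincipalsFile`, so any certificate from that CA whose principals include a local account name is accepted and the CA's signing policy becomes the only access control — worth stating in the header comment. The header also says the script deploys SSH *client* configuration while the body only writes sshd_config and reloads sshd; suggest `# Deploys sshd configuration for nodes with CA signed host certificates and CA based user authentication.`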
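Review bot: The new `Reload DNS zone` task is conditioned on `dhcp_os == 'openbsd-x86_64'` while the zone-file task directly above it, which it is meant to follow, keys off `dns_os` (both delegate to `{{ dns_host }}`), so whenever the DHCP and DNS hosts run different platforms the freshly written zone is either never reloaded or the reload is attempted on a non-OpenBSD DNS host. The condition should read `when: dns_os == 'openbsd-x86_64'`. The enclosing task list continues outside the hunk.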
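Review bot: `no_log: true` keeps the LUKS passphrase out of the play output, but the lookup is still seeded with `inventory_hostname`, so the value is a deterministic function of a non-secret name plus the visible lookup parameters and is reproducible by anyone who can read this file and the inventory; the `#does not quite belong here` comment half-acknowledges the problem without naming it. If reproducibility is the requirement, seed from a vault-protected variable instead of the hostname; otherwise generate once and persist the value in a secret store. Either way a comment on the task stating which model is intended would help the next reader, e.g. `# passphrase is deterministic from the seed; protect the seed as a secret`.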
@@ -51,7 +51,7 @@
 - name: Create domain template
 ansible.builtin.template:
 src: "../templates/libvirt-template.xml.j2"
- dest: "../templates/libvirt-{{ inventory_hostname }}.xml"
+ dest: "../templates/generated/libvirt-{{ inventory_hostname }}.xml"
 group: lysergic
 mode: '0660'
 
diff --git a/ansible/deployment_poc/tasks/configure_ssh.yml b/ansible/deployment_poc/tasks/configure_ssh.yml
new file mode 100644
index 0000000..d47b004
--- /dev/null
+++ b/ansible/deployment_poc/tasks/configure_ssh.yml
@@ -0,0 +1,65 @@
+---
+- name: Configure SSH server
+ block:
+ - name: Switch user
+ set_fact:
+ ansible_user_original: "{{ lookup('env', 'USER') }}"
+ ansible_ssh_private_key_file_original: "{{ ansible_ssh_private_key_file }}"
+ ansible_user: install
+ ansible_ssh_private_key_file: "{{ installkey }}"
+
+ - name: Test 1
+ ansible.builtin.raw: whoami
+ vars:
+ - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
+
+ - name: Install SSH host certificate
+ ansible.builtin.copy:
+ checksum: "{{ stat_ssh_cert.stat.checksum }}"
+ dest: "/etc/ssh/{{ vm_name }}"
+ group: root
+ local_follow: no
+ mode: 0400
+ owner: root
+ src: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}"
+ become: yes
+ become_method: sudo
+ become_user: root
+ vars:
+ - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
+
+ - name: Install SSH host key
+ ansible.builtin.copy:
+ checksum: "{{ stat_ssh_spk.stat.checksum }}"
+ dest: "/etc/ssh/{{ vm_name }}-cert.pub"
+ group: root
+ local_follow: no
+ mode: 0444
+ owner: root
+ src: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}-cert.pub"
+ become: yes
+ become_method: sudo
+ become_user: root
+ vars:
+ - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
+
+ - name: Install sshd configuration
+ ansible.builtin.script:
+ cmd: "../shell/configure_sshd.sh '{{ ca_pk }}'"
+ become: yes
+ become_method: sudo
+ become_user: root
+ vars:
+ - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
+
+ - name: Switch user
+ set_fact:
+ ansible_user: "{{ ansible_user_original }}"
+ ansible_ssh_private_key_file: "{{ ansible_ssh_private_key_file_original }}"
+
+ - name: Test 2
+ ansible.builtin.raw: whoami
+
+ tags:
+ - init_ssh
+
diff --git a/ansible/deployment_poc/tasks/init_dns.yml b/ansible/deployment_poc/tasks/init_dns.yml
index d3259b9..3e8893f 100644
--- a/ansible/deployment_poc/tasks/init_dns.yml
+++ b/ansible/deployment_poc/tasks/init_dns.yml
@@ -4,4 +4,6 @@
 vars:
 dns_ip: "{{ item }}"
 with_items: "{{ dns_servers }}"
+ tags:
+ - init_ssh
 
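Review bot: The task names and registered facts are swapped relative to what they copy: `Install SSH host certificate` copies `host_keys/{{ vm_name }}` (the private host key, checksummed as `stat_ssh_cert`) while `Install SSH host key` copies `{{ vm_name }}-cert.pub` (the certificate, as `stat_ssh_spk`); renaming them `Install SSH host private key` / `Install SSH host certificate` would stop a reviewer misreading the 0400 vs 0444 modes as being on the wrong files. Every connection in the block sets `-o StrictHostKeyChecking=no`, including the one that transfers the private host key before any CA-signed certificate exists on the guest, so the controller performs no host-identity check for exactly the transfer that most needs one; a mitigation is to record the guest's initial host key during the console stage and hand it to these tasks via a known_hosts entry instead of disabling the check. `ansible_user_original` is taken from the controller's `USER` environment variable rather than the effective `ansible_user`, so if the inventory sets a different remote user the second `Switch user` restores the wrong one — presumably `"{{ ansible_user }}"` was intended (it may be undefined when no inventory user is set, which would need a default). The task `vars:` are written as lists (`- ansible_ssh_extra_args: …`) whereas Ansible documents task vars as a mapping; `ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'` is the unambiguous form.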
diff --git a/ansible/deployment_poc/tasks/init_dps.yml b/ansible/deployment_poc/tasks/init_dps.yml
index 43742b6..8cd2b5e 100644
--- a/ansible/deployment_poc/tasks/init_dps.yml
+++ b/ansible/deployment_poc/tasks/init_dps.yml
@@ -6,4 +6,5 @@
 with_items: "{{ deployment_servers }}"
 tags:
 - init_dp
+ - init_ssh
 
diff --git a/ansible/deployment_poc/tasks/init_ssh.yml b/ansible/deployment_poc/tasks/init_ssh.yml
new file mode 100644
index 0000000..386c517
--- /dev/null
+++ b/ansible/deployment_poc/tasks/init_ssh.yml
@@ -0,0 +1,53 @@
+---
+- name: Initialize SSH host keys
+ block:
+ - name: Generate SSH host keypair
+ ansible.builtin.command:
+ argv:
+ - ssh-keygen
+ - -f
+ - "{{ ssh_ca_path }}/host_keys/{{ vm_name }}"
+ - -t
+ - ed25519
+ - -C
+ - "{{ vm_fqdn }}"
+ - -N
+ - ""
+ creates: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}"
+
+ - name: Evaluate certificate
+ ansible.builtin.stat:
+ path: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}"
+ get_attributes: no
+ register: stat_ssh_cert
+
+# - name: Sign SSH host key
+# ansible.builtin.command:
+# argv:
+# - ssh-keygen
+# - -s
+# - "{{ ssh_ca_path }}/{{ tenant }}"
+# - -I
+# - "{{ ssh_ca_prefix }} - {{ vm_fqdn }}"
+# - -hn
+# - "{{ vm_fqdn }}"
+# - "{{ ssh_ca_path }}/host_keys/{{ vm_name }}.pub"
+# creates: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}-cert.pub"
+
+ - name: Sign SSH host key
+ ansible.builtin.expect:
+ command: ssh-keygen -s "{{ ssh_ca_path }}/{{ tenant }}" -I "{{ ssh_ca_prefix }} - {{ vm_fqdn }}" -hn "{{ vm_fqdn }}" "{{ ssh_ca_path }}/host_keys/{{ vm_name }}.pub"
+ responses:
+ Enter passphrase: "{{ ca_pp }}"
+ timeout: 3
+ creates: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}-cert.pub"
+
+ - name: Evaluate public key
+ ansible.builtin.stat:
+ path: "{{ ssh_ca_path }}/host_keys/{{ vm_name }}-cert.pub"
+ get_attributes: no
+ register: stat_ssh_spk
+
+ delegate_to: localhost
+ tags:
+ - init_ssh
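Review bot: The `Sign SSH host key` task hands the CA passphrase `{{ ca_pp }}` to `ansible.builtin.expect` but carries no `no_log: true`, so the module arguments — passphrase included — are printed in verbose runs and reach any configured callback or logging plugin; add `no_log: true` to this task. The signing command passes no `-V` validity interval, so the host certificate never expires and nothing forces rotation; `ssh-keygen -V +52w` (or whatever lifetime the CA policy sets) would give the certificate a bounded life. The commented-out `ansible.builtin.command` variant above the live task duplicates it and should be deleted rather than kept as history, since the repository already records it. The `Evaluate certificate` / `Evaluate public key` names are inverted relative to the paths they stat (the first stats the private key, the second the certificate); matching the names to the files avoids confusion in configure_ssh.yml where the registered facts are consumed.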
diff --git a/ansible/deployment_poc/tasks/init_vm_console.yml b/ansible/deployment_poc/tasks/init_vm_console.yml index 1007c90..a74fde6 100644 --- a/ansible/deployment_poc/tasks/init_vm_console.yml +++ b/ansible/deployment_poc/tasks/init_vm_console.yml @@ -35,5 +35,7 @@ - "{{ vm_name }}" delegate_to: localhost + tags: + - init_ssh diff --git a/ansible/deployment_poc/tasks/netbox_evaluate_cluster.yml b/ansible/deployment_poc/tasks/netbox_evaluate_cluster.yml index f53eef1..e811291 100644 --- a/ansible/deployment_poc/tasks/netbox_evaluate_cluster.yml +++ b/ansible/deployment_poc/tasks/netbox_evaluate_cluster.yml @@ -28,17 +28,23 @@ when: host_status != 'active' - name: Evaluate cluster host configuration - set_fact: - storage: "{{ host_choice.config_context.storage[0] }}" - deployment_servers: "{{ host_choice.config_context.deployment_servers }}" - dhcp_servers: "{{ host_choice.config_context.dhcp_servers }}" - dns_servers: "{{ host_choice.config_context.dns_servers }}" - namespace: "{{ host_choice.config_context.namespace }}" - gateway: "{{ host_choice.config_context.gateway }}" + block: + - name: Cluster derived variables 1/2 + set_fact: + storage: "{{ host_choice.config_context.storage[0] }}" + deployment_servers: "{{ host_choice.config_context.deployment_servers }}" + dhcp_servers: "{{ host_choice.config_context.dhcp_servers }}" + dns_servers: "{{ host_choice.config_context.dns_servers }}" + namespace: "{{ host_choice.config_context.namespace }}" + gateway: "{{ host_choice.config_context.gateway }}" + - name: Cluster derived variables 2/2 + set_fact: + namespace_short: "{{ namespace.split('.')[0] }}" when: host_status == 'active' tags: - init_dp + - init_ssh rescue: - name: Check retry counter diff --git a/ansible/deployment_poc/tasks/netbox_evaluate_ip.yml b/ansible/deployment_poc/tasks/netbox_evaluate_ip.yml index fd0399e..47ce9dc 100644 --- a/ansible/deployment_poc/tasks/netbox_evaluate_ip.yml +++ b/ansible/deployment_poc/tasks/netbox_evaluate_ip.yml 
@@ -6,6 +6,9 @@
 ip_address_type: "existing"
 ipid: "{{ nb_ip_1.json.results[0].id }}"
 when: "nb_ip_1.status|int == 200 and nb_ip_1.json.count|int != 0 and (nb_ip_1.json.results[0].status is defined and nb_ip_1.json.results[0].status.value == 'active')"
+ tags:
+ - init_dp
+ - init_ssh
 
 - name: Define new IP address
 set_fact:
@@ -15,3 +18,4 @@
 when: "nb_ip_2.status is defined and nb_ip_2.status|int == 200"
 tags:
 - init_dp
+ - init_ssh
diff --git a/ansible/deployment_poc/tasks/netbox_evaluate_prefix.yml b/ansible/deployment_poc/tasks/netbox_evaluate_prefix.yml
index e07aed9..6437d93 100644
--- a/ansible/deployment_poc/tasks/netbox_evaluate_prefix.yml
+++ b/ansible/deployment_poc/tasks/netbox_evaluate_prefix.yml
@@ -5,4 +5,5 @@
 prefix_display: "{{ nb_prefix.json.results[0].display }}"
 tags:
 - init_dp
+ - init_ssh
 
diff --git a/ansible/deployment_poc/tasks/netbox_evaluate_site.yml b/ansible/deployment_poc/tasks/netbox_evaluate_site.yml
index d09d2cd..2e69e99 100644
--- a/ansible/deployment_poc/tasks/netbox_evaluate_site.yml
+++ b/ansible/deployment_poc/tasks/netbox_evaluate_site.yml
@@ -4,4 +4,5 @@
 site_id: "{{ nb_site.json.results[0].id }}"
 tags:
 - init_dp
+ - init_ssh
 
diff --git a/ansible/deployment_poc/tasks/netbox_evaluate_vm.yml b/ansible/deployment_poc/tasks/netbox_evaluate_vm.yml
index c320bce..f0f584c 100644
--- a/ansible/deployment_poc/tasks/netbox_evaluate_vm.yml
+++ b/ansible/deployment_poc/tasks/netbox_evaluate_vm.yml
@@ -12,6 +12,7 @@
 # disk: "{{ nb_vm.json.results[0].disk }}"
 tags:
 - init_dp
+ - init_ssh
 
 - name: Pick metadata
 set_fact:
@@ -24,4 +25,5 @@
 # #tags: "{{ nb_vm.json.results[0].tags | sum(start=[]) | map(attribute='slug') }}"
 tags:
 - init_dp
+ - init_ssh
 
diff --git a/ansible/deployment_poc/tasks/netbox_query_cluster.yml b/ansible/deployment_poc/tasks/netbox_query_cluster.yml
index a5b6fe0..61fbc16 100644
--- a/ansible/deployment_poc/tasks/netbox_query_cluster.yml
+++ b/ansible/deployment_poc/tasks/netbox_query_cluster.yml
@@ -13,3 +13,4 @@
 delegate_to: localhost
 tags:
 - init_dp
+ - init_ssh
diff --git a/ansible/deployment_poc/tasks/netbox_query_ip.yml b/ansible/deployment_poc/tasks/netbox_query_ip.yml
index a4cea59..f807e4f 100644
--- a/ansible/deployment_poc/tasks/netbox_query_ip.yml
+++ b/ansible/deployment_poc/tasks/netbox_query_ip.yml
@@ -11,6 +11,9 @@
 Authorization: "Token {{ token }}"
 register: nb_ip_1
 delegate_to: localhost
+ tags:
+ - init_dp
+ - init_ssh
 
 - name: Query available address
 ansible.builtin.uri:
@@ -27,4 +30,5 @@
 when: "nb_ip_1.json.count|int == 0 or (nb_ip_1.json.results[0].status is defined and nb_ip_1.json.results[0].status.value != 'active')"
 tags:
 - init_dp
+ - init_ssh
 
diff --git a/ansible/deployment_poc/tasks/netbox_query_prefix.yml b/ansible/deployment_poc/tasks/netbox_query_prefix.yml
index b039d7d..6a99d67 100644
--- a/ansible/deployment_poc/tasks/netbox_query_prefix.yml
+++ b/ansible/deployment_poc/tasks/netbox_query_prefix.yml
@@ -13,4 +13,5 @@
 delegate_to: localhost
 tags:
 - init_dp
+ - init_ssh
 
diff --git a/ansible/deployment_poc/tasks/netbox_query_site.yml b/ansible/deployment_poc/tasks/netbox_query_site.yml
index 65ec180..29956b7 100644
--- a/ansible/deployment_poc/tasks/netbox_query_site.yml
+++ b/ansible/deployment_poc/tasks/netbox_query_site.yml
@@ -13,4 +13,5 @@
 delegate_to: localhost
 tags:
 - init_dp
+ - init_ssh
 
diff --git a/ansible/deployment_poc/tasks/netbox_query_vm.yml b/ansible/deployment_poc/tasks/netbox_query_vm.yml
index bdf6acb..e7702ba 100644
--- a/ansible/deployment_poc/tasks/netbox_query_vm.yml
+++ b/ansible/deployment_poc/tasks/netbox_query_vm.yml
@@ -14,4 +14,5 @@
 delegate_to: localhost
 tags:
 - init_dp
+ - init_ssh
 
diff --git a/ansible/deployment_poc/tasks/wait.yml b/ansible/deployment_poc/tasks/wait.yml
index 3f35e55..7d516ce 100644
--- a/ansible/deployment_poc/tasks/wait.yml
+++ b/ansible/deployment_poc/tasks/wait.yml
@@ -1,10 +1,14 @@
 ---
 - name: Wait for guest to become alive
 wait_for:
- delay: 240
+ #delay: 240
 connect_timeout: 3
 sleep: 15
 port: 22
- host: '{{ vm_fqdn }}'
+ host: '{{ ip_address }}'
 search_regex: OpenSSH
- connection: local
+ timeout: 900
+ #connection: local
+ delegate_to: localhost
+ tags:
+ - init_ssh
diff --git a/ansible/deployment_poc/templates/nsd_zone.j2 b/ansible/deployment_poc/templates/nsd_zone.j2
index ddc44ab..2cd206c 100644
--- a/ansible/deployment_poc/templates/nsd_zone.j2
+++ b/ansible/deployment_poc/templates/nsd_zone.j2
@@ -1 +1,2 @@
-{{ vm_name }} IN A {{ ip_address }}
+{{ vm_name }} IN A {{ ip_address }}
+{{ vm_name }}.{{ namespace_short }} IN A {{ ip_address }}
-- 
cgit v1.2.3
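Review bot: Two settings are turned into comments (`#delay: 240`, `#connection: local`) rather than removed, which leaves dead configuration the reader has to reason about each time; git history already preserves the old values, so drop the two lines. Switching `host` to `{{ ip_address }}` removes the dependency on DNS having converged, which is sensible, but the `search_regex: OpenSSH` banner match only shows that some sshd answers at that address, not that it is the intended guest — host identity is only established by the certificate installed in the following configure_ssh step, and a one-line comment such as `# liveness only; host identity is verified in configure_ssh.yml` would make that explicit.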