114 lines
3.2 KiB
YAML
114 lines
3.2 KiB
YAML
- name: Generate user key pair
|
|
openssh_keypair:
|
|
path: /etc/ssh/ssh_user_ed25519_key
|
|
type: ed25519
|
|
comment: "{{ ansible_fqdn }}"
|
|
register: user_key
|
|
|
|
- name: Check whether user certificate exists
|
|
stat:
|
|
path: /etc/ssh/ssh_user_ed25519_key-cert.pub
|
|
register: cert_stat
|
|
|
|
- name: Generate SSH user certificate
|
|
command:
|
|
cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@atlas.hyp '/root/ssh_ca/ssh_ca.sh user hyp_user \"{{ user_key.public_key }}\" {{ ansible_fqdn }} \"hypervisor\"'"
|
|
register: user_certificate
|
|
delegate_to: localhost
|
|
when: not cert_stat.stat.exists
|
|
|
|
- name: Place user certificate
|
|
copy:
|
|
dest: /etc/ssh/ssh_user_ed25519_key-cert.pub
|
|
content: "{{ user_certificate.stdout }}"
|
|
mode: 0644
|
|
when: not cert_stat.stat.exists
|
|
|
|
- name: Enable user certificate
|
|
copy:
|
|
src: "{{ role_path }}/files/ssh_user_certificate.conf"
|
|
dest: /etc/ssh/ssh_config.d/user_certificate.conf
|
|
|
|
- name: Install Borg
|
|
apt:
|
|
pkg:
|
|
- borgbackup
|
|
- borgmatic
|
|
|
|
- name: Copy Borgmatic script
|
|
template:
|
|
src: "{{ role_path }}/files/backup.yml"
|
|
dest: /root/backup.yml
|
|
|
|
- name: Copy start_vms.sh
|
|
copy:
|
|
src: "{{ role_path }}/files/start_vms.sh"
|
|
dest: /root/start_vms.sh
|
|
mode: preserve
|
|
|
|
- name: Copy stop_vms.sh
|
|
copy:
|
|
src: "{{ role_path }}/files/stop_vms.sh"
|
|
dest: /root/stop_vms.sh
|
|
mode: preserve
|
|
|
|
- name: Copy systemd backup unit
|
|
copy:
|
|
src: "{{ role_path }}/files/backup.service"
|
|
dest: /etc/systemd/system/backup.service
|
|
notify: systemd daemon reload
|
|
|
|
- name: Copy systemd backup timer
|
|
copy:
|
|
src: "{{ role_path }}/files/backup.timer"
|
|
dest: /etc/systemd/system/backup.timer
|
|
notify: systemd daemon reload
|
|
|
|
- name: Enable backup timer
|
|
systemd:
|
|
name: backup.timer
|
|
enabled: true
|
|
state: started
|
|
|
|
- name: Add SSH host CA known host
|
|
known_hosts:
|
|
key: '@cert-authority *.dmz ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x Host Certficate Authority for DMZ'
|
|
name: '@cert-authority *.dmz'
|
|
path: /etc/ssh/ssh_known_hosts
|
|
|
|
- name: Add SSH host CA known host
|
|
known_hosts:
|
|
key: '@cert-authority *.hyp ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzRkH3d/KVJQouswY/DMpenWbDFVOnI3Vut0xR0e1tb Host Certficate Authority for HYP'
|
|
name: '@cert-authority *.hyp'
|
|
path: /etc/ssh/ssh_known_hosts
|
|
|
|
- name: Generate host key pair
|
|
openssh_keypair:
|
|
path: /etc/ssh/ssh_host_ed25519_key
|
|
type: ed25519
|
|
comment: "{{ ansible_host }}"
|
|
register: host_key
|
|
|
|
- name: Check whether host certificate exists
|
|
stat:
|
|
path: /etc/ssh/ssh_host_ed25519_key-cert.pub
|
|
register: cert_stat
|
|
|
|
- name: Generate SSH host certificate
|
|
command:
|
|
cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@atlas.hyp '/root/ssh_ca/ssh_ca.sh host hyp_host \"{{ host_key.public_key }}\" {{ ansible_host }}'"
|
|
register: host_certificate
|
|
delegate_to: localhost
|
|
when: not cert_stat.stat.exists
|
|
|
|
- name: Place host certificate
|
|
copy:
|
|
dest: /etc/ssh/ssh_host_ed25519_key-cert.pub
|
|
content: "{{ host_certificate.stdout }}"
|
|
mode: 0644
|
|
when: not cert_stat.stat.exists
|
|
|
|
- name: Enable host certificate
|
|
copy:
|
|
dest: /etc/ssh/sshd_config.d/sshd_host_certificate.conf
|
|
content: "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"
|