---
# Generate SSH Keys for Admin Users
#
# Key pairs are created on the control node (every task below uses
# delegate_to: localhost) under ssh_keys_local_dir/<inventory_hostname>/ and
# only the public half is pushed to the managed host. The private keys
# therefore stay on the control node; that directory is the asset to protect.
#
# Variables these tasks reference (defined outside this file):
#   ssh_keys_local_dir  - base directory on the control node for generated keys
#   admin_users         - list of mappings carrying username, generate_keys, state
#   ssh_key_type        - key algorithm handed to openssh_keypair (e.g. 'rsa')
#   ssh_key_bits        - key size, consulted only when ssh_key_type == 'rsa'

- name: Create local SSH keys directory on control node
  delegate_to: localhost
  run_once: false  # one directory per inventory host, so run for each host
  ansible.builtin.file:
    path: "{{ ssh_keys_local_dir }}/{{ inventory_hostname }}"
    state: directory
    mode: "0700"  # private keys land here; owner-only access
- name: Generate SSH key pairs on control node
  delegate_to: localhost
  run_once: false
  # Both conditions must hold: the user opted in to key generation and is not
  # being removed.
  when: item.generate_keys | default(false) and item.state | default('present') == 'present'
  loop: "{{ admin_users }}"
  loop_control:
    label: "{{ item.username }}"
  register: generated_keys  # not consumed by the other tasks in this file
  community.crypto.openssh_keypair:
    path: "{{ ssh_keys_local_dir }}/{{ inventory_hostname }}/{{ item.username }}_id_{{ ssh_key_type }}"
    type: "{{ ssh_key_type }}"
    # size is only meaningful for RSA; omit it otherwise so the module default applies
    size: "{{ ssh_key_bits if ssh_key_type == 'rsa' else omit }}"
    comment: "{{ item.username }}@{{ inventory_hostname }}"
    # state: present is idempotent - a key file that already matches the requested
    # type/size is left in place, so re-running this task does not rotate keys.
    state: present
- name: Read generated public keys
  delegate_to: localhost
  run_once: false
  # Same selection as the key-generation task so the two loops line up.
  when: item.generate_keys | default(false) and item.state | default('present') == 'present'
  loop: "{{ admin_users }}"
  loop_control:
    label: "{{ item.username }}"
  # slurp returns the file body base64-encoded in .content; the consumer decodes it.
  register: public_keys
  ansible.builtin.slurp:
    src: "{{ ssh_keys_local_dir }}/{{ inventory_hostname }}/{{ item.username }}_id_{{ ssh_key_type }}.pub"
- name: Add generated public keys to authorized_keys
  # Iterates the registered slurp results; each entry wraps the original
  # admin_users element as item.item.
  loop: "{{ public_keys.results }}"
  loop_control:
    label: "{{ item.item.username }}"
  # Skipped loop entries carry no content, so guard on both.
  when: not (item.skipped | default(false)) and item.content is defined
  # Runs on the managed host (no delegate_to). Only adds keys; nothing here
  # prunes previously deployed keys, so rotation must remove old entries separately.
  ansible.posix.authorized_key:
    user: "{{ item.item.username }}"
    key: "{{ item.content | b64decode }}"
    state: present
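- name: Create SSH key summary file
  ansible.builtin.copy:
    dest: "{{ ssh_keys_local_dir }}/{{ inventory_hostname }}/README.md"
    # Templated on the control node. The user loop applies the same
    # generate_keys/state filter as the key-generation task so the README only
    # lists key files that were actually produced.
    # NOTE(review): ansible_date_time is a gathered fact; presumably facts are
    # gathered by the playbook - confirm.
    content: |
      # SSH Keys for {{ inventory_hostname }}

      Generated: {{ ansible_date_time.iso8601 }}

      ## Admin Users

      {% for user in admin_users %}
      {% if user.generate_keys | default(false) and user.state | default('present') == 'present' %}
      ### {{ user.username }}

      - **Private Key**: `{{ user.username }}_id_{{ ssh_key_type }}`
      - **Public Key**: `{{ user.username }}_id_{{ ssh_key_type }}.pub`
      - **Comment**: {{ user.username }}@{{ inventory_hostname }}

      **Usage**:
      ```bash
      # Copy private key from the control node to your machine
      scp <control-node>:{{ ssh_keys_local_dir }}/{{ inventory_hostname }}/{{ user.username }}_id_{{ ssh_key_type }} ~/.ssh/

      # Set correct permissions
      chmod 600 ~/.ssh/{{ user.username }}_id_{{ ssh_key_type }}

      # SSH to server
      ssh -i ~/.ssh/{{ user.username }}_id_{{ ssh_key_type }} {{ user.username }}@{{ inventory_hostname }}
      ```

      {% endif %}
      {% endfor %}

      ## Security Notes

      - Private keys are stored on the Ansible control node only
      - Public keys are deployed to the servers
      - Keep private keys secure and never commit to git
      - Rotate keys regularly (every 90 days recommended)

      ## Key Rotation

      To rotate keys:
      1. Remove the existing key pair from `{{ ssh_keys_local_dir }}/{{ inventory_hostname }}` on the control node (or run the keypair task with `force: true`) and re-run the playbook - re-running alone keeps an existing key because `state: present` is idempotent
      2. Test new keys work
      3. Remove old keys from authorized_keys (the deploy task only adds keys)
      4. Delete old private keys securely
    mode: '0600'
  delegate_to: localhost
  run_once: false
  # Only write the summary when at least one user requested key generation.
  when: admin_users | selectattr('generate_keys', 'defined') | selectattr('generate_keys') | list | length > 0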