known-hosts: revisit the role (#610)

* remove README.rst * avoid duplicate entries in the destination file * avoid comments in the destination file * make use of static entries possible It's now possible to add a known_hosts parameter to the host_vars to set static known hosts entries for a specific host. When this parameter is set ssh-keygen will not be used to generate the known hosts entries on the fly. ``` known_hosts: - ssh-rsa AAAAB3NzaC1y... - ecdsa-sha2-nistp256 AAAAE2VjZHN... - ssh-ed25519 AAAAC3NzaC1... ``` * make use of extra entries possible It's now possible to add a known_hosts_extra parameter as extra var e.g. in environments/configuration.yml to add additional entries. ``` known_hosts_extra: - testbed-node-1.testbed.osism.xyz ssh-rsa AAAAB3Nza... ``` Signed-off-by: Christian Berendt <berendt@osism.tech>
osism · Mar 26, 2024 · f3fea2a · f3fea2a
1 parent d7e18fe
commit f3fea2a
Show file tree

Hide file tree

Showing 5 changed files with 80 additions and 29 deletions.
diff --git a/roles/known_hosts/README.rst b/roles/known_hosts/README.rst
diff --git a/roles/known_hosts/defaults/main.yml b/roles/known_hosts/defaults/main.yml
@@ -11,3 +11,6 @@ operator_group: "{{ operator_user }}"
 known_hosts_group_name: all
 known_hosts_list: "{{ groups[known_hosts_group_name] }}"
 known_hosts_destination: "/home/{{ operator_user }}/.ssh"
+
+known_hosts: []
+known_hosts_extra: []
diff --git a/roles/known_hosts/tasks/main.yml b/roles/known_hosts/tasks/main.yml
@@ -1,14 +1,56 @@
 ---
-- name: Run ssh-keyscan for all hosts (hostname)
-  ansible.builtin.shell: "ssh-keyscan {{ item }}  >> {{ known_hosts_destination }}/known_hosts"
+- name: Run ssh-keyscan for all hosts with hostname
+  ansible.builtin.command: "ssh-keyscan {{ item }}"
   loop: "{{ known_hosts_list }}"
   changed_when: false
+  when:
+    - hostvars[item]['known_hosts'] is not defined
+  register: result
 
-- name: Run ssh-keyscan for all hosts (ansible_host)
-  ansible.builtin.shell: "ssh-keyscan {{ hostvars[item]['ansible_host'] }}  >> {{ known_hosts_destination }}/known_hosts"
+- name: Write scanned known_hosts entries for all hosts with hostname
+  ansible.builtin.include_tasks:
+    file: write-scanned.yml
+  loop: "{{ result['results'] }}"
+  loop_control:
+    label: "Scanned entries of {{ item['item'] }}"
+  when:
+    - result is defined
+
+- name: Run ssh-keyscan for all hosts with ansible_host
+  ansible.builtin.command: "ssh-keyscan {{ hostvars[item]['ansible_host'] }}"
   loop: "{{ known_hosts_list }}"
   changed_when: false
-  when: hostvars[item]['ansible_host'] is defined
+  when:
+    - hostvars[item]['ansible_host'] is defined
+    - hostvars[item]['known_hosts'] is not defined
+  register: result
+
+- name: Write scanned known_hosts entries for all hosts with ansible_host
+  ansible.builtin.include_tasks:
+    file: write-scanned.yml
+  loop: "{{ result['results'] }}"
+  loop_control:
+    label: "Scanned entries of {{ item['item'] }}"
+  when:
+    - result is defined
+
+- name: Write static known_hosts entries
+  ansible.builtin.include_tasks:
+    file: write-static.yml
+  loop: "{{ known_hosts_list }}"
+  when:
+    - hostvars[item]['known_hosts'] is defined
+    - hostvars[item]['known_hosts'] | length
+
+- name: Write extra known_hosts entries
+  ansible.builtin.known_hosts:
+    path: "{{ known_hosts_destination }}/known_hosts"
+    name: "{{ item.split(' ') | first }}"
+    key: "{{ item }}"
+  loop: "{{ known_hosts_extra }}"
+  when:
+    - known_hosts_extra is defined
+    - known_hosts_extra | length
 
 - name: Set file permissions
   ansible.builtin.file:

diff --git a/roles/known_hosts/tasks/write-scanned.yml b/roles/known_hosts/tasks/write-scanned.yml
@@ -0,0 +1,12 @@
+---
+- name: Write scanned known_hosts entries
+  ansible.builtin.known_hosts:
+    path: "{{ known_hosts_destination }}/known_hosts"
+    name: "{{ inner_item.split(' ') | first }}"
+    key: "{{ inner_item }}"
+  loop: "{{ item['stdout_lines'] }}"
+  loop_control:
+    loop_var: inner_item
+  when:
+    - item['stdout_lines'] is defined
+    - item['stdout_lines'] | length
diff --git a/roles/known_hosts/tasks/write-static.yml b/roles/known_hosts/tasks/write-static.yml
@@ -0,0 +1,18 @@
+---
+- name: Write static known_hosts entries with hostname
+  ansible.builtin.known_hosts:
+    path: "{{ known_hosts_destination }}/known_hosts"
+    name: "{{ item }}"
+    key: "{{ item }} {{ inner_item }}"
+  loop_control:
+    loop_var: inner_item
+  loop: "{{ hostvars[item]['known_hosts'] }}"
+
+- name: Write static known_hosts entries with ansible_host
+  ansible.builtin.known_hosts:
+    path: "{{ known_hosts_destination }}/known_hosts"
+    name: "{{ hostvars[item]['ansible_host'] }}"
+    key: "{{ hostvars[item]['ansible_host'] }} {{ inner_item }}"
+  loop_control:
+    loop_var: inner_item
+  loop: "{{ hostvars[item]['known_hosts'] }}"