| author | mail_redacted_for_web | 2022-02-27 10:16:24 +0100 | 
|---|---|---|
| committer | mail_redacted_for_web | 2022-02-27 10:16:24 +0100 | 
| commit | 88fb9021c70fbe9f19f5115535fdaedbc7f38329 (patch) | |
| tree | ae9d4fe46e509b61e1316e5b67e32275043e7295 /ssh-key-renewal.yml | |
| parent | 28fa1cf8c8e9cd8c5f1d16809e06a86931392e8a (diff) | |
ssh key renewal
Diffstat (limited to 'ssh-key-renewal.yml')
| -rw-r--r-- | ssh-key-renewal.yml | 174 | 
1 files changed, 174 insertions, 0 deletions
diff --git a/ssh-key-renewal.yml b/ssh-key-renewal.yml
new file mode 100644
index 0000000..788b104
--- /dev/null
+++ b/ssh-key-renewal.yml
@@ -0,0 +1,174 @@
+---
+# abstract: if we find vars.pubkey_string inside one of the ssh public host key files, we will regenerate
+# all of them.
+- hosts: "{{ runtime_hosts | default('CHANGEME') }}"
+  vars:
+    host_key_checking: false
+    pubkey_string: "CHANGEME"
+  gather_facts: false
+  tasks:
+    - name: Gather necessary facts
+      setup:
+        gather_subset:
+          - "distribution"
+          - "distribution_version"
+          - "lsb"
+          - "default_ipv4"
+          - "env"
+    - name: Set up Red Hat and derivatives
+      debug:
+        msg: "System is {{ansible_distribution}} {{ansible_distribution_version}} ({{ansible_lsb.description}}), checking in."
+      when: ansible_distribution_file_variety == "RedHat"
+      changed_when: true
+      notify: "redhat"
+    - name: Set up Debian and derivatives
+      debug:
+        msg: "System is {{ansible_distribution}} {{ansible_distribution_version}} ({{ansible_lsb.description}}), checking in."
+      when: ansible_distribution_file_variety == "Debian"
+      changed_when: true
+      notify: "debian"
+    - name: Set up SUSE and derivatives
+      debug:
+        msg: "System is {{ansible_distribution}} {{ansible_distribution_version}} ({{ansible_lsb.description}}), checking in."
+      # SuSE was "renamed" to SUSE somewhen around SLES 11 (now SLE :-} ), so we'll check for both. Even though generation 11
+      # repositories should be pretty ...deaddish by now.
+      when: ansible_distribution_file_variety == "SUSE" or ansible_distribution_file_variety == "SuSE"
+      changed_when: true
+      notify: "suse"
+    - name: Set up Arch and derivatives
+      debug:
+        msg: "System is {{ansible_distribution}} ({{ansible_distribution_file_variety}}) ({{ansible_lsb.description}}), checking in."
+      when: ansible_distribution_file_variety == "Archlinux"
+      changed_when: true
+      notify: "arch"
+  handlers:
+    - name: Distro not implemented yet
+      debug:
+        msg: ":("
+      listen:
+        - "suse"
+        - "arch"
+    - name: 'Find "{{vars.pubkey_string}}" in host keys (changed = yes, we will continue)'
+      # grep only fails if it finds nothing, so this is sufficient:
+      shell: "grep -i {{vars.pubkey_string}} /etc/ssh/ssh_host_*key.pub"
+      args:
+        warn: false
+      register: gres
+      failed_when: false
+      changed_when: gres.rc|int == 0
+      listen:
+        - "redhat"
+      notify:
+        - "redhat upd"
+      become: true
+    - name: 'Find "{{vars.pubkey_string}}" in host keys (changed = yes, we will continue)'
+      # grep only fails if it finds nothing, so this is sufficient:
+      shell: "grep -i {{vars.pubkey_string}} /etc/ssh/ssh_host_*key.pub"
+      args:
+        warn: false
+      register: gres
+      failed_when: false
+      changed_when: gres.rc|int == 0
+      listen:
+        - "debian"
+      notify:
+        - "debian upd"
+      become: true
+    # Cannot combine this way: it would only delete the public keys, the private
+    # keys never contain the comment :-)
+    # - name: Find old SSH keys
+    #   find:
+    #     paths: /etc/ssh
+    #     patterns: "^ssh_host_.*key.pub$"
+    #     use_regex: true
+    #     contains:
+    #       - "Tpl-MAVM-"
+    #       - "tpl-mavm-"
+    #   register: hkfiles
+    #   listen:
+    #     - "redhat upd"
+    #     - "debian upd"
+    #   become: true
+    - name: Gather all SSH key files
+      find:
+        paths: /etc/ssh
+        patterns: "^ssh_host_.*key.*$"
+        use_regex: true
+      register: hkfiles
+      listen:
+        - "redhat upd"
+      notify:
+        - "redhat del"
+      changed_when: hkfiles.files is defined
+    - name: Gather all SSH key files
+      find:
+        paths: /etc/ssh
+        patterns: "^ssh_host_.*key.*$"
+        use_regex: true
+      register: hkfiles
+      listen:
+        - "debian upd"
+      notify:
+        - "debian del"
+      changed_when: hkfiles.files is defined
+    - name: Remove SSH keys
+      file:
+        path: "{{item.path}}"
+        state: absent
+      with_items: "{{hkfiles.files}}"
+      listen:
+        - "redhat del"
+      notify:
+        - "redhat reg"
+      become: true
+    - name: Remove SSH keys
+      file:
+        path: "{{item.path}}"
+        state: absent
+      with_items: "{{hkfiles.files}}"
+      listen:
+        - "debian del"
+      notify:
+        - "debian reg"
+      become: true
+    - name: Trigger regeneration of SSH keys
+      shell: "/usr/sbin/dpkg-reconfigure openssh-server"
+      listen: "debian upd"
+      notify: "debian reg"
+      become: true
+    - name: Restart SSH daemon to trigger regeneration of / loading of regenerated keys
+      systemd:
+        name: "sshd"
+        state: "restarted"
+      listen:
+        - "debian reg"
+        - "redhat reg"
+      become: true
+    - name: Remove host key from the machine and user executing the playbook
+      # remote_user: root
+      known_hosts:
+        name: "{{ item }}"
+        state: absent
+      delegate_to: localhost
+      loop:
+        - "{{inventory_hostname}}"
+        - "{{ansible_default_ipv4.address}}"
+        - "{{ansible_hostname}}"
+        - "{{ansible_fqdn}}"
+        - "{{ansible_nodename}}"
+      listen:
+        - "debian reg"
+        - "redhat reg"
+    # - name: Add host key to the machine and user executing the playbook
+    #   known_hosts:
+    #     state: present
+    #     name: "{{ansible_hostname}}"
+    #   delegate_to: localhost
+    #   listen:
+    #     - "debian reg"
+    #     - "redhat reg"
+    - name: Verify SSH reachability
+      ping:
+      listen:
+        - "debian reg"
+        - "redhat reg"
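Review bot: Both `Find "{{vars.pubkey_string}}" in host keys` handlers splice `pubkey_string` unquoted into a `shell:` line that runs as root (`become: true`), and the value is explicitly meant to be supplied at runtime (`CHANGEME`), so a value with shell metacharacters executes extra commands and one with regex syntax (`.`, `+`, `/`) silently changes what grep matches; use `shell: "grep -iF -- {{ pubkey_string | quote }} /etc/ssh/ssh_host_*key.pub"` in both handlers so the string is shell-quoted and matched literally. On the Debian path, `Trigger regeneration of SSH keys` listens on `debian upd` together with `Gather all SSH key files`, while the deletion only happens in the later `debian del` round; if handlers notified from within a handler run after the current batch, `dpkg-reconfigure` appears to run while the old keys still exist, and `Restart SSH daemon` then starts sshd with an empty `/etc/ssh` — which would lock the host out — so the order should be confirmed and, if so, the reconfigure handler moved to run after `Remove SSH keys` and before the restart. The `host_key_checking: false` entry under `vars` is not a setting the play reads (it lives in ansible.cfg / `ANSIBLE_HOST_KEY_CHECKING`), so the final `Verify SSH reachability` ping will presumably fail or prompt on the regenerated key unless that is set elsewhere; a comment such as `# host key checking must be disabled via ANSIBLE_HOST_KEY_CHECKING for the post-renewal ping; this var has no effect` would stop readers relying on it, and the new fingerprints should be recorded rather than trusted on first use.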
