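---
# sshkey.yml
#
# ssh-keyscan and copy your SSH key to hosts
#
# Parameters:
#   targets: group in the inventory to use (default: managed)
#   threads: number of simultaneous executions (default: 1)
#   pubkey: public key file to hand off (default: ~/.ssh/id_ed25519.pub)
#   sshport (optional): override 22/tcp/ssh for Ansible control
#
# Expects ANSIBLE_VAULT_FILE to be set in the environment to the path of the
# vault. The vault and/or inventory must provide, per host: ip, replica_domain,
# depriv_user and passwords[inventory_hostname].
#
# Security notes
# - Host keys are learned with ssh-keyscan, i.e. trust-on-first-use: whatever
#   answers on the wire at scan time becomes a trusted host in
#   ~/.ssh/known_hosts. Run this from a network path you trust, or compare the
#   fingerprints against an out-of-band record before relying on them.
# - Each scanned key replaces the previous known_hosts entry for the same
#   host alias and key type, so a rotated (or revoked) key does not stay trusted.
# - authorized_key runs with exclusive: true, which removes every other key of
#   depriv_user on the target; make sure pubkey is the key you log in with.
# - NOTE(review): ansible_ssh_port is set as a play var, and play vars outrank
#   inventory host vars, so a per-host ansible_port in the inventory is not
#   honoured by this play; pass sshport explicitly if you need another port.
#
- hosts: "{{ targets | default('managed') }}"
  order: sorted
  serial: "{{ threads | default('1') }}"
  gather_facts: false
  ignore_unreachable: true
  vars:
    ansible_ssh_port: "{{ sshport | default('22') }}"
    keyfile: "{{ pubkey | default(lookup('env', 'HOME') ~ '/.ssh/id_ed25519.pub') }}"
    # Name written in front of the scanned key; ip comes from the inventory/vault.
    known_host_alias: "{{ ip ~ ',' ~ inventory_hostname ~ '.' ~ replica_domain }}"
    # Everything interpolated into the keyscan shell command is shell-quoted so
    # a crafted inventory hostname or sshport cannot inject commands on the controller.
    keyscan_cmd: "ssh-keyscan -p {{ ansible_ssh_port | quote }} -t"
  vars_files:
    - "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
  tasks:
    # Read the public key on the controller. lookup('file') runs locally and
    # avoids spawning `cat` with a user-supplied, unquoted path.
    - name: Get key
      delegate_to: localhost
      set_fact:
        pubkey_content: "{{ lookup('file', keyfile) }}"

    # Lookups run on the controller, so this is the controller's ssh-keyscan
    # talking to the managed host (trust-on-first-use, see header). An empty
    # result leaves the fact empty and the known_hosts tasks below are skipped
    # instead of writing a truncated "ip,host," line.
    - name: Scan host keys
      delegate_to: localhost
      set_fact:
        rsa_hostkey: "{{ lookup('pipe', keyscan_cmd ~ ' rsa ' ~ (inventory_hostname | quote)) }}"
        ed25519_hostkey: "{{ lookup('pipe', keyscan_cmd ~ ' ed25519 ' ~ (inventory_hostname | quote)) }}"

    - name: Ensure known_hosts is commented
      delegate_to: localhost
      lineinfile:
        dest: ~/.ssh/known_hosts
        create: true
        state: present
        line: "# {{ inventory_hostname ~ '.' ~ replica_domain }}"

    # Thanks to https://gist.github.com/shirou/6928012
    # regexp pins the entry by host alias and key type, so a re-run after a key
    # rotation replaces the old key instead of appending a second, still-trusted one.
    - name: Ensure ssh host RSA key known
      delegate_to: localhost
      lineinfile:
        dest: ~/.ssh/known_hosts
        create: true
        state: present
        regexp: "^{{ known_host_alias | regex_escape }},\\S+ ssh-rsa "
        line: "{{ known_host_alias ~ ',' ~ rsa_hostkey }}"
      when: rsa_hostkey | length > 0

    # Thanks to https://gist.github.com/shirou/6928012
    - name: Ensure ssh host ED25519 key known
      delegate_to: localhost
      lineinfile:
        dest: ~/.ssh/known_hosts
        create: true
        state: present
        regexp: "^{{ known_host_alias | regex_escape }},\\S+ ssh-ed25519 "
        line: "{{ known_host_alias ~ ',' ~ ed25519_hostkey }}"
      when: ed25519_hostkey | length > 0

    # The only task that connects to the target. It authenticates with the
    # vaulted password because the key is not installed yet; exclusive: true
    # wipes every other authorized key of depriv_user on the host.
    - name: Pass authorized key
      authorized_key:
        user: "{{ depriv_user }}"
        key: "{{ pubkey_content }}"
        state: present
        exclusive: true
      vars:
        ansible_ssh_password: "{{ passwords[inventory_hostname] }}"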