moved ssh to cert based

Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>
2025-03-25 01:09:08 +01:00
parent 924e4a2f92
commit 56f058c254
21 changed files with 160 additions and 87 deletions
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,9 +1,12 @@
 [defaults]
 # (string) Path to the Python interpreter to be used for module execution on remote targets, or an automatic discovery mode. Supported discovery modes are ``auto`` (the default), ``auto_silent``, ``auto_legacy``, and ``auto_legacy_silent``. All discovery modes employ a lookup table to use the included system Python (on distributions known to include one), falling back to a fixed ordered list of well-known Python interpreter locations if a platform-specific default is not available. The fallback behavior will issue a warning that the interpreter should be set explicitly (since interpreters installed later may change which one is used). This warning behavior can be disabled by setting ``auto_silent`` or ``auto_legacy_silent``. The value of ``auto_legacy`` provides all the same behavior, but for backwards-compatibility with older Ansible releases that always defaulted to ``/usr/bin/python``, will use that interpreter if present.
 interpreter_python=python3
 # (pathspec) Colon separated paths in which Ansible will search for Roles.
 roles_path=./roles
 # (pathlist) Comma separated list of Ansible inventory sources
-inventory=./inventory/production
+inventory=./production.ini
 # (path) The vault password file to use. Equivalent to --vault-password-file or --vault-id
 # If executable, it will be run and the resulting stdout will be used as the password.
--- a/group_vars/all/secrets.yml
+++ b/group_vars/all/secrets.yml
@@ -1,56 +1,63 @@
 $ANSIBLE_VAULT;1.1;AES256
-34623331393561623539666362643966336661326136363431666465356535343663376236663066
+62353334666233376566326532636437376331316231323234643438323138316538363739343966
-3235363061633666626133313363373336656438633566630a383230393161323862303863656464
+3637633035343637363766613038346162336437303035390a663363313565343230346363646534
-61633861323966343263363466343130306635343539326464363637383139343033656130336464
+39393835313839323534663430646461336536343764636463376262646666356465386234313635
-3163373535613961340a643335626165306663363063656339653862393533633534366331336231
+3965343062616437660a613633343839303638656464616638306234363732656139653736373262
-63393432383731633463323164333831313535373261336166326237306230326465616239306536
+63643739313466353637613738343233353738373764653762343432643430383637313137376236
-37663863663161393130373835373062393866633864373465333937633838303130386334356566
+37643033323439656161333361346638643562393031363230383033363862316162353132313161
-64303663303862623038646235303934376230393538353466393232363764366339616633343433
+61323433643933323735376163666564666264666461666234376664323661333734313231623730
-65343730663864393766313134653335396562646135306637613031333461613965666465376532
+65323839383932303436306434356334396130353236323965646564303930383765376265356438
-32643261626665396338313836633337383932616265613662383132303539623239623965333966
+35633031623036313634333534663564653863366535643466306332386166666531343262386330
-66333638643635313262616434396164313833303065303662303736303232346535613834643435
+32633530313666653462326565643163616632333835643231643063393438356265313638336662
-32316434343231363662393163353832393166643739396165313631363539663439316133616361
+36376132353931613835343030633464633561613361376264613535383830376337303539316133
-61623830613035396333303363383332653736666231343763353666356539633433373066613330
+64666164306235333663303564656364303762326262313835343233303465653934623965653933
-65656631343764323234333161636632616130353139626362343361386535313336666566636464
+62336130653938643966656665306134376237376537663533306261623132653838363034626131
-35323434656439346262336335383366626565333765343562633236636132636532333761663535
+39346339666566633037663730313732393464306438623630326533333866636465353631373435
-31383565313436633438633336306430343733663539666631386532313836623166356332626664
+61623833393039393961633664383939623930633562383936373036616431333664376364663930
-39653762353265643861633237326662383466373539633732323833376238383963393837636466
+36326666653431326332316361336439303163643061343435643363376665616135653036663466
-66656631666131623166393731643537393161303636353932653062363137376334356238643064
+65613563356631633238303731366330303265396661303735616534653731616439613531353939
-34303666656638396263336639636135393536623037666137653132633264316431656438386432
+35386562626432616239643665663432373536623064383963306537386338636437663439313066
-34333632616265343435306365373039653036353337633563393739653632656163316636363336
+64373336373830633163633433666334393035336539363261336364376139373434316433643364
-32346638393364353634386231616639386164326531353134366639653837653236333030666139
+35353035326134626661663730383132323466343938373562336332663964393164663731633231
-64656334336231636337656233383834343763393738643362626665333362353335656131653165
+37386330363531616566663965613164663463303762363635323438366130336334323134393332
-35376330336433383262653039643131313437643265343663626363373439643932643063646439
+37313638346162633561393562666334616464303330376230633264623262336335613063653665
-37663630363839643263373630646430386536346132383564396463376361343661346661333636
+32393332396631363562643961336166666339326233366364333061303766616632323732666338
-39643961643031626462363537633263393838363262626439313838313039373035373634633462
+39363864336634356535333063343730663231303839393061366238353032643965353939656135
-38363938343932626131343966616638323632303636383034383536616164393539343635666166
+39316539333338333431383635323537653761356665343136303231633265643735623962346133
-39383434313863356434383961383139623436636230323866396366326665623863336438623335
+66313132313765643231373435653266633564316331633563623138303835616133303061333239
-33346634303639643131333933363838666336306438646335343931366437326462376438663837
+39333362323162303466383865343031663663613266643932653862623137663766343665366263
-34353938343837663930356464373332356530643231653166616331376335643832316365303164
+66303962353330653162356333343231393137613763316134663135613738666231373835616563
-32393062313638393936393863613731363233376537323834623164613231393133353635623866
+33656564343864333263646437656435363338376663636435353432643931303032306330353831
-35626337336562653265613730363961633662653331663966333430343462666535306133663835
+37623634353735373635303934653034356431346330376637656435356530656131343736636463
-64663539303765366331613666653632313233626231313264346332323266653230323332373836
+63376565333730623335386231333838353763633031663238346438643664373130343632313462
-33303564633464333064613431383230383535633362373839323334353162623433646230393838
+39343033623939653865383965653331366539643934363236663631313537323338643266313030
-33306162613739393338373361616634396636313765326465393332396537613263383339626666
+65363736653237336633343333393665333666386336666630366664313336393136383734613635
-63613162616363363138323965373966353366323463313934356530663931653565656164346363
+62366365356262643632306430626166346636343837653730626665646631373966396535666336
-37633862366436623030303233396639393434336438623433383530393836626164353064366432
+36396464626437393433656361386263613330333561643563643232333064333565626534353736
-35303532393437316162346366346636633135383938323631316563323935383561326335323438
+32653239353531343265353631623430363537396233363666393335356261323532633432376139
-30613266643232656138663431666162663330643133643263343237663565323231316239633037
+33663266303631383936623332313833616262616635356139336165323662656131643334633563
-39323732386236396136633539383335646634306139643533666636633131623566333137376236
+39396538383661306564333239383131623039303835323636326532653331346135343065363533
-39616134306463613864353135313636343365643437323465643862303137663937376233306261
+32616533643662643365383132666438383237396362653465666264346333383133653738643166
-31383862356535646563383438396363323838613237623034656561396163376433663262366137
+61393561396535343230343665363235326561666565376165323262396638626631363032643865
-63323562346633303162666530616534386539383238366139376263326265343138373139393432
+66656439626339653837353133626133326234333036386563353532383764613261326130363361
-35643335363139373139666230626363386232316536306431653964376333366235303763336135
+39663233656538356334326530366132346339666161386433393431663262646433353430366532
-65623231336638643034373932376263636336653561646664366138643031316438316465353363
+31336661316562323534356632616633363862366163346532613433393434323639313733656562
-38386539363631393433313664323135646562313537376236653635303263633230383866653039
+37633962613630336661623733626237613365623436346662376135646563353735623030303064
-66636534336234363438363139366531653237323137613961383831376665626365393462363834
+34303064323635306465326638633665333639306564343034646262326466323539643437646239
-36333965366463636233643433616431376436323535396238363933326363333661326462353161
+65343865646137336564356438623739323639336437626564393337343232313563353762333561
-66626435373938633832393662313161663336613862343332643766333633653866316464653735
+65633265386132666635303831653236346165623537343638326639383436326633323163643765
-31356135363662633961386264613836323435323836386635336338353663333137336666323531
+63336439643465313039653362373538333834666432383533376233643031323665303161336630
-36663731336664633763633634613136663866363530613264356431326539316530326161313362
+34643462376262363530633933393631343662393631356338316538333366303966623936633163
-62616539356537353261343464356334636134396664353463623163313765633432653932346136
+31643663616536626538323033396564656432373938383637373831306432353034383630323133
-32326239373333643461333733646264353238356134613037663836643131316664653539643839
+66646339636335623835636638653533323365323132383134636264396465393463353234363839
-30613235623933356565336630323939633266613164306262386666363137666661666131613962
+62323236386235303830393930346632366331653632306633376335643232633432386536663630
-61623930663536646462343264336535353634373833316537613839396566376466653736333830
+35393035303162666563653137613639636561396666623665323832636364336232333165336135
-33376663613063326230346439626237373232656665633832373364653931663361666432303166
+36626465393762373064353561333939626638613335323066666366326539316438363736373331
-663564323132383864336332363139393534
+64303538663863613135303531326465666636386364356635316265373533366434323330323266
 39613464343138616235663035316538636137396532373365393866376666343631626333306436
 66383734303032343131356466333264393739663834393836376236656634373832356363343639
 61306436366665616438636539386363616166633536316533386332383632366265313161643965
 31386463323438336165383764396166393530623537666662353735646535653938383031333331
 32646431366166373264326564326630313634333639646662376165643861616139336231373432
 30666165373861343965333264303632623766633763376339353366313839336537616131616436
 6236303866623939313466633635633136383232363034376236
--- a/group_vars/docker/vars.yml
+++ b/group_vars/docker/vars.yml
@@ -111,7 +111,7 @@ services:
      - VERSION=docker
  - name: jellyfin
    vm:
-      - docker-host02
+      - docker-host01
    container_name: jellyfin
    image: jellyfin/jellyfin
    restart: "unless-stopped"
@@ -142,7 +142,7 @@ services:
    environment:
  - name: hass
    vm:
-      - docker-host02
+      - docker-host01
    container_name: homeassistant
    image: "ghcr.io/home-assistant/home-assistant:stable"
    restart: unless-stopped
@@ -319,7 +319,7 @@ services:
        external: 8080
  - name: git
    vm:
-      - docker-host02
+      - docker-host01
    container_name: gitea
    image: gitea/gitea:1.23.1-rootless
    restart: unless-stopped
--- a/group_vars/proxmox/vars.yml
+++ b/group_vars/proxmox/vars.yml
@@ -0,0 +1,13 @@
 proxmox_api_user: root
 proxmox_api_host: 192.168.20.12
 proxmox_api_password: "{{ vault.pve.aya01.root.sudo }}"
 proxmox_vms:
  - name: "test-vm-00"
    hostname: "test-vm-00"
    node:
      - "aya01"
    ostemplate: ""
 proxmox_lxcs:
  - name: "test-lxc-00"
--- a/host_vars/docker-host00.yml
+++ b/host_vars/docker-host00.yml
@@ -1,10 +1,11 @@
 ---
-ansible_user: "{{ user }}"
+# Configure this in ~/.ssh/config*
-ansible_host: 192.168.20.34
+# ansible_user: "{{ user }}"
-ansible_port: 22
+# ansible_host: 192.168.20.34
-ansible_ssh_private_key_file: "{{ pk_path }}"
+# ansible_port: 22
 # ansible_ssh_private_key_file: "{{ pk_path }}"
 ansible_become_pass: "{{ vault.docker.host00.sudo }}"
 host:
  hostname: "docker-host00"
-  ip: "{{ ansible_host }}"
+  ip: "192.168.20.34"
--- a/host_vars/docker-host01.yml
+++ b/host_vars/docker-host01.yml
@@ -1,10 +1,11 @@
 ---
-ansible_user: "{{ user }}"
+# Configure this in ~/.ssh/config*
-ansible_host: 192.168.20.35
+# ansible_user: "{{ user }}"
-ansible_port: 22
+# ansible_host: 192.168.20.35
-ansible_ssh_private_key_file: "{{ pk_path }}"
+# ansible_port: 22
 # ansible_ssh_private_key_file: "{{ pk_path }}"
 ansible_become_pass: "{{ vault.docker.host01.sudo }}"
 host:
  hostname: "docker-host01"
-  ip: "{{ ansible_host }}"
+  ip: "192.168.20.35"
--- a/host_vars/docker-host02.yml
+++ b/host_vars/docker-host02.yml
@@ -1,10 +1,11 @@
 ---
-ansible_user: "{{ user }}"
+# Configure this in ~/.ssh/config*
-ansible_host: 192.168.20.36
+# ansible_user: "{{ user }}"
-ansible_port: 22
+# ansible_host: 192.168.20.36
-ansible_ssh_private_key_file: "{{ pk_path }}"
+# ansible_port: 22
 # ansible_ssh_private_key_file: "{{ pk_path }}"
 ansible_become_pass: "{{ vault.docker.host02.sudo }}"
 host:
  hostname: "docker-host02"
-  ip: "{{ ansible_host }}"
+  ip: "192.168.20.36"
--- a/host_vars/docker-lb.yml
+++ b/host_vars/docker-lb.yml
@@ -1,10 +1,10 @@
 ---
-ansible_user: "{{ user }}"
+# ansible_user: "{{ user }}"
-ansible_host: 192.168.20.37
+# ansible_host: 192.168.20.37
-ansible_port: 22
+# ansible_port: 22
-ansible_ssh_private_key_file: "{{ pk_path }}"
+# ansible_ssh_private_key_file: "{{ pk_path }}"
 ansible_become_pass: "{{ vault.docker.lb.sudo }}"
 host:
  hostname: "docker-lb"
-  ip: "{{ ansible_host }}"
+  ip: "192.168.20.37"
--- a/playbooks/docker-host.yml
+++ b/playbooks/docker-host.yml
@@ -1,7 +1,7 @@
 ---
 - name: Set up Servers
  hosts: docker_host
-  gather_facts: yes
+  gather_facts: true
  vars_files:
    - secrets.yml
  roles:
--- a/playbooks/docker-lb.yml
+++ b/playbooks/docker-lb.yml
@@ -1,7 +1,7 @@
 ---
 - name: Set up reverse proxy for docker
  hosts: docker_lb
-  gather_facts: yes
+  gather_facts: true
  vars_files:
    - secrets.yml
  roles:
--- a/playbooks/docker.yml
+++ b/playbooks/docker.yml
@@ -0,0 +1,5 @@
 ---
 - name: Setup Docker Hosts
  ansible.builtin.import_playbook: docker-host.yml
 - name: Setup Docker load balancer
  ansible.builtin.import_playbook: docker-lb.yml
--- a/playbooks/proxmox.yml
+++ b/playbooks/proxmox.yml
@@ -0,0 +1,10 @@
 ---
 - name: Run proxmox vm playbook
  hosts: proxmox
  gather_facts: true
  vars_files:
    - secrets.yml
  roles:
    - role: proxmox_vm
      tags:
        - proxmox_vm
--- a/inventory/production
+++ b/inventory/production
@@ -1,4 +1,7 @@
 [proxmox]
 127.0.0.1 ansible_connection=local
 [proxmox:children]
 aya01
 lulu
 inko
--- a/requirements.txt
+++ b/requirements.txt
@@ -0,0 +1,6 @@
 certifi==2025.1.31
 charset-normalizer==3.4.1
 idna==3.10
 proxmoxer==2.2.0
 requests==2.32.3
 urllib3==2.3.0
--- a/roles/common/files/ssh/vault-ca.pub
+++ b/roles/common/files/ssh/vault-ca.pub
@@ -0,0 +1 @@
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDxIbkko72kVSfYDjJpiMH9SjHUGqBn3MbBvmotsPQhybFgnnkBpX/3fM9olP+Z6PGsmbOEs0fOjPS6uY5hjKcKsyHdZfS6cA4wjY/DL8fwATAW5FCDBtMpdg2/sb8j9jutHHs4sQeRBolVwKcv+ZAaJNnOzNHwxVUfT9bNwShthnAFjkY7oZo657FRomlkDJjmGQuratP0veKA8jYzqqPWwWidTGQerLYTyJ3Z8pbQa5eN7svrvabjjDLbVTDESE8st9WEmwvAwoj7Kz+WovCy0Uz7LRFVmaRiapM8SXtPPUC0xfyzAB3NxwBtxizdUMlShvLcL6cujcUBMulVMpsqEaOESTpmVTrMJhnJPZG/3j9ziGoYIa6hMj1J9/qLQ5dDNVVXMxw99G31x0LJoy12IE90P4Cahux8iN0Cp4oB4+B6/qledxs1fcRzsnQY/ickjKhqcJwgHzsnwjDkeYRaYte5x4f/gJ77kA20nPto7mxr2mhWot/i9B1KlMURVXOH/q4nrzhJ0hPJpM0UtzQ58TmzE4Osf/B5yoe8V//6XnelbmG/nKCIzg12d7PvaLjbFMn8IgOwDMRlip+vpyadRr/+pCawrfo4vLF7BsnJ84aoByIpbwaysgaYHtjfZWImorMVkgviC4O6Hn9/ZiLNze2A9DaNUnLVJ0nYNbmv9Q==
--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
@@ -10,8 +10,7 @@
 - name: Copy pubkey
  ansible.builtin.copy:
-    content: "{{ pubkey }}"
+    src: files/ssh/vault-ca.pub
-    dest: "/home/{{ user }}/.ssh/authorized_keys"
+    dest: "/etc/ssh/vault-ca.pub"
    owner: "{{ user }}"
    group: "{{ user }}"
    mode: "644"
  become: true
--- a/roles/common/templates/ssh/sshd_config
+++ b/roles/common/templates/ssh/sshd_config
@@ -1,4 +1,3 @@
 Include /etc/ssh/sshd_config.d/*.conf
 Protocol 2
 PermitRootLogin no
 MaxAuthTries 3
@@ -13,6 +12,7 @@ X11Forwarding no
 PrintMotd no
 TCPKeepAlive no
 ClientAliveCountMax 2
 TrustedUserCAKeys /etc/ssh/vault-ca.pub
 UseDNS yes
 AcceptEnv LANG LC_*
 Subsystem	sftp	/usr/lib/openssh/sftp-server
--- a/roles/proxmox_vm/tasks/create_vm.yml
+++ b/roles/proxmox_vm/tasks/create_vm.yml
@@ -0,0 +1,7 @@
 ---
 # - name: Create VM
 #   community.general.proxmox:
 #     api_host: "{{ api_host }}"
 #     api_user: "{{ api_user }}"
 #     api_password: "{{ vault.proxmox.api_password }}"
 #     node: "{{  }}"
--- a/roles/proxmox_vm/tasks/get_info.yml
+++ b/roles/proxmox_vm/tasks/get_info.yml
@@ -0,0 +1,11 @@
 ---
 - name: List existing nodes
  community.general.proxmox_node_info:
    api_host: "{{ proxmox_api_host }}"
    api_user: "{{ proxmox_api_user }}@pam"
    api_password: "{{ proxmox_api_password }}"
  register: proxmox_nodes
 - name: Print info
  ansible.builtin.debug:
    msg: "{{ proxmox_nodes }}"
--- a/roles/proxmox_vm/tasks/main.yml
+++ b/roles/proxmox_vm/tasks/main.yml
@@ -0,0 +1,5 @@
 ---
 - name: Get info
  ansible.builtin.include_tasks: get_info.yml
 # - name: Create vm
 #   ansible.builtin.include_tasks: create_vm.yml
--- a/roles/reverse_proxy/templates/Caddyfile.j2
+++ b/roles/reverse_proxy/templates/Caddyfile.j2
@@ -10,7 +10,7 @@
 {% if http_port %}
 {{ service.name }}.{{ domain }} {
    {% for vm in service.vm %}
-    reverse_proxy {{ hostvars[vm].ansible_host }}:{{ http_port[0] }}
+    reverse_proxy {{ hostvars[vm].host.ip }}:{{ http_port[0] }}
    {% endfor %}
    log {
        output file /var/log/caddy/{{ service.name }}.log
		`@@ -0,0 +1 @@`
							ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDxIbkko72kVSfYDjJpiMH9SjHUGqBn3MbBvmotsPQhybFgnnkBpX/3fM9olP+Z6PGsmbOEs0fOjPS6uY5hjKcKsyHdZfS6cA4wjY/DL8fwATAW5FCDBtMpdg2/sb8j9jutHHs4sQeRBolVwKcv+ZAaJNnOzNHwxVUfT9bNwShthnAFjkY7oZo657FRomlkDJjmGQuratP0veKA8jYzqqPWwWidTGQerLYTyJ3Z8pbQa5eN7svrvabjjDLbVTDESE8st9WEmwvAwoj7Kz+WovCy0Uz7LRFVmaRiapM8SXtPPUC0xfyzAB3NxwBtxizdUMlShvLcL6cujcUBMulVMpsqEaOESTpmVTrMJhnJPZG/3j9ziGoYIa6hMj1J9/qLQ5dDNVVXMxw99G31x0LJoy12IE90P4Cahux8iN0Cp4oB4+B6/qledxs1fcRzsnQY/ickjKhqcJwgHzsnwjDkeYRaYte5x4f/gJ77kA20nPto7mxr2mhWot/i9B1KlMURVXOH/q4nrzhJ0hPJpM0UtzQ58TmzE4Osf/B5yoe8V//6XnelbmG/nKCIzg12d7PvaLjbFMn8IgOwDMRlip+vpyadRr/+pCawrfo4vLF7BsnJ84aoByIpbwaysgaYHtjfZWImorMVkgviC4O6Hn9/ZiLNze2A9DaNUnLVJ0nYNbmv9Q==