Per Device SSH-Keys

ansible/inventory.yaml

@@ -27,6 +27,7 @@ all:
     service_base: "{{ playbook_dir }}/services"
     wg_keepalive: 30
     ansible_ssh_extra_args: "-o UserKnownHostsFile=./known_hosts"
+    ansible_ssh_private_key_file: "{{ lookup('ansible.builtin.env', 'SSH_KEY_' ~ inventory_hostname | mandatory | regex_replace('[^A-Za-z0-9]', '_')) }}"
   children:
     unprovisioned:
       hosts:

ansible/plays/common.yaml

@@ -13,13 +13,23 @@
         owner: root
         group: root
         mode: '0755'
-    - name: Deploy CI SSH-Key
+    - name: Obtain Machine Pubkey
+      delegate_to: localhost
+      become: false
+      changed_when: false
+      register: pubkey
+      community.crypto.openssl_publickey:
+        format: OpenSSH
+        path: "/tmp/{{ inventory_hostname }}.pub"
+        privatekey_path: "{{ ansible_ssh_private_key_file }}"
+        return_content: true
+    - name: Deploy Machine SSH-Key
       ansible.posix.authorized_key:
         user: "{{ ansible_user }}"
         state: present
         manage_dir: false
         path: "/etc/ssh/authorized_keys/{{ ansible_user }}"
-        key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/2H7n27J7/xFAyQpE7r29UxTP5jttLRe6RhAC/Ndam drone-deploy"
+        key: "{{ pubkey.publickey }} drone-machine-deploy"
     - name: Deploy Common SSH-Keys
       ansible.posix.authorized_key:
         user: "{{ ansible_user }}"
@@ -292,3 +302,5 @@
     - setup_wireguard
     - setup_vpn
   ansible.builtin.import_playbook: vpn.yaml
+
+# vim: ft=yaml.ansible

ansible/secrets.yml

@@ -1,2 +1,6 @@
 ---
 ANSIBLE_VAULT_PASSWORD_FILE: !file:var ansible/vault
+SSH_KEY_thonkpad_ka_chaoswg_org: !var:file machine/thonkpad.ka.chaoswg.org/ssh_key
+SSH_KEY_host_nc_chaoswg_org: !var:file machine/host.nc.chaoswg.org/ssh_key
+SSH_KEY_mon1_hel1_chaoswg_org: !var:file machine/mon1.hel1.chaoswg.org/ssh_key
+SSH_KEY_infra_unruhig_eu: !var:file machine/infra.unruhig.eu/ssh_key

ansible/tasks/create_ssh_keys.yaml

@@ -0,0 +1,25 @@
+# Onboarding: This playbook generates per-device ssh keys and places them in passage for later use.
+---
+- name: Generate SSH Keys
+  hosts: all
+  tasks:
+    - name: Check for ssh key present
+      shell: "passage machine/{{ inventory_hostname }}/ssh_key"
+      delegate_to: localhost
+      register: ssh_key
+      failed_when: false
+      changed_when: false
+    - name: Generate ssh_key
+      shell: "openssl genpkey -algorithm ed25519 | passage insert --multiline machine/{{ inventory_hostname }}/ssh_key"
+      delegate_to: localhost
+      when: ssh_key.rc != 0
+      register: new_ssh_key
+    - name: Add entry to secrets.yml
+      delegate_to: localhost
+      lineinfile:
+        state: present
+        path: ../secrets.yml
+        regexp: "^SSH_KEY_{{ inventory_hostname | mandatory | regex_replace('[^A-Za-z0-9]', '_') }}:"
+        line: "SSH_KEY_{{ inventory_hostname | mandatory | regex_replace('[^A-Za-z0-9]', '_') }}: !var:file machine/{{ inventory_hostname }}/ssh_key"
+
+# vim: ft=yaml.ansible

ansible/tasks/regenerate-known-hosts.yaml

@@ -4,6 +4,6 @@
   gather_facts: true
   tasks:
     - name: Run Keyscan
-      shell: "ssh-keyscan {{ groups['all'] | map('extract', hostvars, 'inventory_hostname') | list | join(' ') }} | sort >| known_hosts"
+      shell: "ssh-keyscan {{ groups['all'] | map('extract', hostvars, 'inventory_hostname') | list | join(' ') }} | sort >| ../known_hosts"