diff --git a/deploy.yml b/deploy.yml index dafb14f..c40b4c4 100644 --- a/deploy.yml +++ b/deploy.yml @@ -15,6 +15,9 @@ - include_vars: file: certs.yml failed_when: false + - include_vars: + file: ssh_keys.yml + failed_when: false roles: - foreman_ca - foreman_certs diff --git a/roles/foreman_proxy/defaults/main.yml b/roles/foreman_proxy/defaults/main.yml new file mode 100644 index 0000000..be4162d --- /dev/null +++ b/roles/foreman_proxy/defaults/main.yml @@ -0,0 +1,2 @@ +foreman_proxy_remote_execution_ssh_dir: /var/lib/foreman-proxy/ssh +foreman_proxy_remote_execution_ssh_keypair_name: id_rsa_foreman_proxy diff --git a/roles/foreman_proxy/tasks/main.yml b/roles/foreman_proxy/tasks/main.yml index 3c80ea0..1597273 100644 --- a/roles/foreman_proxy/tasks/main.yml +++ b/roles/foreman_proxy/tasks/main.yml @@ -9,6 +9,11 @@ name: rubygem-smart_proxy_ansible state: latest +- name: 'Install smart_proxy_ansible' + yum: + name: rubygem-smart_proxy_remote_execution_ssh + state: latest + - name: 'Settings file' template: src: settings.yml.j2 
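Review bot: The new `include_vars: ssh_keys.yml` task loads the REX private key into play vars with no `no_log`, so the loaded contents are printed in the task result (`ansible_facts`) under verbose output; add `no_log: true` to the new task, and since the file holds a private key it should be vault-encrypted rather than plain YAML. `failed_when: false` mirrors the `certs.yml` task above but also hides a malformed or unreadable file, not just a missing one, leaving `rex_ssh_keys` silently undefined until a later task dereferences it. Note that the role writes this file with a relative `dest: ssh_keys.yml` on localhost (relative to the controller's current working directory) while `include_vars` resolves relative to the playbook directory, so the two presumably only line up when the playbook is run from its own directory — spelling the path as `file: "{{ playbook_dir }}/ssh_keys.yml"` would make that assumption explicit.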
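Review bot: The new yum task is named 'Install smart_proxy_ansible' but installs `rubygem-smart_proxy_remote_execution_ssh`, so two consecutive tasks now share one name and the play output no longer says which package was installed; rename it `- name: 'Install smart_proxy_remote_execution_ssh'`. `state: latest` (copied from the existing task above) upgrades the gem on every run, so a newer release can land on the proxy without review; `state: present` with a pinned version would make the rollout deterministic, though changing that consistently for the existing task is presumably out of scope for this commit.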
@@ -46,6 +51,79 @@ content: "{{ foreman_proxy_client_ca }}" dest: /etc/foreman-proxy/foreman_ssl_ca.pem +- name: 'Create identity directory' + file: + path: "{{ foreman_proxy_remote_execution_ssh_dir }}" + state: directory + mode: '0700' + owner: foreman-proxy + group: foreman-proxy + +- name: 'Symlink proxy home .ssh to identity directory' + file: + dest: "/usr/share/foreman-proxy/.ssh" + src: "{{ foreman_proxy_remote_execution_ssh_dir }}" + owner: foreman-proxy + group: foreman-proxy + state: link + +- name: Generate /etc/ssh/ RSA host key + command: 'ssh-keygen -q -t rsa -b 4096 -f {{ foreman_proxy_remote_execution_ssh_dir }}/{{ foreman_proxy_remote_execution_ssh_keypair_name }} -C "Foreman Remote execuction key" -N ""' + args: + creates: "{{ foreman_proxy_remote_execution_ssh_dir }}/{{ foreman_proxy_remote_execution_ssh_keypair_name }}" + +- name: 'Set correct owner on private key' + file: + owner: foreman-proxy + group: foreman-proxy + path: "{{ foreman_proxy_remote_execution_ssh_dir }}/{{ foreman_proxy_remote_execution_ssh_keypair_name }}" + +- name: 'Set correct owner on public key' + file: + owner: foreman-proxy + group: foreman-proxy + path: "{{ foreman_proxy_remote_execution_ssh_dir }}/{{ foreman_proxy_remote_execution_ssh_keypair_name }}.pub" + +# ansible 2.8 only +#- name: 'Create key pair' +# openssh_keypair: +# comment: "Foreman Remote execuction key" +# group: foreman-proxy +# owner: foreman-proxy +# path: "{{ foreman_proxy_remote_execution_ssh_dir }}/{{ foreman_proxy_remote_execution_ssh_keypair_name }}" +# size: 4096 +# type: rsa + +- name: 'Read REX SSH private key' + slurp: + src: "{{ foreman_proxy_remote_execution_ssh_dir }}/{{ foreman_proxy_remote_execution_ssh_keypair_name }}" + register: foreman_rex_ssh_private_key + + +- name: 'Read REX SSH public key' + slurp: + src: "{{ foreman_proxy_remote_execution_ssh_dir }}/{{ foreman_proxy_remote_execution_ssh_keypair_name }}.pub" + register: foreman_rex_ssh_public_key + +- set_fact: + rex_ssh_keys: { 
+ public: "{{ foreman_rex_ssh_public_key.content | b64decode }}", + private: "{{ foreman_rex_ssh_private_key.content | b64decode }}" + } + +- name: 'Write ssh keys file' + copy: + content: "{{ rex_ssh_keys | to_nice_yaml }}" + dest: ssh_keys.yml + mode: 0600 + delegate_to: localhost + +- name: 'Install REX public key to authorized keys for root' + authorized_key: + comment: Foreman Remote execuction key + key: "{{ rex_ssh_keys.public }}" + user: root + - name: 'Start foreman-proxy' service: name: foreman-proxy @@ -67,3 +145,4 @@ - name: 'Register' command: "ansible-playbook /etc/foreman-proxy/register.yaml -e foreman_admin_password={{ foreman_admin_password }}" + diff --git a/roles/foreman_setup/tasks/main.yml b/roles/foreman_setup/tasks/main.yml index 1709277..2f1ed22 100644 --- a/roles/foreman_setup/tasks/main.yml +++ b/roles/foreman_setup/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: 'Registration playbook' +- name: 'Host registration playbook' copy: src: templates/register.yaml dest: /etc/foreman/register.yaml
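Review bot: The REX private key is slurped, held in `set_fact`, and written in plaintext to `ssh_keys.yml` in the controller's working directory without `no_log`, so its contents appear in `-v` task output and the file sits next to the playbook where it is easily committed or read by anyone with access to that directory. At minimum add `no_log: true` to the 'Read REX SSH private key', `set_fact` and 'Write ssh keys file' tasks, and either vault-encrypt the written file or keep it out of the repository (and listed in .gitignore). The `authorized_key` task grants this key unrestricted root login on the same host where the key lives readable by `foreman-proxy`, so a compromised foreman-proxy account becomes root directly; consider `key_options: 'from="<proxy address>"'` (and a dedicated non-root user if REX does not need root) to narrow that path. The task named 'Generate /etc/ssh/ RSA host key' generates the proxy's user keypair, not a host key, and the description says so only by accident — rename it `- name: 'Generate REX SSH keypair'` (and fix 'execuction' in the key comment while there).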