|
3 | 3 | hosts: overcloud,seed,seed-hypervisor,infra-vms |
4 | 4 | gather_facts: false |
5 | 5 | vars: |
6 | | - new_key_type: ed25519 |
7 | 6 | ansible_ssh_common_args: "-o StrictHostKeyChecking=no" |
8 | 7 | rekey_users: |
9 | 8 | - stack |
10 | 9 | - kolla |
11 | | - existing_key_path: "~/.ssh/id_rsa" |
12 | | - rekey_remove_existing_key: true |
| 10 | + rekey_remove_existing_key: false |
13 | 11 | tasks: |
14 | | - - name: Stat existing key file |
| 12 | + - name: Stat existing private key file |
15 | 13 | ansible.builtin.stat: |
16 | | - path: "{{ existing_key_path }}" |
| 14 | + path: "{{ ssh_private_key_path }}" |
17 | 15 | register: stat_result |
18 | 16 | delegate_to: localhost |
19 | 17 | run_once: true |
20 | 18 |
|
21 | | - - name: Fail when existing key does not exist |
| 19 | + - name: Fail when existing private key does not exist |
22 | 20 | ansible.builtin.fail: |
23 | | - msg: "No existing key file found. Check existing_key_path is set correctly." |
| 21 | + msg: "No existing private key file found. Check ssh_private_key_path and is set correctly." |
| 22 | + when: |
| 23 | + - not stat_result.stat.exists |
| 24 | + delegate_to: localhost |
| 25 | + run_once: true |
| 26 | + |
| 27 | + - name: Stat existing public key file |
| 28 | + ansible.builtin.stat: |
| 29 | + path: "{{ ssh_public_key_path }}" |
| 30 | + register: stat_result |
| 31 | + delegate_to: localhost |
| 32 | + run_once: true |
| 33 | + |
| 34 | + - name: Fail when existing public key does not exist |
| 35 | + ansible.builtin.fail: |
| 36 | + msg: "No existing public key file found. Check ssh_public_key_path and is set correctly." |
24 | 37 | when: |
25 | 38 | - not stat_result.stat.exists |
26 | 39 | delegate_to: localhost |
27 | 40 | run_once: true |
28 | 41 |
|
29 | 42 | - name: Generate a new SSH key |
30 | 43 | community.crypto.openssh_keypair: |
31 | | - path: "~/.ssh/id_{{ new_key_type }}_new" |
32 | | - type: "{{ new_key_type }}" |
| 44 | + path: "{{ ssh_private_key_path }}_new" |
| 45 | + type: "{{ ssh_key_type }}" |
33 | 46 | delegate_to: localhost |
34 | 47 | run_once: true |
35 | 48 |
|
36 | 49 | - name: Set new authorized keys |
37 | 50 | vars: |
38 | | - lookup_path: "~/.ssh/id_{{ new_key_type }}_new.pub" |
| 51 | + lookup_path: "{{ ssh_private_key_path }}_new.pub" |
39 | 52 | ansible.posix.authorized_key: |
40 | 53 | user: "{{ item }}" |
41 | 54 | state: present |
|
44 | 57 | become: true |
45 | 58 |
|
46 | 59 | - name: Locally deprecate existing key (private) |
47 | | - command: "mv {{ existing_key_path }} {{ existing_key_path }}_old" |
| 60 | + command: "mv {{ ssh_private_key_path }} {{ ssh_private_key_path }}_old" |
48 | 61 | delegate_to: localhost |
49 | 62 | run_once: true |
50 | 63 |
|
51 | 64 | - name: Locally deprecate existing key (public) |
52 | | - command: "mv {{ existing_key_path }}.pub {{ existing_key_path }}_old.pub" |
| 65 | + command: "mv {{ ssh_public_key_path }} {{ ssh_public_key_path }}_old" |
53 | 66 | delegate_to: localhost |
54 | 67 | run_once: true |
55 | 68 |
|
56 | 69 | - name: Locally promote new key (private) |
57 | | - command: "mv ~/.ssh/id_{{ new_key_type }}_new ~/.ssh/id_{{ new_key_type }}" |
| 70 | + command: "mv {{ ssh_private_key_path }}_new {{ ssh_private_key_path }}" |
58 | 71 | delegate_to: localhost |
59 | 72 | run_once: true |
60 | 73 |
|
61 | 74 | - name: Locally promote new key (public) |
62 | | - command: " mv ~/.ssh/id_{{ new_key_type }}_new.pub ~/.ssh/id_{{ new_key_type }}.pub" |
| 75 | + command: "mv {{ ssh_private_key_path }}_new.pub {{ ssh_public_key_path }}" |
63 | 76 | delegate_to: localhost |
64 | 77 | run_once: true |
65 | 78 |
|
66 | 79 | - name: Remove old key from hosts |
67 | 80 | vars: |
68 | | - lookup_path: "{{ existing_key_path }}_old.pub" |
| 81 | + lookup_path: "{{ ssh_public_key_path }}_old" |
69 | 82 | ansible.posix.authorized_key: |
70 | 83 | user: "{{ item }}" |
71 | 84 | state: absent |
|