Dynamically set ansible ansible_ssh_port and ansible_ssh_user
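---
# Task file: pick the ssh port and user that currently work for a host (which
# may or may not have been bootstrapped yet), create the user accounts, then
# move sshd to the new port and switch the connection over to it.
#
# 1) Be sure to set the following variables for all hosts:
#      vars:
#        oldsshport: 22
#        sshport: 555
# 2) Might fail without setting remote_tmp = /tmp/ansible/$USER in your
#    ansible.cfg. Includes a fix for this setting below.
# 3) Once host is setup most of the checks are skipped and works very quickly.
# 4) Be sure to set non-standard shells in a different playbook later. Stick
#    with /bin/bash until you can run apt install.
# 5) Assumes root user has sshkey setup already. Not sure how to utilize the
#    --ask-pass option. For now, use ssh-copy-id prior to running playbook on
#    new host for root user (if needed).
#
# `sudo:` and the `|success` / `|changed` filters are the Ansible 1.x
# spellings the file was written against; newer releases spell them
# `become: true` and `is succeeded` / `is changed`.

# Test new ssh port
- name: ssh test nc {{ sshport }}
  local_action: shell nc -z -w5 {{ inventory_hostname }} {{ sshport }}
  register: nc_ssh_port
  # failed_when replaces the exit-code check, so a non-zero nc exit alone does
  # not fail this task; only the literal word 'failed' on stdout does.
  failed_when: nc_ssh_port.stdout.find('failed') != -1
  # NOTE(review): "changed" here means nc printed nothing on stdout. What -z
  # prints, and on which stream, differs between netcat implementations —
  # confirm against the nc installed on the control machine.
  changed_when: nc_ssh_port.stdout == ""
  ignore_errors: true

# Set port to new port if connection success
- name: set ansible_ssh_port
  set_fact:
    ansible_ssh_port: "{{ sshport }}"
  when: nc_ssh_port|success

# Fall back to old port if new ssh port fails
- name: ssh test nc port {{ oldsshport }}
  local_action: shell nc -z -w5 {{ inventory_hostname }} {{ oldsshport }}
  register: nc_ssh_default
  changed_when: nc_ssh_default.stdout == ""
  ignore_errors: true
  when: nc_ssh_port|changed

# Set ansible to old port since new failed
- name: set ansible_ssh_port to {{ oldsshport }}
  set_fact:
    ansible_ssh_port: "{{ oldsshport }}"
  when: nc_ssh_default|success and nc_ssh_port|changed

# Check if root user can ssh
# NOTE(review): StrictHostKeyChecking=no accepts any host key, including a
# changed one, so an impersonated host passes this probe unnoticed. Kept as the
# author wrote it; pre-seeding known_hosts for new hosts would let it be dropped.
- name: find user
  local_action: shell ssh -o StrictHostKeyChecking=no -o BatchMode=yes -o ConnectTimeout=5 -p {{ ansible_ssh_port }} root@{{ inventory_hostname }} exit
  register: ssh_as_root
  failed_when: ssh_as_root.stdout.find('failed') != -1
  # "changed" means the root login was not refused with 'Permission denied'.
  changed_when: ssh_as_root.stderr.find('Permission denied') == -1

# If root user success, remember the configured user so it can be restored later
- name: first user
  set_fact:
    first_user: "{{ ansible_ssh_user }}"
  when: ssh_as_root|changed

# Set ssh user to root
- name: root user
  set_fact:
    ansible_ssh_user: root
  when: ssh_as_root|changed

# ANSIBLE FIX: /tmp/ansible isn't world-writable for setting
# remote_tmp = /tmp/ansible/$USER in ansible.cfg.
# The directory must stay world-writable so every user can create its own
# subdirectory, but it is created with the sticky bit (1777, like /tmp itself)
# so other local users cannot remove or replace someone else's per-user
# remote_tmp subdirectory, where Ansible stages the modules it executes.
- name: /tmp/ansible/ directory exists with 1777 permission
  file:
    path: /tmp/ansible/
    owner: root
    group: root
    mode: "1777"
    recurse: false
    state: directory
  # Creating the shared temp directory is never reported as a change.
  changed_when: false
  sudo: true

# Setup user accounts
- include: users.yml

# Set ssh user back to default user (that was setup in users.yml)
- name: ansible_ssh_user back to default
  set_fact:
    ansible_ssh_user: "{{ first_user }}"
  when: ssh_as_root|changed

# Reconfigure ssh with new port (also recommended to disable non-ssh key logins
# and disable root logins)
- name: sshd.conf
  template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0644"
  register: sshd_config
  sudo: true

# Force changes immediately to ssh
- name: restart ssh
  service:
    name: ssh
    state: restarted
  when: sshd_config|changed
  sudo: true

# Use updated ssh port
- name: set ansible_ssh_port
  set_fact:
    ansible_ssh_port: "{{ sshport }}"
  when: nc_ssh_port|changed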