PRE reconstruction #1

aybarsm · Sep 24, 2024 · fecdfa2 · fecdfa2
1 parent 0a63de5
commit fecdfa2
Show file tree

Hide file tree

Showing 59 changed files with 853 additions and 433 deletions.
diff --git a/plugins/modules/proxmox_acl.py b/plugins/modules/proxmox_acl.py
@@ -72,8 +72,8 @@
 '''
 
 from ansible.module_utils.basic import AnsibleModule
-from ansible.module_utils.pvesh import ProxmoxShellError
-import ansible.module_utils.pvesh as pvesh
+from ansible_collections.aybarsm.linux.plugins.module_utils.pvesh import ProxmoxShellError
+import ansible_collections.aybarsm.linux.plugins.module_utils.pvesh as pvesh
 
 class ProxmoxACL(object):
     def __init__(self, module):

diff --git a/plugins/modules/proxmox_group.py b/plugins/modules/proxmox_group.py
@@ -61,8 +61,8 @@
 
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils._text import to_text
-from ansible.module_utils.pvesh import ProxmoxShellError
-import ansible.module_utils.pvesh as pvesh
+from ansible_collections.aybarsm.linux.plugins.module_utils.pvesh import ProxmoxShellError
+import ansible_collections.aybarsm.linux.plugins.module_utils.pvesh as pvesh
 
 class ProxmoxGroup(object):
     def __init__(self, module):

diff --git a/plugins/modules/proxmox_pool.py b/plugins/modules/proxmox_pool.py
@@ -61,8 +61,8 @@
 
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils._text import to_text
-from ansible.module_utils.pvesh import ProxmoxShellError
-import ansible.module_utils.pvesh as pvesh
+from ansible_collections.aybarsm.linux.plugins.module_utils.pvesh import ProxmoxShellError
+import ansible_collections.aybarsm.linux.plugins.module_utils.pvesh as pvesh
 
 class ProxmoxPool(object):
     def __init__(self, module):

diff --git a/plugins/modules/proxmox_role.py b/plugins/modules/proxmox_role.py
@@ -49,8 +49,8 @@
 
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils._text import to_text
-from ansible.module_utils.pvesh import ProxmoxShellError
-import ansible.module_utils.pvesh as pvesh
+from ansible_collections.aybarsm.linux.plugins.module_utils.pvesh import ProxmoxShellError
+import ansible_collections.aybarsm.linux.plugins.module_utils.pvesh as pvesh
 
 class ProxmoxRole(object):
     def __init__(self, module):

diff --git a/plugins/modules/proxmox_user.py b/plugins/modules/proxmox_user.py
@@ -121,8 +121,8 @@
 
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils._text import to_text
-from ansible.module_utils.pvesh import ProxmoxShellError
-import ansible.module_utils.pvesh as pvesh
+from ansible_collections.aybarsm.linux.plugins.module_utils.pvesh import ProxmoxShellError
+import ansible_collections.aybarsm.linux.plugins.module_utils.pvesh as pvesh
 
 class ProxmoxUser(object):
     def __init__(self, module):

diff --git a/roles/ansible/defaults/main.yml b/roles/ansible/defaults/main.yml
diff --git a/roles/ansible/handlers/main.yml b/roles/ansible/handlers/main.yml
diff --git a/roles/ansible/meta/main.yml b/roles/ansible/meta/main.yml
diff --git a/roles/ansible/tasks/main.yml b/roles/ansible/tasks/main.yml
diff --git a/roles/ansible/tasks/update_local_facts.yml b/roles/ansible/tasks/update_local_facts.yml
diff --git a/roles/ansible/templates/aybarsm_linux.json.fact.j2 b/roles/ansible/templates/aybarsm_linux.json.fact.j2
diff --git a/roles/ansible/vars/main.yml b/roles/ansible/vars/main.yml
diff --git a/roles/auth/defaults/main.yml b/roles/auth/defaults/main.yml
@@ -18,7 +18,8 @@ auth__ssh_dir: /etc/ssh
 # If smart enabled and auth__sshd_validate provided then a dummy command task will run to trigger ssh service handlers as provided.
 # This is a workaround to avoid using changed_when in the template module to prevent misleading output.
 auth__ssh_changes_strategy:
-  module: service
+  # module: service
+  module: None
   immediate: true
   smart: true
   name: ssh.service
@@ -30,16 +31,22 @@ auth__sshd_config_dir: "{{ auth__ssh_dir }}/sshd_config.d"
 auth__sshd_config_file: "{{ auth__sshd_config_dir }}/50-ansible.conf"
 auth__sshd_config_template: etc/ssh/sshd_config.d/50-ansible.conf.j2
 auth__sshd_config_backup: true
+auth__sshd_config_cleanup: false
 auth__ssh_config_dir: "{{ auth__ssh_dir }}/ssh_config.d"
 auth__ssh_config_file: "{{ auth__ssh_config_dir }}/50-ansible.conf"
 auth__ssh_config_template: etc/ssh/ssh_config.d/50-ansible.conf.j2
 auth__ssh_config_backup: true
+auth__ssh_config_cleanup: false
+auth__renew_ssh_host_keys_once: false
+auth__ssh_host_keys_use_regex: true
+auth__ssh_host_keys_patterns: '^ssh_host_.*_key'
 ##### END: SSH Config #####
 
 ##### BEGIN: SUDOERS Config #####
 auth__sudoers_dir: /etc/sudoers.d
 auth__sudoers_file: "{{ auth__sudoers_dir }}/50-ansible"
 auth__sudoers_template: etc/sudoers.d/50-ansible.j2
+auth__sudoers_cleanup: false
 # Uncomment the following line to validate the sudoers file
 # auth__sudoers_validate: "/usr/sbin/visudo -c -f %s"
 ##### END: SUDOERS Config #####

diff --git a/roles/auth/handlers/main.yml b/roles/auth/handlers/main.yml
@@ -2,13 +2,13 @@
 - name: Effect systemd service for ssh changes
   become: true
   ansible.builtin.systemd_service:
-    daemon_reexec: "{{ service.daemon_reexec | default(omit) | bool }}"
-    daemon_reload: "{{ service.daemon_reload | default(omit) | bool }}"
-    enabled: "{{ service.enabled | default(omit) | bool }}"
-    force: "{{ service.force | default(omit) | bool }}"
-    masked: "{{ service.masked | default(omit) | bool }}"
+    daemon_reexec: "{{ service.daemon_reexec | default(omit) }}"
+    daemon_reload: "{{ service.daemon_reload | default(omit) }}"
+    enabled: "{{ service.enabled | default(omit) }}"
+    force: "{{ service.force | default(omit) }}"
+    masked: "{{ service.masked | default(omit) }}"
     name: "{{ service.name | default('ssh.service') }}"
-    no_block : "{{ service.no_block | default(omit) | bool }}"
+    no_block : "{{ service.no_block | default(omit) }}"
     scope: "{{ service.scope | default(omit) }}"
     state: "{{ service.state | default(omit) }}"
   vars:

diff --git a/roles/auth/meta/main.yml b/roles/auth/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+  - role: aybarsm.helper.ansible
diff --git a/roles/auth/tasks/authorized_keys.yml b/roles/auth/tasks/authorized_keys.yml
@@ -3,12 +3,14 @@
   set_fact:
     auth__authorized_keys_all: "{{ (auth__authorized_keys_all | default([])) + ssh_keys_distribute }}"
   vars:
-    distribute_query: "*.auth__users_apply.results[*] | [] | [?contains(not_null(item.distribute_ssh_key,``),`{{ inventory_hostname }}`)].{user: name, key: ssh_public_key}"
     ssh_keys_distribute: "{{ dict(hostvars) |
-      aybarsm.helper.only_with(ansible_play_batch | difference([inventory_hostname])) |
-      community.general.json_query(distribute_query) | default([]) }}"
+      aybarsm.helper.only_with(ansible_play_batch) |
+      community.general.json_query(__auth__key_distribute_query) | default([]) }}"
   register: auth__users__ssh_key_distribution
-  when: ssh_keys_distribute | length > 0
+  when:
+    - auth__users_apply.results is defined
+    - auth__users_apply.results | length > 0
+    - ssh_keys_distribute | length > 0
 
 - name: Retrieve passwd database in check mode for authorized keys
   become: true
@@ -23,15 +25,15 @@
   become: true
   ansible.posix.authorized_key:
     comment: "{{ item.comment | default(omit) }}"
-    exclusive: "{{ item.exclusive | default(omit) | bool }}"
-    follow: "{{ item.follow | default(omit) | bool }}"
+    exclusive: "{{ item.exclusive | default(omit) }}"
+    follow: "{{ item.follow | default(omit) }}"
     key: "{{ item.key }}"
     key_options: "{{ item.key_options | default(omit) }}"
-    manage_dir: "{{ item.manage_dir | default(omit) | bool }}"
+    manage_dir: "{{ item.manage_dir | default(omit) }}"
     path: "{{ item.path | default(omit) }}"
     state: "{{ item.state | default(omit) }}"
     user: "{{ item.user }}"
-    validate_certs: "{{ item.validate_certs | default(omit) | bool }}"
+    validate_certs: "{{ item.validate_certs | default(omit) }}"
   loop: "{{ auth__authorized_keys_all }}"
   register: auth__authorized_keys_apply
   when:

diff --git a/roles/auth/tasks/groups.yml b/roles/auth/tasks/groups.yml
@@ -2,13 +2,13 @@
 - name: Apply groups configuration
   become: true
   ansible.builtin.group:
-    force: "{{ item.force | default(omit) | bool }}"
+    force: "{{ item.force | default(omit) }}"
     gid: "{{ item.gid | default(omit) }}"
-    local: "{{ item.local | default(omit) | bool }}"
+    local: "{{ item.local | default(omit) }}"
     name: "{{ item.name }}"
-    non_unique: "{{ item.non_unique | default(omit) | bool }}"
+    non_unique: "{{ item.non_unique | default(omit) }}"
     state: "{{ item.state | default(omit) }}"
-    system: "{{ item.system | default(omit) | bool }}"
+    system: "{{ item.system | default(omit) }}"
   loop: "{{ auth__groups_all }}"
   register: auth__groups_apply
   when:

diff --git a/roles/auth/tasks/main.yml b/roles/auth/tasks/main.yml
@@ -24,6 +24,14 @@
     - auth__role_enabled | default(false) | bool
     - auth__manage_authorized_keys | default(false) | bool
 
+# TODO: Renew SSH host keys only once
+- name: Include ssh renew host keys tasks
+  ansible.builtin.include_tasks:
+    file: ssh_renew_host_keys.yml
+  when:
+    - auth__role_enabled | default(false) | bool
+    - auth__renew_ssh_host_keys_once | default(false) | bool
+
 - name: Include ssh config tasks
   ansible.builtin.include_tasks:
     file: ssh.yml