Improve configuration step

metno · Feb 5, 2025 · 3d719f3 · 3d719f3
1 parent cdb6601
commit 3d719f3
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 8 deletions.
diff --git a/ansible/README.md b/ansible/README.md
@@ -87,7 +87,6 @@ ansible-playbook -i inventory.yml configure.yml (-e primary=...)
 ```
 
 The option inside parethesis is optional. The `configure.yml` file defines a default that can be overridden here.
-Note that you need to enter `yes` twice to when prompted during the `Gather facts` phase to connect to the VMs.
 The floating IP association can time out, but this is ignored as it is a known bug.
 The parts to do with the floating IP that belongs to the primary (ipalias) are based on this [repo](https://gitlab.met.no/ansible-roles/ipalias/-/tree/master?ref_type=heads).
 

diff --git a/ansible/configure.yml b/ansible/configure.yml
@@ -1,5 +1,13 @@
 ---
-- name: Configure VMs for replication
+- name: Configure ssh
+  hosts: servers
+  remote_user: ubuntu
+  gather_facts: false
+  tags: ssh
+  roles:
+    - role: ssh
+
+- name: Configure postgres for replication
   hosts: servers
   remote_user: ubuntu
   gather_facts: true
@@ -9,7 +17,6 @@
     primary: lard-a # or provide via cmd '-e primary=...'
 
   roles:
-    - role: ssh
     - role: pg
       vars:
         pg_version: 17

diff --git a/ansible/roles/pg/tasks/configure/install_postgres.yml b/ansible/roles/pg/tasks/configure/install_postgres.yml
@@ -7,6 +7,7 @@
 
 - name: Add postgres repository into sources list
   ansible.builtin.apt_repository:
+    # NOTE: ansible_distribution_release requires gather facts true!
     repo: "deb https://apt.postgresql.org/pub/repos/apt {{ ansible_distribution_release }}-pgdg main"
     state: present
   become: true

diff --git a/ansible/roles/pg/tasks/main.yml b/ansible/roles/pg/tasks/main.yml
@@ -19,6 +19,7 @@
 # This needs to be done after postgres installation
 - name: Share postgres SSH keys
   ansible.builtin.import_tasks: configure/ssh.yml
+  tags: ssh
 
 - name: Create primary
   when: ansible_host == pg_primary_ip

diff --git a/ansible/roles/ssh/tasks/main.yml b/ansible/roles/ssh/tasks/main.yml
@@ -1,13 +1,25 @@
 ---
-# TODO: kinda useless, since this is done automatically when you gather_facts the first time
+- name: Get hostkey
+  ansible.builtin.shell: |
+    set -o pipefail
+    ssh-keyscan '{{ ansible_host }}' | grep 'ecdsa-sha2-nistp256'
+  args:
+    executable: /bin/bash
+  register: key
+  changed_when: false
+  delegate_to: localhost
+
+- name: Assert we only have a single hostkey
+  ansible.builtin.assert:
+    that:
+      - key.stdout_lines | length == 1
+    fail_msg: More than one key grepped
+
 - name: Add hostkey to localhost `known_hosts`
   ansible.builtin.known_hosts:
     name: "{{ ansible_host }}"
     state: present
-    # NOTE: requires `gather_facts: true`
-    key: >
-      "{{ ansible_host }}" ecdsa-sha2-nistp256
-      "{{ ansible_ssh_host_key_ecdsa_public }}"
+    key: "{{ key.stdout }}"
     hash_host: true
   delegate_to: localhost