From ce813a881b7e900bc6e63324c86b524eab653552 Mon Sep 17 00:00:00 2001
From: mg
Date: Mon, 3 Jul 2023 22:42:46 +0200
Subject: [PATCH] rotate ansibe-user ssh key (#544)
Co-authored-by: Michael Grote
Reviewed-on: https://git.mgrote.net/mg/homeserver/pulls/544
---
 .gitignore | 3 +++
 ansible.cfg | 2 +-
 group_vars/all.yml | 2 +-
 group_vars/docker.yml | 2 +-
 group_vars/pbs.yml | 2 +-
 group_vars/pve.yml | 3 ++-
 playbooks/on-off/remove_old_ssh_key.yml | 4 ++--
 7 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/.gitignore b/.gitignore
index 1bc743d1..e70d0af2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,9 @@
 vault-pass.yml
 id_rsa_ansible_user
 id_rsa_ansible_user_pub
+id_rsa_ansible_user.pub
 plugins/lookup/__pycache__/**
 plugins/callback/__pycache__/
 trace/**json
+id_ed25519
+id_ed25519.pub
diff --git a/ansible.cfg b/ansible.cfg
index 96643c7d..aaa758e4 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -5,7 +5,7 @@ retry_files_enabled = False
 roles_path = ./roles
 lookup_plugins = ./plugins/lookup
 collections_paths = ./ansible_collections
-private_key_file = ./id_rsa_ansible_user
+private_key_file = ./id_ed25519
 vault_password_file = vault-pass.yml
 gathering = smart
 #display_ok_hosts = no # zeigt nur noch changed und error tasks/hosts an
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 000d12df..ddc3b4dc 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
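Review bot: `private_key_file = ./id_ed25519` switches every run to the new key in the same commit that first distributes the matching public key, so any host on which playbooks/on-off/remove_old_ssh_key.yml has not yet been run is unreachable for Ansible the moment this lands. Nothing in the repository records that ordering; I would add a comment above the line, `# key rotation: install the new public key on all hosts (playbooks/on-off/remove_old_ssh_key.yml, run with the previous key) before changing this path`. The old path `./id_rsa_ansible_user` stays in .gitignore, which is fine, but a note on when the old private key can be deleted from the controller would complete the procedure.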
@@ -43,7 +43,7 @@
 update_password: on_create
 groups: ssh, sudo
 state: present
- public_ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyqs0OE5RVqs6tIzyuGQWvq/OVDa/tfdSEqMIwcthFt+pwCCjpqtNc8L8FSXgphSwuNosFakqhMLDFD3pmII+t61NRExsoR3nGTDuCAQnTvTKXTEfhnunN3pwgXWVTI68j9pRzmSy+hMkSFbgN9EGMSXxGcNunY7ewS3ZkVe08SWFpiX9giYq6uiOiMHsZKdcP6s2QRXUhZlTx2cOc/9gJ5lD82EUXQRZzT6ww2xVrceIW9c3CZFmSmYWxvrR7dPcHrke90FPPd5WhU+Anz++6GsT6+OhZTk+uQnBHllFXn9NoFQIEUDO4zV+gFXITaAbTkLAcCwuKB2QcDZ6C2mhf ansible-generated on ansible-v2
+ public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE mg@irantu
 allow_sudo: true
 allow_passwordless_sudo: true
 ### mgrote.munin-node
diff --git a/group_vars/docker.yml b/group_vars/docker.yml
index 7484014f..e87606e7 100644
--- a/group_vars/docker.yml
+++ b/group_vars/docker.yml
@@ -39,7 +39,7 @@
 update_password: on_create
 groups: ssh, sudo
 state: present
- public_ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyqs0OE5RVqs6tIzyuGQWvq/OVDa/tfdSEqMIwcthFt+pwCCjpqtNc8L8FSXgphSwuNosFakqhMLDFD3pmII+t61NRExsoR3nGTDuCAQnTvTKXTEfhnunN3pwgXWVTI68j9pRzmSy+hMkSFbgN9EGMSXxGcNunY7ewS3ZkVe08SWFpiX9giYq6uiOiMHsZKdcP6s2QRXUhZlTx2cOc/9gJ5lD82EUXQRZzT6ww2xVrceIW9c3CZFmSmYWxvrR7dPcHrke90FPPd5WhU+Anz++6GsT6+OhZTk+uQnBHllFXn9NoFQIEUDO4zV+gFXITaAbTkLAcCwuKB2QcDZ6C2mhf ansible-generated on ansible-v2
+ public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE mg@irantu
 allow_sudo: true
 allow_passwordless_sudo: true
 ### geerlingguy.docker
diff --git a/group_vars/pbs.yml b/group_vars/pbs.yml
index a1e90231..8a24b2f4 100644
--- a/group_vars/pbs.yml
+++ b/group_vars/pbs.yml
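Review bot: The new `public_ssh_key` value is the same literal pasted into group_vars/all.yml, group_vars/docker.yml, group_vars/pbs.yml and group_vars/pve.yml (and once more into playbooks/on-off/remove_old_ssh_key.yml), which is why this rotation had to touch five files and why the next one can silently leave a stale copy behind in one of them. Since all.yml already applies to every host, define the key once there, e.g. `ansible_user_public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE mg@irantu`, and have each group's user entry use `public_ssh_key: "{{ ansible_user_public_ssh_key }}"` — this assumes the per-group files redefine the whole user list rather than merging, which the hunks suggest but do not show. The old key's comment `ansible-generated on ansible-v2` documented where it came from; the new comment `mg@irantu` reads like a personal workstation key, so if that is deliberate a one-line comment above the entry stating that this key pair is dedicated to the ansible-user account would keep that provenance. The enclosing user entry starts above each of these hunks.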
@@ -24,7 +24,7 @@ update_password: on_create groups: ssh, sudo state: present - public_ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyqs0OE5RVqs6tIzyuGQWvq/OVDa/tfdSEqMIwcthFt+pwCCjpqtNc8L8FSXgphSwuNosFakqhMLDFD3pmII+t61NRExsoR3nGTDuCAQnTvTKXTEfhnunN3pwgXWVTI68j9pRzmSy+hMkSFbgN9EGMSXxGcNunY7ewS3ZkVe08SWFpiX9giYq6uiOiMHsZKdcP6s2QRXUhZlTx2cOc/9gJ5lD82EUXQRZzT6ww2xVrceIW9c3CZFmSmYWxvrR7dPcHrke90FPPd5WhU+Anz++6GsT6+OhZTk+uQnBHllFXn9NoFQIEUDO4zV+gFXITaAbTkLAcCwuKB2QcDZ6C2mhf ansible-generated on ansible-v2 + public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE mg@irantu allow_sudo: true allow_passwordless_sudo: true diff --git a/group_vars/pve.yml b/group_vars/pve.yml index 25aec9fc..c4f3d8b6 100644 --- a/group_vars/pve.yml +++ b/group_vars/pve.yml @@ -23,9 +23,10 @@ update_password: on_create groups: ssh, sudo state: present - public_ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyqs0OE5RVqs6tIzyuGQWvq/OVDa/tfdSEqMIwcthFt+pwCCjpqtNc8L8FSXgphSwuNosFakqhMLDFD3pmII+t61NRExsoR3nGTDuCAQnTvTKXTEfhnunN3pwgXWVTI68j9pRzmSy+hMkSFbgN9EGMSXxGcNunY7ewS3ZkVe08SWFpiX9giYq6uiOiMHsZKdcP6s2QRXUhZlTx2cOc/9gJ5lD82EUXQRZzT6ww2xVrceIW9c3CZFmSmYWxvrR7dPcHrke90FPPd5WhU+Anz++6GsT6+OhZTk+uQnBHllFXn9NoFQIEUDO4zV+gFXITaAbTkLAcCwuKB2QcDZ6C2mhf ansible-generated on ansible-v2 + public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE mg@irantu allow_sudo: true allow_passwordless_sudo: true + ### mgrote.apt_manage_packages apt_packages_extra: - ifupdown2 diff --git a/playbooks/on-off/remove_old_ssh_key.yml b/playbooks/on-off/remove_old_ssh_key.yml index d4c33d0a..1efe73f8 100644 --- a/playbooks/on-off/remove_old_ssh_key.yml +++ b/playbooks/on-off/remove_old_ssh_key.yml 
@@ -6,7 +6,7 @@
 - name: Set authorized key taken from file
 become: yes
 ansible.posix.authorized_key:
- user: mg
+ user: ansible-user
 state: present
- key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKL8opSQ0rWVw9uCfbuiqmXq188OP4xh66MBTO3zV5jo heimserver_mg_v3
+ key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE mg@irantu
 exclusive: true #entferne alle keys bis auf diesen
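Review bot: With `user: ansible-user` now targeted, the existing `exclusive: true` makes this play delete every other authorized key of the automation account on its first run, so it has to be executed with the previous key while ansible.cfg in this same commit already points at `./id_ed25519`; the play does not say so. I would add a comment under the task name, `# run with the previous key (e.g. ansible-playbook --private-key ./id_rsa_ansible_user ...); exclusive removes all other keys of ansible-user`, and keep the key value in sync with group_vars, since a mismatch here would strip the key the regular runs install. Two style points on the same task: `become: yes` should be `become: true` (YAML 1.2 parsers and yamllint's truthy rule do not treat `yes` as a boolean), and the inline comment needs two spaces before and one after the hash, `exclusive: true  # entferne alle keys bis auf diesen`. The play header and any further tasks lie outside this hunk.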