rotate ansibe-user ssh key (#544)

Co-authored-by: Michael Grote <michael.grote@posteo.de> Reviewed-on: #544
2023-07-03 22:42:46 +02:00 · 2023-07-03 22:42:46 +02:00 · ce813a881b
commit ce813a881b
parent 8e9465e0b9
7 changed files with 11 additions and 7 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,6 +2,9 @@
 vault-pass.yml
 id_rsa_ansible_user
 id_rsa_ansible_user_pub
+id_rsa_ansible_user.pub
 plugins/lookup/__pycache__/**
 plugins/callback/__pycache__/
 trace/**json
+id_ed25519
+id_ed25519.pub
--- a/ansible.cfg
+++ b/ansible.cfg
@ -5,7 +5,7 @@ retry_files_enabled   = False
 roles_path            = ./roles
 lookup_plugins        = ./plugins/lookup
 collections_paths     = ./ansible_collections
-private_key_file      = ./id_rsa_ansible_user
+private_key_file      = ./id_ed25519
 vault_password_file   = vault-pass.yml
 gathering             = smart
 #display_ok_hosts      = no # zeigt nur noch changed und error tasks/hosts an
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@ -43,7 +43,7 @@
      update_password: on_create
      groups: ssh, sudo
      state: present
-      public_ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyqs0OE5RVqs6tIzyuGQWvq/OVDa/tfdSEqMIwcthFt+pwCCjpqtNc8L8FSXgphSwuNosFakqhMLDFD3pmII+t61NRExsoR3nGTDuCAQnTvTKXTEfhnunN3pwgXWVTI68j9pRzmSy+hMkSFbgN9EGMSXxGcNunY7ewS3ZkVe08SWFpiX9giYq6uiOiMHsZKdcP6s2QRXUhZlTx2cOc/9gJ5lD82EUXQRZzT6ww2xVrceIW9c3CZFmSmYWxvrR7dPcHrke90FPPd5WhU+Anz++6GsT6+OhZTk+uQnBHllFXn9NoFQIEUDO4zV+gFXITaAbTkLAcCwuKB2QcDZ6C2mhf ansible-generated on ansible-v2
+      public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE mg@irantu
      allow_sudo: true
      allow_passwordless_sudo: true
  ### mgrote.munin-node
--- a/group_vars/docker.yml
+++ b/group_vars/docker.yml
@ -39,7 +39,7 @@
      update_password: on_create
      groups: ssh, sudo
      state: present
-      public_ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyqs0OE5RVqs6tIzyuGQWvq/OVDa/tfdSEqMIwcthFt+pwCCjpqtNc8L8FSXgphSwuNosFakqhMLDFD3pmII+t61NRExsoR3nGTDuCAQnTvTKXTEfhnunN3pwgXWVTI68j9pRzmSy+hMkSFbgN9EGMSXxGcNunY7ewS3ZkVe08SWFpiX9giYq6uiOiMHsZKdcP6s2QRXUhZlTx2cOc/9gJ5lD82EUXQRZzT6ww2xVrceIW9c3CZFmSmYWxvrR7dPcHrke90FPPd5WhU+Anz++6GsT6+OhZTk+uQnBHllFXn9NoFQIEUDO4zV+gFXITaAbTkLAcCwuKB2QcDZ6C2mhf ansible-generated on ansible-v2
+      public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE mg@irantu
      allow_sudo: true
      allow_passwordless_sudo: true
  ### geerlingguy.docker
--- a/group_vars/pbs.yml
+++ b/group_vars/pbs.yml
@ -24,7 +24,7 @@
      update_password: on_create
      groups: ssh, sudo
      state: present
-      public_ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyqs0OE5RVqs6tIzyuGQWvq/OVDa/tfdSEqMIwcthFt+pwCCjpqtNc8L8FSXgphSwuNosFakqhMLDFD3pmII+t61NRExsoR3nGTDuCAQnTvTKXTEfhnunN3pwgXWVTI68j9pRzmSy+hMkSFbgN9EGMSXxGcNunY7ewS3ZkVe08SWFpiX9giYq6uiOiMHsZKdcP6s2QRXUhZlTx2cOc/9gJ5lD82EUXQRZzT6ww2xVrceIW9c3CZFmSmYWxvrR7dPcHrke90FPPd5WhU+Anz++6GsT6+OhZTk+uQnBHllFXn9NoFQIEUDO4zV+gFXITaAbTkLAcCwuKB2QcDZ6C2mhf ansible-generated on ansible-v2
+      public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE mg@irantu
      allow_sudo: true
      allow_passwordless_sudo: true

--- a/group_vars/pve.yml
+++ b/group_vars/pve.yml
@ -23,9 +23,10 @@
      update_password: on_create
      groups: ssh, sudo
      state: present
-      public_ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyqs0OE5RVqs6tIzyuGQWvq/OVDa/tfdSEqMIwcthFt+pwCCjpqtNc8L8FSXgphSwuNosFakqhMLDFD3pmII+t61NRExsoR3nGTDuCAQnTvTKXTEfhnunN3pwgXWVTI68j9pRzmSy+hMkSFbgN9EGMSXxGcNunY7ewS3ZkVe08SWFpiX9giYq6uiOiMHsZKdcP6s2QRXUhZlTx2cOc/9gJ5lD82EUXQRZzT6ww2xVrceIW9c3CZFmSmYWxvrR7dPcHrke90FPPd5WhU+Anz++6GsT6+OhZTk+uQnBHllFXn9NoFQIEUDO4zV+gFXITaAbTkLAcCwuKB2QcDZ6C2mhf ansible-generated on ansible-v2
+      public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE mg@irantu
      allow_sudo: true
      allow_passwordless_sudo: true
+      
  ### mgrote.apt_manage_packages
  apt_packages_extra:
    - ifupdown2
--- a/playbooks/on-off/remove_old_ssh_key.yml
+++ b/playbooks/on-off/remove_old_ssh_key.yml
@ -6,7 +6,7 @@
    - name: Set authorized key taken from file
      become: yes
      ansible.posix.authorized_key:
-        user: mg
+        user: ansible-user
        state: present
-        key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKL8opSQ0rWVw9uCfbuiqmXq188OP4xh66MBTO3zV5jo heimserver_mg_v3
+        key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE mg@irantu
        exclusive: true #entferne alle keys bis auf diesen