From 120b01b2cf3ad57babbf7cf329d4ed587405ccc6 Mon Sep 17 00:00:00 2001
From: nicoo
Date: Wed, 13 Jun 2018 19:34:36 +0200
Subject: [PATCH] vm/install: Bake authorized_keys in the initrd

This is less error-prone than cramming the SSH keys into the preseed.
Also, support setting VM-specific SSH keys.
---
 ansible/roles/vm/install/tasks/main.yml | 7 +++++++
 .../roles/vm/install/templates/preseed_debian-stretch.cfg.j2 | 4 +++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/ansible/roles/vm/install/tasks/main.yml b/ansible/roles/vm/install/tasks/main.yml
index 39e625f..aaa881e 100644
--- a/ansible/roles/vm/install/tasks/main.yml
+++ b/ansible/roles/vm/install/tasks/main.yml
@@ -19,12 +19,19 @@
 src: "preseed_{{ vmdistro }}-{{ vmdistcodename }}.cfg.j2"
 dest: "{{ tmpdir }}/preseed.cfg"

+ - name: generate authorized_keys file
+ authorized_key:
+ user: root
+ path: "{{ tmpdir }}/authorized_keys"
+ key: "{{ hostvars[vmname].ssh_keys | default(noc_ssh_keys) | join('\n') }}"
+
 - name: Inject files into initramfs
 shell: cpio -H newc -o | gzip -9 >> {{ initramfs }}
 args:
 chdir: "{{ tmpdir }}"
 stdin: |
 preseed.cfg
+ authorized_keys

 always:
 - name: Delete temporary directory
diff --git a/ansible/roles/vm/install/templates/preseed_debian-stretch.cfg.j2 b/ansible/roles/vm/install/templates/preseed_debian-stretch.cfg.j2
index 6d48fd2..6cf4b9b 100644
--- a/ansible/roles/vm/install/templates/preseed_debian-stretch.cfg.j2
+++ b/ansible/roles/vm/install/templates/preseed_debian-stretch.cfg.j2
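Review bot: The new `authorized_key:` task points `path:` at a file under `{{ tmpdir }}` but leaves `manage_dir` at its default, so the module will also take over the directory holding that file (owner set to `user: root`, and as far as I recall mode 0700) — the module's own documentation recommends `manage_dir: no` whenever `path` is used. I would add `manage_dir: no` directly under `path:`; if root-only access to the temporary directory is wanted, it belongs where that directory is created, which is outside this hunk. On the `key:` line, the `\n` inside the YAML double-quoted scalar is turned into a literal newline before Jinja ever sees the expression; it works, but `key: '{{ hostvars[vmname].ssh_keys | default(noc_ssh_keys) | join("\n") }}'` keeps the escape visible to Jinja and reads less ambiguously. Whether `default(noc_ssh_keys)` also covers the case where `vmname` is not an inventory host depends on how `hostvars[...]` reports a missing host, which is not visible here and is worth confirming before relying on the fallback.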
@@ -102,5 +102,7 @@ d-i finish-install/reboot_in_progress note
 d-i preseed/late_command string \
 lvremove -f {{ vmname }}/dummy; \
 in-target bash -c "apt-get update -q && apt-get full-upgrade -y -q"; \
- in-target bash -c "passwd -d root; passwd -l root; umask 077; mkdir -p /root/.ssh/; echo -e '{{ noc_ssh_keys | join('\\n') }}' > /root/.ssh/authorized_keys"; \
+ in-target bash -c "passwd -d root && passwd -l root"; \
+ mkdir -p -m 0700 /target/root/.ssh; \
+ cp /authorized_keys /target/root/.ssh/; \
 in-target bash -c "sed -e 's/^\(\s*#*\s*Port.*\)/Port 22000/' -i /etc/ssh/sshd_config"
--
1.7.10.4
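Review bot: The three new late_command steps are chained with `;`, so a failing `mkdir` or `cp /authorized_keys ...` does not abort the install, and because the preceding step has already run `passwd -l root`, the outcome is a VM with a locked root password and no authorized key — no remote login path left. The removed command also set `umask 077` before writing the file, whereas the new `cp` gives the copy whatever mode the initrd entry and d-i's umask happen to produce, which is not pinned anywhere in this hunk. I would chain the steps and fix the mode explicitly: `mkdir -p -m 0700 /target/root/.ssh && \` / `cp /authorized_keys /target/root/.ssh/ && \` / `chmod 0600 /target/root/.ssh/authorized_keys; \`, so that a failure surfaces as a late_command error rather than a silently unreachable host.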