crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge branch 'action_sshfp' into 'newinfra' 

[moimoin-gendoc] Write ssh fingerprint instead of the full key that no one would ever read.

See merge request nounous/ansible!124
certbot_on_virtu
_pollion 2020-12-23 23:41:01 +01:00
parent d17968e246 ec6cd26d6c
commit 69565b8765
4 changed files with 83 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
action_plugins/sshfp.py 100755
View File

@ -0,0 +1,75 @@
import base64
import hashlib
from ansible.errors import AnsibleError
from ansible.plugins.action import ActionBase
from ansible.utils.display import Display
from ansible.module_utils._text import to_native
display = Display()
class ActionModule(ActionBase):
TRANSFERS_FILES = False
def _sshfp(self, key):
return(b'SHA256:'+base64.b64encode(
hashlib.sha256(base64.b64decode(key)
).digest()).replace(b'=',b'')).decode('utf-8')
def run(self, tmp=None, task_vars=None):
"""
The run method is the main Action Plugin driver. All work is done from within this method.
tmp: Temporary directory. Sometimes an action plugin sets up
a temporary directory and then calls another module. This parameter
allows us to reuse the same directory for both.
task_vars: The variables (host vars, group vars, config vars, etc) associated with this task.
Note that while this will contain Ansible facts from the host, they should be used
with caution as a user running Ansible can disable their collection. If you want
make sure that your Action Plugin always has access to the ones it needs, you may
want to consider running the setup module directly in the run the method and getting
the Ansible facts that way.
The strategy plugin which manages running tasks on instances uses an ansible.vars.manager
VariableManager instance to retrieve this context specific dict of variables.
"""
if task_vars is None:
task_vars = dict()
result = super(ActionModule, self).run(tmp, task_vars)
self._supports_check_mode = True
self._supports_async = False
setup_module_args=dict(
gather_subset='all',
gather_timeout=10
)
setup_result = self._execute_module(
module_name='setup',
module_args=setup_module_args,
persist_files=False,
task_vars=task_vars,
tmp=tmp,
)
hostname = task_vars.get('inventory_hostname')
for algo in ['rsa', 'ecdsa', 'ed25519']:
key = f'ansible_ssh_host_key_{algo}_public'
keyblob = setup_result['ansible_facts'].get(key)
if not keyblob:
display.vvv(f"host {hostname} doesn't offer {algo} ssh host key. Skipping...")
result[f'ssh_host_key_{algo}_fp'] = None
continue
try:
display.vvv("Trying to get fingerprint for {algo} ssh host key.")
fp = self._sshfp(keyblob)
result[f'ssh_host_key_{algo}_fp'] = fp
except Exception as e:
err_msg = to_native(e)
raise AnsibleError(err_msg)
return result

1
ansible.cfg
View File

@ -4,6 +4,7 @@
# Explicitely redefined some defaults to make play execution work
roles_path = ./roles
action_plugins = ./action_plugins
vars_plugins = ./vars_plugins
lookup_plugins = ./lookup_plugins

4
roles/moinmoin-gendoc/tasks/main.yml
View File

@ -10,6 +10,10 @@
- name: get dmidecode facts
dmidecode: {}
- name: get ssh fingerprints
sshfp: {}
register: sshfp
- name: "Create wiki page documenting {{ ansible_hostname }} (physical)"
when: ansible_system_vendor != 'QEMU'
moinmoin_page:

6
roles/moinmoin-gendoc/templates/server.j2
View File

@ -83,15 +83,15 @@ et {{ (ansible_memory_mb.swap.total/1024)|round(1) }} GiB de SWAP.
'''RSA''' :
{{ '{{{' }}
{{ ansible_ssh_host_key_rsa_public | wordwrap }}
{{ sshfp.ssh_host_key_rsa_fp }}
{{ '}}}' }}
'''ECDSA''' :
{{ '{{{' }}
{{ ansible_ssh_host_key_ecdsa_public | wordwrap }}
{{ sshfp.ssh_host_key_ecdsa_fp }}
{{ '}}}' }}
'''ED25519''' :
{{ '{{{' }}
{{ ansible_ssh_host_key_ed25519_public | wordwrap }}
{{ sshfp.ssh_host_key_ed25519_fp }}
{{ '}}}' }}