orahost_ssh: Role rewritten with modern ansible modules

Author: Rendanic

changelogs/fragments/ssh.yml

@@ -0,0 +1,3 @@
+---
+minor_changes:
+  - "orahost_ssh: Role rewritten with modern ansible modules ()"

roles/orahost_ssh/README.md

@@ -2,18 +2,11 @@
 
 SSH Setup for Oracle Grid-Infrastructure installations.
 
-This role needs a complete refactoring in the future!
-
 ## Table of content
 
 - [Requirements](#requirements)
 - [Default Variables](#default-variables)
-  - [grid_user](#grid_user)
-  - [hostgroup](#hostgroup)
-  - [oracle_group](#oracle_group)
-  - [oracle_user](#oracle_user)
-  - [oracle_users](#oracle_users)
-- [Discovered Tags](#discovered-tags)
+  - [orahost_ssh_keyname](#orahost_ssh_keyname)
 - [Dependencies](#dependencies)
 - [License](#license)
 - [Author](#author)
@@ -26,51 +19,20 @@ This role needs a complete refactoring in the future!
 
 ## Default Variables
 
-### grid_user
-
-#### Default value
-
-```YAML
-grid_user: grid
-```
-
-### hostgroup
+### orahost_ssh_keyname
 
-#### Default value
+The name of used key during role execution.
 
-```YAML
-hostgroup: '{{ group_names[0] }}'
-```
+Example for oracle:
 
-### oracle_group
+/home/oracle/.ssh/{{ orahost_ssh_keyname }}
 
 #### Default value
 
 ```YAML
-oracle_group: oinstall
+orahost_ssh_keyname: id_ed25519
 ```
 
-### oracle_user
-
-#### Default value
-
-```YAML
-oracle_user: oracle
-```
-
-### oracle_users
-
-#### Default value
-
-```YAML
-oracle_users:
-  - {username: oracle, primgroup: oinstall}
-  - {username: grid, primgroup: oinstall}
-```
-
-## Discovered Tags
-
-**_sshkeys,known_hosts_**
 
 
 ## Dependencies
@@ -84,4 +46,4 @@ license (MIT)
 
 ## Author
 
-[Mikael Sandström]
+[Thorsten Bruhns]

roles/orahost_ssh/defaults/main.yml

@@ -1,9 +1,9 @@
 ---
-# defaults file for host-config-ssh
-hostgroup: "{{ group_names[0] }}"
-oracle_group: oinstall                          # Primary group for oracle_user.
-oracle_user: oracle
-grid_user: grid
-oracle_users:         # Passwd :Oracle123
-  - {username: oracle, primgroup: oinstall}
-  - {username: grid, primgroup: oinstall}
+# @var orahost_ssh_keyname:description: >
+# The name of used key during role execution.
+#
+# Example for oracle:
+#
+# /home/oracle/.ssh/{{ orahost_ssh_keyname }}
+# @end
+orahost_ssh_keyname: id_ed25519

roles/orahost_ssh/meta/main.yml

@@ -2,14 +2,13 @@
 # @meta description: >
 # SSH Setup for Oracle Grid-Infrastructure installations.
 #
-# This role needs a complete refactoring in the future!
 # @end
-# @meta author: [Mikael Sandström]
+# @meta author: [Thorsten Bruhns]
 galaxy_info:
   role_name: orahost_ssh
-  author: Mikael Sandström
+  author: Thorsten Bruhns
   description: SSH Setup for Oracle Grid-Infrastructure installations.
-  company: Mikael Sandström
+  company: Thorsten Bruhns
   license: license (MIT)
 
   min_ansible_version: 2.14.0
@@ -20,6 +19,7 @@ galaxy_info:
         - "6"
         - "7"
         - "8"
+        - "9"
     - name: SLES
       versions:
         - "15"

roles/orahost_ssh/tasks/known-hosts.yml

@@ -0,0 +1,48 @@
+---
+# Variables:
+#   _key_owner: oracle
+#   _key_owner_home: /home/oracle
+#
+- name: Create .ssh directory for user {{ _key_owner }}
+  ansible.builtin.file:
+    path: "{{ _key_owner_home }}/.ssh"
+    owner: "{{ _key_owner }}"
+    mode: 0700
+    state: directory
+
+# Keys are only created when not existing.
+- name: Create ssh-key for user {{ _key_owner }}
+  community.crypto.openssh_keypair:
+    path: "{{ _key_owner_home }}/.ssh/{{ orahost_ssh_keyname }}"
+    owner: "{{ _key_owner }}"
+    type: ed25519
+
+- name: Read public key from remote host for user {{ _key_owner }}
+  ansible.builtin.slurp:
+    src: "{{ _key_owner_home }}/.ssh/{{ orahost_ssh_keyname }}.pub"
+  register: ssh_pubkey_res
+
+# All public keys from all cluster node are added to all authorized keys
+# loop over orasw_meta_cluster_hostgroup and write public key to target host.
+- name: Add public key to authorized_keys for user {{ _key_owner }}
+  ansible.posix.authorized_key:
+    key: >-
+      {{ hostvars[item]['ssh_pubkey_res']['content'] | b64decode | split('\n') | first }}
+    user: "{{ _key_owner }}"
+    state: present
+  with_items: "{{ groups[orasw_meta_cluster_hostgroup] }}"
+
+- name: Read host key from remote host with ssh-keyscan
+  ansible.builtin.command: ssh-keyscan -t ecdsa-sha2-nistp256 {{ ansible_hostname }}
+  register: ssh_hostkey_res
+  changed_when: ssh_hostkey_res.rc == 0
+
+- name: Add hostkeys to user {{ _key_owner }}
+  ansible.builtin.known_hosts:
+    name: "{{ _hostkey_line | split(' ') | first }}"
+    key: "{{ _hostkey_line }}"
+    path: "{{ _key_owner_home }}/.ssh/known_hosts"
+    state: present
+  with_items: "{{ groups[orasw_meta_cluster_hostgroup] }}"
+  vars:
+    _hostkey_line: "{{ hostvars[item]['ssh_hostkey_res']['stdout_lines'] | first }}"

roles/orahost_ssh/tasks/loop_osuser.yml

@@ -2,65 +2,19 @@
 - name: Deploy SSH-Keys on Cluster
   when:
     - _oraswgi_meta_configure_cluster | default(false)
+    - inventory_hostname in groups[orasw_meta_cluster_hostgroup]
   block:
+    - name: SSH-Keys for {{ oracle_user }}
+      ansible.builtin.include_tasks: loop_osuser.yml
+      vars:
+        _key_owner_home: "{{ oracle_user_home }}"
+        _key_owner: "{{ oracle_user }}"
 
-    - name: ssh-keys | get public key for oracle user
-      ansible.builtin.shell: cat /home/{{ oracle_user }}/.ssh/id_rsa.pub
-      # noqa command-instead-of-shell no-changed-when
-      register: oracle_key
-      tags:
-        - sshkeys
-
-    - name: ssh-keys | get public key for grid user
-      ansible.builtin.shell: cat /home/{{ grid_user }}/.ssh/id_rsa.pub
-      # noqa command-instead-of-shell no-changed-when
-      register: grid_key
-      when: role_separation
-      tags:
-        - sshkeys
-
-    - name: ssh-keys | Add keys for {{ oracle_user }}
-      ansible.posix.authorized_key:
-        user: "{{ oracle_user }}"
-        key: "{{ item[1] }}"
-      delegate_to: "{{ item[0] }}"
-      with_nested:
-        - "{{ groups[hostgroup] }}"
-        - "{{ oracle_key.stdout }}"
-      tags:
-        - sshkeys
-      when: oracle_key is defined
-
-    - name: ssh-keys | Add keys for {{ grid_user }}
-      ansible.posix.authorized_key:
-        user: "{{ grid_user }}"
-        key: "{{ item[1] }}"
-      delegate_to: "{{ item[0] }}"
-      with_nested:
-        - "{{ groups[hostgroup] }}"
-        - "{{ grid_key.stdout }}"
-      tags:
-        - sshkeys
-      when: role_separation and grid_key is defined
-
-    - name: ssh-keys | create .known_hosts
-      ansible.builtin.file:
-        path: "/home/{{ item }}/.ssh/known_hosts"
-        state: touch
-        owner: "{{ item }}"
-        group: "{{ oracle_group }}"
-        mode: 0600
-      with_items:
-        - "{{ oracle_user }}"
-        - "{% if role_separation %}{{ grid_user }}{% else %}[]{% endif %}"
-      changed_when: false
-      tags: sshkeys,known_hosts
-
-    - name: Deploy known_hosts
-      ansible.builtin.include_tasks: known-hosts.yml
-      with_items:
-        - "{{ oracle_user }}"
-        - "{% if role_separation %}{{ grid_user }}{% else %}[]{% endif %}"
-      loop_control:
-        loop_var: user
-      tags: sshkeys,known_hosts
+    - name: SSH-Keys for {{ _grid_install_user }}
+      ansible.builtin.include_tasks: loop_osuser.yml
+      vars:
+        _key_owner_home: "{{ grid_user_home }}"
+        _key_owner: "{{ _grid_install_user }}"
+      when:
+        - role_separation | bool
+        - oracle_user != _grid_install_user

roles/orahost_ssh/tasks/main.yml

@@ -0,0 +1,2 @@
+---
+_orahost_ssh_hostkey_filename: /etc/ssh/ssh_host_rsa_key.pub