Reworked persist_hostkeys role to use common set of persistent keys from state directory

Author: wtripp180901

ansible/roles/persist_hostkeys/README.md

@@ -1,8 +1,5 @@
 # persist_hostkeys
 
-Save hostkeys to persistent storage and restore them after a rebuild/reimage.
+Idempotently generates a persistent set of hostkeys and restores them after a rebuild/reimage.
 
-Add hosts to the `persist_hostkeys` group to enable.
-
-This role has no variables but hosts in this group must have `appliances_state_dir`
-defined as a directory they can write to on persistent storage.
+Add hosts to the `persist_hostkeys` group to enable. All hosts in group will share the same set hostkeys.

ansible/roles/persist_hostkeys/defaults/main.yml

@@ -0,0 +1,2 @@
+persist_hostkeys_state_server: "{{ groups['control'] | first }}"
+persist_hostkeys_state_dir: "{{ hostvars[persist_hostkeys_state_server]['appliances_state_dir'] }}/hostkeys"

ansible/roles/persist_hostkeys/tasks/main.yml

@@ -1,33 +1,46 @@
 ---
 
-- name: Ensure hostkeys directory exists on persistent storage
-  file:
-    path: "{{ appliances_state_dir }}/hostkeys/{{ inventory_hostname }}"
-    state: directory
-    owner: root
-    group: root
-    mode: 0600
+- name: Generate persistent hostkeys in state directory
+  delegate_to: "{{ persist_hostkeys_state_server }}"
+  block:
+  - name: Ensure hostkeys directory exists on persistent storage
+    file:
+      path: "{{ persist_hostkeys_state_dir }}"
+      state: directory
+      owner: root
+      group: root
+      mode: 0600
 
-- name: Copy hostkeys from persistent storage
-  # won't fail if no keys are in persistent storage
-  copy:
-    src: "{{ appliances_state_dir }}/hostkeys/{{ inventory_hostname }}/"
-    dest: /etc/ssh/
-    remote_src: true
+  - name: Check for existing hostkeys
+    find:
+      paths: "{{ persist_hostkeys_state_dir }}/"
+    register: _files_found
+
+  - name: Generate hostkeys
+    when: _files_found.matched == 0
+    shell:
+      cmd: |
+        mkdir -p {{ persist_hostkeys_state_dir }}/etc/ssh
+        ssh-keygen -A -N \"\" -f {{ persist_hostkeys_state_dir }}
+        mv {{ persist_hostkeys_state_dir }}/etc/ssh/* {{ persist_hostkeys_state_dir }}
+        rm -rf {{ persist_hostkeys_state_dir }}/etc/ssh
+  
+  - name: Get created key names
+    find:
+      path: "{{ persist_hostkeys_state_dir }}/"
+    register: _find_ssh_keys
 
-- name: Find hostkeys
-  find:
-    path: /etc/ssh/
-    patterns: ssh_host_*_key*
-  register: _find_ssh_keys
+  - name: Create in-memory copies of keys
+    ansible.builtin.slurp:
+      src: "{{ item.path }}"
+    loop: "{{ _find_ssh_keys.files }}"
+    register: _slurp_keys
 
-- name: Persist hostkeys
+- name: Copy keys to hosts
+  no_log: true
   copy:
-    dest: "{{ appliances_state_dir }}/hostkeys/{{ inventory_hostname }}/"
-    src: "{{ item }}"
-    remote_src: true
-    mode: preserve
-  loop: "{{ _find_ssh_keys.files | map(attribute='path') }}"
+    content: "{{ item.content | b64decode }}"
+    dest: "/etc/ssh/{{ item.source | regex_search('[^/]+$') }}"
+  loop: "{{ _slurp_keys.results }}"
 
 - meta: reset_connection
-

environments/common/layouts/everything

@@ -69,8 +69,10 @@ openhpc
 [manila]
 # Hosts to configure for manila fileshares
 
-[persist_hostkeys]
-# Hosts to persist hostkeys for across reimaging. NB: Requires appliances_state_dir on hosts.
+[persist_hostkeys:children]
+# Hosts to use common set of hostkeys which persist across reimaging.
+login
+openondemand
 
 [squid]
 # Hosts to run squid proxy