From 6c60c6bd400b104a6f2d5b8c116162e32af453c0 Mon Sep 17 00:00:00 2001
From: Evangelos Foutras <evangelos@foutrelis.com>
Date: Fri, 25 Feb 2022 07:32:23 +0200
Subject: [PATCH] tasks/sync-ssh-hostkeys: allow custom known_hosts

Change docs/ssh-known_hosts.txt to be partially managed by Ansible, so
custom entries can be added to the top of the file. Use the new format
to write down the host keys of our two borg hosts.
---
 docs/ssh-known_hosts.txt              | 19 +++++++++++++------
 host_vars/u236610.your-storagebox.de  |  1 -
 host_vars/zh1905.rsync.net            |  1 -
 playbooks/tasks/sync-ssh-hostkeys.yml | 19 ++++---------------
 4 files changed, 17 insertions(+), 23 deletions(-)

diff --git a/docs/ssh-known_hosts.txt b/docs/ssh-known_hosts.txt
index ed1d299e5..945c327c5 100644
--- a/docs/ssh-known_hosts.txt
+++ b/docs/ssh-known_hosts.txt
@@ -1,3 +1,15 @@
+# u236610.your-storagebox.de
+[u236610.your-storagebox.de]:23 ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGK0po6usux4Qv2d8zKZN1dDvbWjxKkGsx7XwFdSUCnF19Q8psHEUWR7C/LtSQ5crU/g+tQVRBtSgoUcE8T+FWp5wBxKvWG2X9gD+s9/4zRmDeSJR77W6gSA/+hpOZoSE+4KgNdnbYSNtbZH/dN74EG7GLb/gcIpbUUzPNXpfKl7mQitw==
+[u236610.your-storagebox.de]:23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs
+[u236610.your-storagebox.de]:23 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==
+
+# zh1905.rsync.net
+zh1905.rsync.net ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLR2uz+YLn2KiQK0Luu8rhfWS6LHgUfGAWB1j8rM2MKn4KZ2/LhIX1CYkPKMTPxHr6mzayeL1T1hyJIylxXv0BY=
+zh1905.rsync.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtclizeBy1Uo3D86HpgD3LONGVH0CJ0NT+YfZlldAJd
+zh1905.rsync.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPgHxQyaDaVxUefoUJZO/lITh0Gp0sqbP7HejQcCfZi7gAcuM6/IAuUXLHFImefCHh52x6T/cHxgL1qz26GKgdxykl06WRXlRIuE45QFSy/cd9JKr6l58fKq30ApmXRsCNwFrMlFPoEpCTqxzddZ9cLXs1Yt9dRxvFlQVEuAzw7ayvt8DE6RP9/CHYVp54wbbvUToECGwu70sxY1vFg51K+vNpvJ3J0t5j3s4c1Wls4BrIwqi2U8kqCq9Nj2CUIQqjM+93CSqEacR3qOGvG/6QMzd733wzpJ/iZee+lcyTYzA0YNMosnaF01hrv7NMwtZ6xRFLlJZtMZ7JpfySrOBr
+
+# BEGIN ANSIBLE MANAGED BLOCK
+
 # accounts.archlinux.org
 accounts.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFi9o8CPcvujoELaKVRqMh92KiMJrBvvoTpf3FlTNAfAo641IdkGqzqCFyJA1FeFXLYOS+Zeehi1AMe1iI/b1js=
 accounts.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBu3+qlfqd8FwqodNzem7cCVcNA5RQpidYHkDRPdsZzq
@@ -183,9 +195,4 @@ wiki.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzd
 wiki.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILFxxvRi7khrt6mUQGiXX35O1MBrrDeEmvaAnWo9ql/7
 wiki.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZQmj2D2B66bBHzze7+LEITju0rmtJT2rYsV/1GGpEPg6q6GAkUnIgRpyYxRn+UKRO9akDFXLv7W02h86cfbxOjeHufGMy/Y7NCPl2OSP9VauavJ3c3v/n80nmntU/Ji/U/p/roP0z+/OPgdWymFm0n33cl+XhmNOUumYQ7Y3z7EzrvCFZo2gt1EYChXb5Pd32rkd9tiwr3O0/M7TEiUxODzoD1dum+TJafUttC20V/4Sj8HztPx2BzhRugXfeEDbVlYvMXMMYgxbbhXLZyuE/dCaYpRvuekouAob7voIRSUaNqFXBLcGgo0udRI0mnKLgTb5bMprrRZ1zXIBU77H3gWyfHqe2I20arhXivtsHLEOZi0hc2/ni15WqkNS8G23n/+hJ+H16bjVb6t+8opErY4mL8T+F6OkxmNo8d0ztwUdxHEa+fvNPQ8UO6W4CN6kNVB9JE4f8j9FeHQq8rtlzo0wjUof4D7PhDn2WYA1l9RDiuRUxlGS4waStmttM3dE=
 
-# zh1905.rsync.net
-zh1905.rsync.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtclizeBy1Uo3D86HpgD3LONGVH0CJ0NT+YfZlldAJd
-
-# u236610.your-storagebox.de
-[u236610.your-storagebox.de]:23,[2a01:4f8:b16:3000::68]:23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs
-
+# END ANSIBLE MANAGED BLOCK
diff --git a/host_vars/u236610.your-storagebox.de b/host_vars/u236610.your-storagebox.de
index 133ca34fb..e2e90e4d2 100644
--- a/host_vars/u236610.your-storagebox.de
+++ b/host_vars/u236610.your-storagebox.de
@@ -1,3 +1,2 @@
 ---
 ansible_ssh_user: "{{ hetzner_storagebox_username }}"
-known_host: "[u236610.your-storagebox.de]:23,[2a01:4f8:b16:3000::68]:23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs"
diff --git a/host_vars/zh1905.rsync.net b/host_vars/zh1905.rsync.net
index 701b03640..c8b607d78 100644
--- a/host_vars/zh1905.rsync.net
+++ b/host_vars/zh1905.rsync.net
@@ -1,3 +1,2 @@
 ---
 ansible_ssh_user: "{{ rsync_net_username }}"
-known_host: "zh1905.rsync.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtclizeBy1Uo3D86HpgD3LONGVH0CJ0NT+YfZlldAJd"
diff --git a/playbooks/tasks/sync-ssh-hostkeys.yml b/playbooks/tasks/sync-ssh-hostkeys.yml
index 1a143fab6..2eaf2966f 100644
--- a/playbooks/tasks/sync-ssh-hostkeys.yml
+++ b/playbooks/tasks/sync-ssh-hostkeys.yml
@@ -7,6 +7,7 @@
       shell: "for type in sha256 md5; do for file in /etc/ssh/ssh_host_*.pub; do ssh-keygen -l -f $file -E $type; done; echo; done"
       register: ssh_hostkeys
       changed_when: ssh_hostkeys | length > 0
+
     - name: fetch known_hosts
       shell: "set -o pipefail && ssh-keyscan 127.0.0.1 2>/dev/null | sed 's#^127.0.0.1#{{ inventory_hostname }}#' | sort"
       environment:
@@ -24,23 +25,11 @@
         dest: "{{ playbook_dir }}/../../docs/ssh-hostkeys.txt"
         content: "{% for host in query('inventory_hostnames', 'all,!rsync_net,!hetzner_storageboxes,!localhost') | sort %}# {{ host }}\n{{ hostvars[host].ssh_hostkeys.stdout }}\n\n{% endfor %}"
         mode: preserve
-      delegate_to: localhost
+
     - name: store known_hosts
-      copy:
-        dest: "{{ playbook_dir }}/../../docs/ssh-known_hosts.txt"
-        content: "{% for host in query('inventory_hostnames', 'all,!rsync_net,!hetzner_storageboxes,!localhost') | sort %}# {{ host }}\n{{ hostvars[host].known_hosts.stdout }}\n\n{% endfor %}"
-        mode: preserve
-      delegate_to: localhost
-    - name: manually append rsync.net host keys
-      lineinfile:
-        path: "{{ playbook_dir }}/../../docs/ssh-known_hosts.txt"
-        line: "{% for host in query('inventory_hostnames', 'rsync_net') | sort %}# {{ host }}\n{{ hostvars[host].known_host }}\n{% endfor %}"
-      delegate_to: localhost
-    - name: manually append Hetzner Storageboxes host keys
-      lineinfile:
+      blockinfile:
         path: "{{ playbook_dir }}/../../docs/ssh-known_hosts.txt"
-        line: "{% for host in query('inventory_hostnames', 'hetzner_storageboxes') | sort %}# {{ host }}\n{{ hostvars[host].known_host }}\n{% endfor %}"
-      delegate_to: localhost
+        block: "\n{% for host in query('inventory_hostnames', 'all,!rsync_net,!hetzner_storageboxes,!localhost') | sort %}# {{ host }}\n{{ hostvars[host].known_hosts.stdout }}\n\n{% endfor %}"
 
 - name: upload known_hosts to all nodes
   hosts: all,!rsync_net,!hetzner_storageboxes
-- 
GitLab