Merge pull request andrelohmann#4 from jeichler/change_default_kownn_…

…hosts_handling Change default known hosts handling
jeichler · Jul 22, 2020 · d12af3f · d12af3f
2 parents a3e3f21 + 791955f
commit d12af3f
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 49 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -20,6 +20,6 @@ hetzner_installimage_ignore_hostcode: False
 # timeout to wait for servers to come back after hardware reset
 hetzner_installimage_wait_timeout_after_reset: 180
 
-# know hosts file location on ansible control node
-hetzner_installimage_known_hosts_file: "{{ lookup('env','HOME') + '/.ssh/known_hosts' }}"
+# whether this role ios allowed to modify your known hosts or not
+hetzner_installimage_handle_known_hosts: False
 ...
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -1,15 +1,20 @@
 ---
 
-- name: set the correct ip from the fact if ansible_host wasn't specified.
-  set_fact:
-    ssh_host_ip: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
-  delegate_to: localhost
-  when: ansible_host == 'localhost'
-
-- name: set the ip to ansible_host as it was set in the inventory.
-  set_fact:
-    ssh_host_ip: "{{ ansible_host }}"
-  when: ssh_host_ip is not defined
+- block:
+  - name: set the correct ip from the fact if ansible_host wasn't specified.
+    set_fact:
+      ssh_host_ip: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
+    delegate_to: localhost
+    when: ansible_host == 'localhost'
+  - name: set the ip to ansible_host as it was set in the inventory.
+    set_fact:
+      ssh_host_ip: "{{ ansible_host }}"
+    when: ssh_host_ip is not defined
+  - name: get known hosts file
+    shell: "ssh -G {{ ansible_host}} {{ ansible_ssh_common_args | default('') }} | grep userknownhostsfile | cut -d ' ' -f2"
+    register: hetzner_installimage_known_hosts_file_result
+    delegate_to: localhost
+  when: hetzner_installimage_handle_known_hosts | bool
 
 - name: Confirm install for each host
   pause:

diff --git a/tasks/modify_known_hosts.yml b/tasks/modify_known_hosts.yml
@@ -1,44 +1,53 @@
 ---
-- name: set ssh_known_host_results to nothing
-  set_fact:
-    ssh_known_host_result: ''
+- block:
+  - name: set fact for known hosts file
+    set_fact:
+      hetzner_installimage_known_hosts_file: "{{ hetzner_installimage_known_hosts_file_result.stdout }}"
 
-- name: set default for modify_known_hosts_state
-  set_fact:
-    modify_known_hosts_state: present
-  when:
-    - modify_known_hosts_state is not defined
-    - modify_known_hosts_state | lower not in ("present", "absent")
+  - name: set ssh_known_host_results to nothing
+    set_fact:
+      ssh_known_host_result: ''
 
-- name: check the hostnames key
-  command: "ssh-keyscan -t ecdsa {{ hostvars[item]['inventory_hostname'] }}"
-  register: ssh_known_host_result
-  delegate_to: localhost
-  when:
-    - hostvars[item]['ansible_host'] is not defined
-    - modify_known_hosts_state == 'present'
+  - name: set default for modify_known_hosts_state
+    set_fact:
+      modify_known_hosts_state: present
+    when:
+      - modify_known_hosts_state is not defined
+      - modify_known_hosts_state | lower not in ("present", "absent")
 
-- name: ensure the server's hostname public key in known_hosts is added/removed
-  known_hosts:
-    name: "{{ hostvars[item]['inventory_hostname'] }}"
-    key: "{{ ssh_known_host_result.stdout | default(omit) }}"
-    path: "{{ hetzner_installimage_known_hosts_file }}"
-    state: "{{ modify_known_hosts_state | lower }}"
-  delegate_to: localhost
-  when: hostvars[item]['ansible_host'] is not defined
+  - name: check the hostnames key
+    command: "ssh-keyscan -t ecdsa {{ hostvars[item]['inventory_hostname'] }}"
+    register: ssh_known_host_result
+    delegate_to: localhost
+    when:
+      - hostvars[item]['ansible_host'] is not defined
+      - modify_known_hosts_state == 'present'
 
-- name: check the ip key
-  command: "ssh-keyscan -t ecdsa {{ hostvars[item]['ansible_default_ipv4']['address'] }}"
-  register: ssh_known_host_result
-  delegate_to: localhost
-  when:
-    - modify_known_hosts_state == 'present'
+  - name: ensure the server's hostname public key in known_hosts is added/removed
+    known_hosts:
+      name: "{{ hostvars[item]['inventory_hostname'] }}"
+      key: "{{ ssh_known_host_result.stdout | default(omit) }}"
+      path: "{{ hetzner_installimage_known_hosts_file }}"
+      state: "{{ modify_known_hosts_state | lower }}"
+    delegate_to: localhost
+    when: hostvars[item]['ansible_host'] is not defined
 
-- name: ensure the server's ip public key in known_hosts is added/removed
-  known_hosts:
-    name: "{{ hostvars[item]['ansible_default_ipv4']['address'] }}"
-    key: "{{ ssh_known_host_result.stdout | default(omit) }}"
-    path: "{{ hetzner_installimage_known_hosts_file }}"
-    state: "{{ modify_known_hosts_state | lower }}"
-  delegate_to: localhost
+  - name: check the ip key
+    command: "ssh-keyscan -t ecdsa {{ hostvars[item]['ansible_default_ipv4']['address'] }}"
+    register: ssh_known_host_result
+    delegate_to: localhost
+    when:
+      - modify_known_hosts_state == 'present'
+
+  - name: ensure the server's ip public key in known_hosts is added/removed
+    known_hosts:
+      name: "{{ hostvars[item]['ansible_default_ipv4']['address'] }}"
+      key: "{{ ssh_known_host_result.stdout | default(omit) }}"
+      path: "{{ hetzner_installimage_known_hosts_file }}"
+      state: "{{ modify_known_hosts_state | lower }}"
+    delegate_to: localhost
+  rescue:
+    - debug:
+        msg: "continue despite errors in known hosts file handling"
+  when: hetzner_installimage_handle_known_hosts | bool
 ...