add server boostrap role

refactor: update SSH key management to load keys from a URL and set permissions
2025-08-14 18:12:37 +02:00 · 2025-08-14 18:12:14 +02:00
3 changed files with 23 additions and 5 deletions
--- a/ansible/roles/server_bootstrap/meta/main.yml
+++ b/ansible/roles/server_bootstrap/meta/main.yml
@ -0,0 +1,4 @@
+dependencies:
+  - role: server_install_ssh
+  - role: server_install_fail2ban
+  - role: server_install_syslog
--- a/ansible/roles/server_install_ssh/defaults/main.yml
+++ b/ansible/roles/server_install_ssh/defaults/main.yml
@ -2,7 +2,7 @@
 ssh_user: skulladmin

 # Platzhalter-Key
-ssh_public_key: ""
+ssh_auth_keys_url: "https://skulldev.de/Skull-IT/trusted-ssh-keys/raw/branch/main/trusted-ssh-keys"

 # SSH-Port
 ssh_port: 22
--- a/ansible/roles/server_install_ssh/tasks/main.yml
+++ b/ansible/roles/server_install_ssh/tasks/main.yml
@ -28,10 +28,24 @@
    group: "{{ ssh_user }}"
    mode: '0700'

- name: SSH-Key eintragen
-  ansible.builtin.copy:
-    content: "{{ ssh_public_key }}"
-    dest: "/home/{{ ssh_user }}/.ssh/authorized_keys"
+- name: Trusted SSH keys von GitHub laden
+  ansible.builtin.get_url:
+    url: "{{ ssh_auth_keys_url }}"
+    dest: "/home/{{ ssh_user }}/.ssh/trusted_ssh_keys"
+    owner: "{{ ssh_user }}"
+    group: "{{ ssh_user }}"
+    mode: '0644'
+
+- name: Alle geladenen Keys in authorized_keys eintragen
+  ansible.builtin.command: >
+    bash -c "cat /home/{{ ssh_user }}/.ssh/trusted_ssh_keys >> /home/{{ ssh_user }}/.ssh/authorized_keys"
+  args:
+    creates: "/home/{{ ssh_user }}/.ssh/authorized_keys"
+  become: true
+
+- name: Permissions für authorized_keys setzen
+  ansible.builtin.file:
+    path: "/home/{{ ssh_user }}/.ssh/authorized_keys"
    owner: "{{ ssh_user }}"
    group: "{{ ssh_user }}"
    mode: '0600'
Author	SHA1	Message	Date
=	d0896b2acc	add server boostrap role	2025-08-14 18:12:37 +02:00
=	318af615c0	refactor: update SSH key management to load keys from a URL and set permissions	2025-08-14 18:12:14 +02:00