--- - set_fact: IP_subject_alt_name: "{{ IP_subject_alt_name }}" - name: Ensure that the sshd_config file has desired options blockinfile: dest: /etc/ssh/sshd_config marker: '# ANSIBLE_MANAGED_ssh_tunneling_role' block: | Match Group algo AllowTcpForwarding local AllowAgentForwarding no AllowStreamLocalForwarding no PermitTunnel no X11Forwarding no notify: - restart ssh - name: Ensure that the algo group exist group: name=algo state=present - name: Ensure that the jail directory exist file: path=/var/jail/ state=directory mode=0755 owner=root group=root - name: Ensure that the SSH users exist user: name: "{{ item }}" groups: algo home: '/var/jail/{{ item }}' createhome: yes generate_ssh_key: yes shell: /bin/false ssh_key_type: rsa ssh_key_bits: 2048 ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}' ssh_key_passphrase: "{{ easyrsa_p12_export_password }}" state: present append: yes with_items: "{{ users }}" - name: The authorized keys file created file: src: '/var/jail/{{ item }}/.ssh/id_rsa.pub' dest: '/var/jail/{{ item }}/.ssh/authorized_keys' owner: "{{ item }}" group: "{{ item }}" state: link with_items: "{{ users }}" - name: Generate SSH fingerprints shell: > ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null register: ssh_fingerprints - name: The known_hosts file created template: src=known_hosts.j2 dest=/root/.ssh/{{ IP_subject_alt_name }}_known_hosts - name: Fetch users SSH private keys fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes with_items: "{{ users }}" - name: Change mode for SSH private keys local_action: file path=configs/{{ IP_subject_alt_name }}/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem mode=0600 with_items: "{{ users }}" become: false - name: Fetch the known_hosts file fetch: src='/root/.ssh/{{ IP_subject_alt_name }}_known_hosts' dest=configs/{{ IP_subject_alt_name }}/{{ IP_subject_alt_name }}_known_hosts flat=yes