From 858bd37da53d309a5165595ebe9fed76588ee1d7 Mon Sep 17 00:00:00 2001
From: Sven Velt
Date: Mon, 11 Nov 2024 10:31:13 +0100
Subject: [PATCH] Initial commit

---
 .gitignore | 3 +++
 README.md | 33 +++++++++++++++++++++++++++++++++
 defaults/main.yml | 3 +++
 meta/main.yml | 39 +++++++++++++++++++++++++++++++++++++++
 ssh-hostkeys.yml | 10 ++++++++++
 tasks/main.yml | 14 ++++++++++++++
 6 files changed, 102 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 README.md
 create mode 100644 defaults/main.yml
 create mode 100644 meta/main.yml
 create mode 100644 ssh-hostkeys.yml
 create mode 100644 tasks/main.yml

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a204212
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+.*.swp
+*~
+
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..5a61100
--- /dev/null
+++ b/README.md
@@ -0,0 +1,33 @@
+# ssh-hostkeys
+
+Depoly global available (Open)SSH host keys
+
+## Requirements
+
+- Set `ssh_hostkeys` variable as list of single-named(!) `known_hosts` entries
+
+## Role Variables
+
+Defaults:
+- `ssh_hostkeys`: `[]`
+- `ssh_hostkeys_file`: `/etc/ssh/ssh_known_hosts`
+
+## Dependencies
+
+- None
+
+## Example Playbook
+
+ - hosts: all
+ roles:
+ - role: ssh_hostkeys
+
+## License
+
+AGPL3.0-or-later
+
+## Author Information
+
+- Sven Velt
+- https://git.velt.biz/
+
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..8d0a7a5
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+ssh_hostkeys: []
+ssh_hostkeys_file: /etc/ssh/ssh_known_hosts
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..f290e02
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,39 @@
+galaxy_info:
+ author: Sven Velt
+ description: Deploy global SSH known hosts
+ company: velt.biz
+ issue_tracker_url: https://git.velt.biz/Ansible/ssh-hostkeys/issues
+ license: AGPL-3.0-or-later
+ min_ansible_version: 2.1
+ platforms:
+ - name: Debian
+ versions:
+ - stretch
+ - buster
+ - bullseye
+ - bookworm
+ - trixie
+ - name: Ubuntu
+ versions:
+ - bionic
+ - focal
+ - jammy
+ - noble
+ - name: Fedora
+ versions:
+ - 38
+ - 39
+ - 40
+ - 41
+ - name: EL
+ versions:
+ - 6
+ - 7
+ - 8
+ - 9
+
+ galaxy_tags:
+ - operations
+ - security
+
+dependencies: []
diff --git a/ssh-hostkeys.yml b/ssh-hostkeys.yml
new file mode 100644
index 0000000..1791237
--- /dev/null
+++ b/ssh-hostkeys.yml
@@ -0,0 +1,10 @@
+---
+- hosts: all
+
+ roles:
+ - role: ssh-hostkeys
+# vars:
+# ssh_hostkeys:
+# - 'server1 ssh-ed25519 KEY'
+# - 'server2:22 ssh-rsa KEY'
+
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..3b97c30
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: Sanity check
+ assert:
+ that:
+ - ssh_hostkeys|length > 0
+ - ansible_user_id == 'root'
+
+- name: Add global known hosts fingerprints for SSH
+ known_hosts:
+ path: '{{ ssh_hostkeys_file }}'
+ name: '{{ item.split(" ")[0] }}'
+ hash_host: false
+ key: '{{ item }}'
+ loop: '{{ ssh_hostkeys }}'
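Review bot: `min_ansible_version: 2.1` is parsed as a YAML float, so if `2.10` was intended it has already been read back as `2.1`, and any later bump to `2.10` or `2.15` would collapse the same way; write it as `min_ansible_version: "2.1"` and likewise quote the bare-integer entries under `versions:` for Fedora and EL (`"38"`, `"6"`, …) so they stay strings. This file is also the only one of the four YAML files in the commit without a leading `---` document start. The indentation is not recoverable from this rendering, so I cannot confirm that `galaxy_tags` nests under `galaxy_info` rather than at top level; worth checking with ansible-lint before publishing.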
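Review bot: `role: ssh-hostkeys` here does not match the README's `role: ssh_hostkeys`, so one of the two examples will fail to find the role; ansible-lint's `role-name` rule only accepts `^[a-z][a-z0-9_]*$`, which makes `ssh_hostkeys` the form to standardise on in both places. The commented sample `# - 'server2:22 ssh-rsa KEY'` is not valid known_hosts syntax — OpenSSH expects a non-default port as `[server2]:22 ssh-rsa KEY` — and because tasks/main.yml takes the host name from the first field, the unbracketed form would install an entry that ssh never matches. Since tasks/main.yml asserts `ansible_user_id == 'root'`, the play likely also needs `become: true` unless the inventory already connects as root.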
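Review bot: `ansible_user_id == 'root'` depends on gathered facts, so under `gather_facts: false` the assert aborts with an undefined-variable error instead of a readable check; add `fail_msg: 'ssh_hostkeys must be a non-empty list and the role must run as root'` to the assert so both conditions report clearly, and note that with the `[]` default from defaults/main.yml the role always fails until the variable is set. `name: '{{ item.split(" ")[0] }}'` assumes every entry starts with a bare host name; an entry carrying an `@cert-authority` or `@revoked` marker, or a comma-separated host list, would hand `known_hosts` a wrong `name`, and nothing in the loop checks for that beyond the README's "single-named" remark. `hash_host: false` is the right choice for a system-wide file but deserves a comment, e.g. `# keep host names in clear text: the global file is meant to be readable and auditable`. Both modules could be written as `ansible.builtin.assert` / `ansible.builtin.known_hosts` to satisfy ansible-lint's fqcn rule, which in turn requires meta's `min_ansible_version` to be at least 2.10.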