Ian Wienand 24a1528fac
bridge: Disable writing known_hosts files
This is related to the work in
I0823c09165c445e9178c75ac5083f1988e8d3055 to deploy the host keys from
inventory to the bastion host.

As noted inline, there's really no reason this host should be
connecting anywhere that isn't in the inventory.  So caching values
can only hide that we might have missed something there.  Disable user
known_hosts globally.

Change-Id: I6d74df90db856cf7773698e3a06180986a531322
2022-11-21 15:29:56 +11:00

41 lines
1.3 KiB
YAML

- name: Load the current inventory from bridge
  slurp:
    src: '/home/zuul/src/opendev.org/opendev/system-config/inventory/base/hosts.yaml'
  register: _bridge_inventory_encoded

- name: Turn inventory into variable
  set_fact:
    _bridge_inventory: '{{ _bridge_inventory_encoded.content | b64decode | from_yaml }}'

# One ssh_known_hosts entry per (host, key) pair: the hostname and its
# public IPv4 address, plus the IPv6 address when the inventory has one.
- name: Build known_hosts list
  set_fact:
    bastion_known_hosts: >-
      [
      {%- for host, values in _bridge_inventory['all']['hosts'].items() -%}
      {% for key in values['host_keys'] %}
      '{{ host }},{{ values.public_v4 }}{{ "," + values.public_v6 if 'public_v6' in values}} {{ key }}',
      {% endfor %}
      {%- endfor -%}
      ]

- name: Write out values to /etc/ssh/ssh_known_hosts
  blockinfile:
    path: '/etc/ssh/ssh_known_hosts'
    block: |
      {% for entry in bastion_known_hosts %}
      {{ entry }}
      {% endfor %}
    owner: root
    group: root
    mode: 0644
    create: yes

# Disable writing out known_hosts globally on the bastion host.
# Nothing on this host should be connecting to somewhere not codified
# above; this prevents us possibly hiding that by caching values.
- name: Disable known_hosts caching
  lineinfile:
    path: /etc/ssh/ssh_config
    regexp: 'UserKnownHostsFile'
    line: '    UserKnownHostsFile /dev/null'
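The two pieces of the change above, generating ssh_known_hosts lines from the inventory and forcing UserKnownHostsFile to /dev/null, are easy to get subtly wrong (a host with no recorded keys, a host without public_v6, an existing UserKnownHostsFile line that would silently win over an appended one). The following Python is an added example, not code from the system-config repository: it reimplements the Jinja loop and the lineinfile semantics over a constructed inventory dict and constructed ssh_config texts, and checks the result the way ssh actually reads the file (first matching directive wins). The hostnames, addresses, keys and config contents are made up; in real use the inventory would come from yaml.safe_load() of hosts.yaml.

```python
import re

# Constructed sample inventory in the shape of the slurped hosts.yaml
# (all -> hosts -> <name> -> public_v4 / public_v6 / host_keys).
# Names, addresses and key material are invented for this example.
INVENTORY = {
    "all": {
        "hosts": {
            "mirror01.example.org": {
                "public_v4": "203.0.113.10",
                "public_v6": "2001:db8::10",
                "host_keys": [
                    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne",
                    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyTwo",
                ],
            },
            "review02.example.org": {
                "public_v4": "203.0.113.20",
                "host_keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyThree"],
            },
            # Host with no host_keys recorded yet: the playbook's
            # values['host_keys'] lookup would fail here.
            "test-only.example.org": {"public_v4": "203.0.113.30"},
        }
    }
}


def build_known_hosts(inventory):
    """Mirror the 'Build known_hosts list' task: one line per (host, key),
    naming the host, its IPv4 and, only when present, its IPv6 address."""
    entries = []
    for host, values in inventory["all"]["hosts"].items():
        names = [host, values["public_v4"]]
        if "public_v6" in values:
            names.append(values["public_v6"])
        for key in values.get("host_keys", []):
            entries.append(f"{','.join(names)} {key}")
    return entries


def hosts_without_keys(inventory):
    """Hosts the inventory does not pin; worth surfacing before deploying,
    since nothing on the bastion will be able to reach them afterwards."""
    return [h for h, v in inventory["all"]["hosts"].items() if not v.get("host_keys")]


def render_known_hosts_block(entries):
    """The text the blockinfile task writes into /etc/ssh/ssh_known_hosts."""
    return "\n".join(entries) + "\n"


USER_KNOWN_HOSTS_RE = re.compile(r"UserKnownHostsFile")


def disable_known_hosts_caching(ssh_config_text):
    """Apply what the lineinfile task does: replace the last line matching
    the regexp, or append the directive when there is no match."""
    lines = ssh_config_text.splitlines()
    new_line = "    UserKnownHostsFile /dev/null"
    matches = [i for i, line in enumerate(lines) if USER_KNOWN_HOSTS_RE.search(line)]
    if matches:
        lines[matches[-1]] = new_line
    else:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


def user_known_hosts_disabled(ssh_config_text):
    """Evaluate the setting as ssh does: the first UserKnownHostsFile
    directive wins, so a /dev/null line added after an earlier
    ~/.ssh/known_hosts line would not actually disable caching."""
    for raw in ssh_config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "userknownhostsfile":
            return parts[1].strip() == "/dev/null"
    return False


# Constructed ssh_config samples: a distribution-style default with no
# UserKnownHostsFile, and one that already points at the per-user file.
DEFAULT_SSH_CONFIG = """\
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
"""

CACHING_SSH_CONFIG = """\
Host *
    UserKnownHostsFile ~/.ssh/known_hosts
    HashKnownHosts yes
"""

if __name__ == "__main__":
    print(render_known_hosts_block(build_known_hosts(INVENTORY)))
    print("hosts with no pinned keys:", hosts_without_keys(INVENTORY))
    print(disable_known_hosts_caching(CACHING_SSH_CONFIG))
```

Two details worth noting. The appended directive lands after the existing `Host *` block in the default config, which is fine because `Host *` matches everything; and because ssh_config is first-match, replacing an existing UserKnownHostsFile line (what lineinfile's regexp does) rather than appending a second one is what makes the change effective.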