feat: Inject SSH public keys during LXC creation and switch to key-based authentication.

2026-01-04 11:55:56 +01:00
parent eecac82dcd
commit 79737b8598
1 changed files with 12 additions and 13 deletions
--- a/playbooks/create_lxc.yml
+++ b/playbooks/create_lxc.yml
@@ -40,7 +40,8 @@
        ostemplate: '{{ proxmox_storage }}:vztmpl/ubuntu-24.04-standard_24.04-2_amd64.tar.zst'
        vmid: "{{ container_id }}"
        hostname: "{{ container_name }}"
-        password: "{{ ansible_password }}" 
+        password: "{{ ansible_password }}"
+        pubkey: "{{ my_public_keys | join('\n') }}"
        netif:
          net0: "name=eth0,gw=10.0.0.1,ip={{ container_ip_cidr }},bridge=vmbr0"
        cores: "{{ container_cores }}"
@@ -75,12 +76,8 @@
        groups: new
        ansible_host: "{{ container_ip_cidr | split('/') | first }}"
        ansible_user: root
-        ansible_ssh_pass: "{{ ansible_password }}"
-        # We need to ignore host key checking for the fresh container to avoid interactive prompt
-        ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
-
-        ansible_ssh_pass: "{{ ansible_password }}"
-        # We need to ignore host key checking for the fresh container to avoid interactive prompt
+        ansible_user: root
+        # Removed ansible_ssh_pass - we rely on the injected key
        ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'

 - name: Secure and Configure New Container
@@ -88,15 +85,17 @@
  gather_facts: no
  vars:
    # We must explicitly use the password here because the 'new' group in inventory might not have it set
-    ansible_ssh_pass: "{{ hostvars[inventory_hostname]['ansible_ssh_pass'] | default(ansible_password) }}"
+    # We use the key for the initial root connection, NOT the password
+    # Set ansible_ssh_private_key_file if needed, otherwise it uses the agent
    ansible_user: root
+    ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
  vars_files:
    - "../vars.yml"
  tasks:
-    - name: Wait for connection
-      wait_for_connection:
-        timeout: 60
-
+    # Updated to verify SSH key works, not password
+    - name: Verify we can connect (ping)
+      ping:
+      
    - name: Create user '{{ target_user }}'
      ansible.builtin.user:
        name: '{{ target_user }}'
@@ -157,4 +156,4 @@
          {{ hostvars[item]['inventory_hostname'] }} ansible_host={{ hostvars[item]['ansible_host'] }}
        insertafter: "^\\[lxc\\]"
        marker: "# {mark} ANSIBLE MANAGED BLOCK FOR HOST {{ hostvars[item]['inventory_hostname'] }}"
-      loop: "{{ groups['new'] }}"
+      loop: "{{ groups['new'] }}"