Homelab/Ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Inject SSH public keys during LXC creation and switch to key-based authentication.

Browse Source
This commit is contained in:
Maksym Buz
2026-01-04 11:55:56 +01:00
parent eecac82dcd
commit 79737b8598
1 changed files with 12 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
playbooks/create_lxc.yml
View File

@@ -40,7 +40,8 @@
ostemplate: '{{ proxmox_storage }}:vztmpl/ubuntu-24.04-standard_24.04-2_amd64.tar.zst' ostemplate: '{{ proxmox_storage }}:vztmpl/ubuntu-24.04-standard_24.04-2_amd64.tar.zst'
vmid: "{{ container_id }}" vmid: "{{ container_id }}"
hostname: "{{ container_name }}" hostname: "{{ container_name }}"
password: "{{ ansible_password }}" password: "{{ ansible_password }}"
pubkey: "{{ my_public_keys | join('\n') }}"
netif: netif:
net0: "name=eth0,gw=10.0.0.1,ip={{ container_ip_cidr }},bridge=vmbr0" net0: "name=eth0,gw=10.0.0.1,ip={{ container_ip_cidr }},bridge=vmbr0"
cores: "{{ container_cores }}" cores: "{{ container_cores }}"
@@ -75,12 +76,8 @@
groups: new groups: new
ansible_host: "{{ container_ip_cidr | split('/') | first }}" ansible_host: "{{ container_ip_cidr | split('/') | first }}"
ansible_user: root ansible_user: root
ansible_ssh_pass: "{{ ansible_password }}" ansible_user: root
# We need to ignore host key checking for the fresh container to avoid interactive prompt # Removed ansible_ssh_pass - we rely on the injected key
ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
ansible_ssh_pass: "{{ ansible_password }}"
# We need to ignore host key checking for the fresh container to avoid interactive prompt
ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null' ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
- name: Secure and Configure New Container - name: Secure and Configure New Container
@@ -88,15 +85,17 @@
gather_facts: no gather_facts: no
vars: vars:
# We must explicitly use the password here because the 'new' group in inventory might not have it set # We must explicitly use the password here because the 'new' group in inventory might not have it set
ansible_ssh_pass: "{{ hostvars[inventory_hostname]['ansible_ssh_pass'] | default(ansible_password) }}" # We use the key for the initial root connection, NOT the password
# Set ansible_ssh_private_key_file if needed, otherwise it uses the agent
ansible_user: root ansible_user: root
ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
vars_files: vars_files:
- "../vars.yml" - "../vars.yml"
tasks: tasks:
- name: Wait for connection # Updated to verify SSH key works, not password
wait_for_connection: - name: Verify we can connect (ping)
timeout: 60 ping:
- name: Create user '{{ target_user }}' - name: Create user '{{ target_user }}'
ansible.builtin.user: ansible.builtin.user:
name: '{{ target_user }}' name: '{{ target_user }}'
@@ -157,4 +156,4 @@
{{ hostvars[item]['inventory_hostname'] }} ansible_host={{ hostvars[item]['ansible_host'] }} {{ hostvars[item]['inventory_hostname'] }} ansible_host={{ hostvars[item]['ansible_host'] }}
insertafter: "^\\[lxc\\]" insertafter: "^\\[lxc\\]"
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR HOST {{ hostvars[item]['inventory_hostname'] }}" marker: "# {mark} ANSIBLE MANAGED BLOCK FOR HOST {{ hostvars[item]['inventory_hostname'] }}"
loop: "{{ groups['new'] }}" loop: "{{ groups['new'] }}"