Initial commit, squashed

roles/firewall/tasks/config.yml

@@ -0,0 +1,59 @@
+- name: Install packages for config updates
+  package:
+    name: tar
+
+- name: Limit SSH for config updates
+  copy:
+    dest: /etc/ssh/
+    src: sshd_config.friwall
+  notify: reload sshd.friwall
+
+- name: Create SSH service for config updates
+  file:
+    path: /etc/init.d/sshd.friwall
+    src: /etc/init.d/sshd
+    state: link
+
+- name: Configure SSH service for config updates
+  copy:
+    dest: /etc/conf.d/sshd.friwall
+    content: |
+      cfgfile="/etc/ssh/sshd_config.friwall"
+      vrf="default"
+  notify: restart sshd.friwall
+
+- name: Enable SSH service for config updates
+  service:
+    name: sshd.friwall
+    enabled: yes
+    state: started
+
+- name: Install config updater
+  copy:
+    dest: /usr/local/bin/
+    src: update
+    mode: 0700
+
+- name: Get master SSH key
+  delegate_to: '{{ master }}'
+  command: "cat ~friwall/.ssh/id_ed25519.pub"
+  register: master_key
+  changed_when: false
+
+- name: Deploy master key on node
+  authorized_key: "user=root key={{ master_key.stdout }}"
+
+- name: Get my host SSH key
+  command: cat /etc/ssh/ssh_host_ed25519_key.pub
+  register: node_key
+  changed_when: false
+
+- name: Introduce myself to master
+  delegate_to: '{{ master }}'
+  become: yes
+  become_user: friwall
+  become_method: su
+  become_flags: "-s /bin/sh" # no login shell for user
+  known_hosts:
+    name: "{{ inventory_hostname }}"
+    key: "{{ inventory_hostname }},{{ interfaces | selectattr('name', '==', 'lo') | map(attribute='ip_addresses') | first | selectattr('role') | selectattr('role.value', '==', 'loopback') | map(attribute='address') | ipv4 | first | ipaddr('address') }} {{ node_key.stdout }}" # TODO make IP retrieval less terrifying