diff --git a/docs/roles/aws/aws_ami.md b/docs/roles/aws/aws_ami.md
index f4f3bd2be..acc2f10e4 100644
--- a/docs/roles/aws/aws_ami.md
+++ b/docs/roles/aws/aws_ami.md
@@ -29,6 +29,7 @@ aws_ami:
   ami_name: "example"
   owner: "136693071363" # Global AWS account ID of owner, defaults to Debian official
   ssh_username: "admin"
+  public_key_name: id_ecdsa.pub # from Debian 12 (Bookworm) onwards RSA keys, i.e. id_rsa.pub, are deprecated
   encrypt_boot: false
   # EBS volume options
   device_name: /dev/xvda # default for Debian AMIs
diff --git a/docs/roles/debian/ce_deploy.md b/docs/roles/debian/ce_deploy.md
index 856e548eb..d3c939fd2 100644
--- a/docs/roles/debian/ce_deploy.md
+++ b/docs/roles/debian/ce_deploy.md
@@ -20,7 +20,9 @@ ce_deploy:
   # Other ce-deploy settings.
   aws_support: true # installs boto3
   new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user
-  key_name: id_rsa.pub # existing users may have a key of a different name
+  ssh_key_bits: "521" # recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys
+  ssh_key_type: ecdsa # set to rsa to create an RSA key
+  public_key_name: id_ecdsa.pub # this might be id_rsa.pub for RSA keys, existing users may have a key of a different name
   username: "{{ _ce_deploy.username }}"
   own_repository: "https://github.com/codeenigma/ce-deploy.git"
   own_repository_branch: "master"
diff --git a/docs/roles/debian/ce_provision.md b/docs/roles/debian/ce_provision.md
index 8611d76b4..e3816975d 100644
--- a/docs/roles/debian/ce_provision.md
+++ b/docs/roles/debian/ce_provision.md
@@ -21,7 +21,9 @@ ce_provision:
   new_user: "{{ _init.ce_provision_new_user }}" # see _init defaults, set to false if user already exists or is ephemeral, e.g. an LDAP user
   username: "{{ _ce_provision_username }}" # see _init defaults
   #uid: "{{ _init.ce_provision_uid }}" # see _init defaults, optionally hardcode the UID for this user
-  public_key_name: id_rsa.pub # existing users may have a key of a different name
+  ssh_key_bits: "521" # recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys
+  ssh_key_type: ecdsa # set to rsa to create an RSA key
+  public_key_name: id_ecdsa.pub # this might be id_rsa.pub for RSA keys, existing users may have a key of a different name
   # Main repo.
   own_repository: "https://github.com/codeenigma/ce-provision.git"
   own_repository_branch: "master"
diff --git a/roles/aws/aws_ami/README.md b/roles/aws/aws_ami/README.md
index f4f3bd2be..acc2f10e4 100644
--- a/roles/aws/aws_ami/README.md
+++ b/roles/aws/aws_ami/README.md
@@ -29,6 +29,7 @@ aws_ami:
   ami_name: "example"
   owner: "136693071363" # Global AWS account ID of owner, defaults to Debian official
   ssh_username: "admin"
+  public_key_name: id_ecdsa.pub # from Debian 12 (Bookworm) onwards RSA keys, i.e. id_rsa.pub, are deprecated
   encrypt_boot: false
   # EBS volume options
   device_name: /dev/xvda # default for Debian AMIs
diff --git a/roles/aws/aws_ami/defaults/main.yml b/roles/aws/aws_ami/defaults/main.yml
index 4b9bcbf1c..c828adaec 100644
--- a/roles/aws/aws_ami/defaults/main.yml
+++ b/roles/aws/aws_ami/defaults/main.yml
@@ -9,6 +9,7 @@ aws_ami:
   ami_name: "example"
   owner: "136693071363" # Global AWS account ID of owner, defaults to Debian official
   ssh_username: "admin"
+  public_key_name: id_ecdsa.pub # from Debian 12 (Bookworm) onwards RSA keys, i.e. id_rsa.pub, are deprecated
   encrypt_boot: false
   # EBS volume options
   device_name: /dev/xvda # default for Debian AMIs
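Review bot: The comment on the new `public_key_name` default in `roles/aws/aws_ami/defaults/main.yml` says RSA keys are deprecated from Bookworm onwards, which is imprecise and will mislead anyone who genuinely needs RSA: what OpenSSH 8.8 and later (Bookworm ships 9.x) disable by default is the SHA-1 `ssh-rsa` signature algorithm, while RSA keys signing with `rsa-sha2-256`/`rsa-sha2-512` keep working. The value also has to name the key the provisioning user actually holds, because `packer.json.j2` reads `/home/<user>/.ssh/{{ aws_ami.public_key_name }}` and nothing checks that the file exists before the build starts. I would reword it as `public_key_name: id_ecdsa.pub # must match the key generated for the provisioning user (see ce_provision.public_key_name); OpenSSH 8.8+ disables the SHA-1 ssh-rsa signature scheme by default, RSA keys with rsa-sha2-* still work`.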
diff --git a/roles/aws/aws_ami/templates/packer.json.j2 b/roles/aws/aws_ami/templates/packer.json.j2
index 5efd118b6..d2abad8af 100755
--- a/roles/aws/aws_ami/templates/packer.json.j2
+++ b/roles/aws/aws_ami/templates/packer.json.j2
@@ -52,27 +52,28 @@
     "type": "ansible",
     "playbook_file": "{{ aws_ami.playbook_file }}",
     "inventory_directory": "{{ _ce_provision_base_dir }}/hosts",
-    "ssh_authorized_key_file": "/home/{{ user_provision.username }}/.ssh/id_rsa.pub",
+    "ssh_authorized_key_file": "/home/{{ user_provision.username }}/.ssh/{{ aws_ami.public_key_name }}",
 {% if aws_ami.groups is defined and aws_ami.groups | length %}
     "groups": {{ aws_ami.groups | to_json }},
 {% endif %}
     "ansible_env_vars": [
-      "ANSIBLE_FORCE_COLOR=True",
-      "ALLOW_WORLD_READABLE_TMPFILES=True",
+      "ANSIBLE_FORCE_COLOR=True",
+      "ALLOW_WORLD_READABLE_TMPFILES=True",
       "ANSIBLE_CONFIG={{ _ce_provision_base_dir }}/ansible.cfg"
     ],
     "extra_arguments":
-    [
+    [
+      "--scp-extra-args", "'-O'",
 {% if ansible_verbosity >= 1 %}
       "-vvvv",
 {% endif %}
 {% if _aws_ami_extra_vars is defined and _aws_ami_extra_vars | length %}
-      "--extra-vars",
+      "--extra-vars",
       "{{ _aws_ami_extra_vars }}",
 {% endif %}
-      "--extra-vars",
-      "{ _ce_provision_base_dir: {{ _ce_provision_base_dir }}, _ce_provision_build_dir: {{ _ce_provision_build_dir }}, _ce_provision_build_tmp_dir: {{ _ce_provision_build_tmp_dir }}, _ce_provision_data_dir: {{ _ce_provision_data_dir }}, _ce_provision_build_id: {{ _ce_provision_build_id }}, _ce_provision_force_play: true }"
-    ]
+      "--extra-vars",
+      "{ _ce_provision_base_dir: {{ _ce_provision_base_dir }}, _ce_provision_build_dir: {{ _ce_provision_build_dir }}, _ce_provision_build_tmp_dir: {{ _ce_provision_build_tmp_dir }}, _ce_provision_data_dir: {{ _ce_provision_data_dir }}, _ce_provision_build_id: {{ _ce_provision_build_id }}, _ce_provision_force_play: true }"
+    ]
   }]
 }
diff --git a/roles/debian/ce_deploy/README.md b/roles/debian/ce_deploy/README.md
index 856e548eb..d3c939fd2 100644
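Review bot: The new `"--scp-extra-args", "'-O'"` entry in `extra_arguments` forces scp's legacy protocol without saying why, and it is a hard compatibility constraint: as far as I recall `-O` only exists from OpenSSH 8.7 onwards, so on a controller with an older client every file transfer in the Packer build fails with an unknown-option error rather than falling back. The likely motivation (inferred from the flag, not shown in the hunk) is that Packer's SSH proxy for the ansible provisioner does not implement SFTP, which OpenSSH 9.x scp uses by default. A Jinja comment above the line would save the next reader a debugging session, e.g. `{# -O forces the legacy scp protocol: Packer's ansible proxy has no SFTP server and OpenSSH 9+ scp defaults to SFTP. Requires OpenSSH >= 8.7 on the controller. #}`. Worth noting in that comment too that the legacy scp protocol is the one OpenSSH moved away from for robustness reasons, so this should be revisited once the proxy gains SFTP support.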
--- a/roles/debian/ce_deploy/README.md
+++ b/roles/debian/ce_deploy/README.md
@@ -20,7 +20,9 @@ ce_deploy:
   # Other ce-deploy settings.
   aws_support: true # installs boto3
   new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user
-  key_name: id_rsa.pub # existing users may have a key of a different name
+  ssh_key_bits: "521" # recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys
+  ssh_key_type: ecdsa # set to rsa to create an RSA key
+  public_key_name: id_ecdsa.pub # this might be id_rsa.pub for RSA keys, existing users may have a key of a different name
   username: "{{ _ce_deploy.username }}"
   own_repository: "https://github.com/codeenigma/ce-deploy.git"
   own_repository_branch: "master"
diff --git a/roles/debian/ce_deploy/defaults/main.yml b/roles/debian/ce_deploy/defaults/main.yml
index d43bde3e6..dfccea372 100644
--- a/roles/debian/ce_deploy/defaults/main.yml
+++ b/roles/debian/ce_deploy/defaults/main.yml
@@ -12,7 +12,9 @@ ce_deploy:
   # Other ce-deploy settings.
   aws_support: true # installs boto3
   new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user
-  key_name: id_rsa.pub # existing users may have a key of a different name
+  ssh_key_bits: "521" # recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys
+  ssh_key_type: ecdsa # set to rsa to create an RSA key
+  public_key_name: id_ecdsa.pub # this might be id_rsa.pub for RSA keys, existing users may have a key of a different name
   username: "{{ _ce_deploy.username }}"
   own_repository: "https://github.com/codeenigma/ce-deploy.git"
   own_repository_branch: "master"
diff --git a/roles/debian/ce_deploy/tasks/main.yml b/roles/debian/ce_deploy/tasks/main.yml
index d5bbb3761..447cd99c1 100644
--- a/roles/debian/ce_deploy/tasks/main.yml
+++ b/roles/debian/ce_deploy/tasks/main.yml
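Review bot: In `roles/debian/ce_deploy/defaults/main.yml` the new `ssh_key_bits: "521"` and `ssh_key_type: ecdsa` are only valid as a pair, yet the comment `# set to rsa to create an RSA key` invites changing one without the other: a user who does that and leaves the bits alone gets an `ssh-keygen` failure, because RSA keys below 1024 bits are rejected, and `tasks/main.yml` passes both values straight into `ansible.builtin.user`. The third value, `public_key_name`, has to move in step as well or the later fetch of the public key looks for a file that was never written. I would make the dependency explicit in the comments, e.g. `ssh_key_type: ecdsa # rsa needs ssh_key_bits >= 1024 (4096 recommended) and public_key_name: id_rsa.pub; ed25519 ignores ssh_key_bits and needs public_key_name: id_ed25519.pub`. Unless something downstream requires a NIST curve, `ed25519` is the usual recommendation today and has no key-size knob to get wrong, which would remove the first failure mode entirely.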
@@ -16,7 +16,8 @@
     generate_ssh_key: true
     home: "/home/{{ ce_deploy.username }}"
     password: "*"
-    ssh_key_bits: 4096
+    ssh_key_bits: "{{ ce_deploy.ssh_key_bits }}"
+    ssh_key_type: "{{ ce_deploy.ssh_key_type }}"
     ssh_key_comment: "{{ ce_deploy.username }}@{{ ansible_host }}"
     system: true
     groups: "{{ ce_deploy.groups }}"
@@ -35,7 +36,7 @@
 - name: Place the public key in the ce-provision data directory on the controller server.
   ansible.builtin.fetch:
     dest: "{{ _ce_provision_data_dir }}"
-    src: "/home/{{ ce_deploy.username }}/.ssh/{{ ce_deploy.key_name }}"
+    src: "/home/{{ ce_deploy.username }}/.ssh/{{ ce_deploy.public_key_name }}"
 
 - name: Ensure Git is installed.
   ansible.builtin.apt:
diff --git a/roles/debian/ce_provision/README.md b/roles/debian/ce_provision/README.md
index 8611d76b4..e3816975d 100644
--- a/roles/debian/ce_provision/README.md
+++ b/roles/debian/ce_provision/README.md
@@ -21,7 +21,9 @@ ce_provision:
   new_user: "{{ _init.ce_provision_new_user }}" # see _init defaults, set to false if user already exists or is ephemeral, e.g. an LDAP user
   username: "{{ _ce_provision_username }}" # see _init defaults
   #uid: "{{ _init.ce_provision_uid }}" # see _init defaults, optionally hardcode the UID for this user
-  public_key_name: id_rsa.pub # existing users may have a key of a different name
+  ssh_key_bits: "521" # recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys
+  ssh_key_type: ecdsa # set to rsa to create an RSA key
+  public_key_name: id_ecdsa.pub # this might be id_rsa.pub for RSA keys, existing users may have a key of a different name
   # Main repo.
   own_repository: "https://github.com/codeenigma/ce-provision.git"
   own_repository_branch: "master"
diff --git a/roles/debian/ce_provision/defaults/main.yml b/roles/debian/ce_provision/defaults/main.yml
index 62c92b9e9..863be9952 100644
--- a/roles/debian/ce_provision/defaults/main.yml
+++ b/roles/debian/ce_provision/defaults/main.yml
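Review bot: The `ansible.builtin.user` task in the first `ce_deploy/tasks/main.yml` hunk now sets `ssh_key_type` but leaves `ssh_key_file` at the module default, so the filename of the generated key is decided by the module while the fetch in the second hunk reads `{{ ce_deploy.public_key_name }}`; the two agree only by convention. Anyone who sets `ssh_key_type: rsa` and forgets `public_key_name` gets a failed fetch, or, if an older key of that name is lying around, silently distributes the wrong key. Deriving one from the other removes the foot-gun: `ssh_key_file: ".ssh/{{ ce_deploy.public_key_name | regex_replace('\\.pub$', '') }}"`. Hedged, from the module docs rather than this hunk: `generate_ssh_key` does not overwrite an existing key, so on hosts already provisioned with `id_rsa` that key stays in place and stays authorised wherever it was previously pushed; retiring it is a separate step worth a comment here. The task's `- name:` and module lines start before the hunk.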
@@ -12,7 +12,9 @@ ce_provision:
   new_user: "{{ _init.ce_provision_new_user }}" # see _init defaults, set to false if user already exists or is ephemeral, e.g. an LDAP user
   username: "{{ _ce_provision_username }}" # see _init defaults
   #uid: "{{ _init.ce_provision_uid }}" # see _init defaults, optionally hardcode the UID for this user
-  public_key_name: id_rsa.pub # existing users may have a key of a different name
+  ssh_key_bits: "521" # recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys
+  ssh_key_type: ecdsa # set to rsa to create an RSA key
+  public_key_name: id_ecdsa.pub # this might be id_rsa.pub for RSA keys, existing users may have a key of a different name
   # Main repo.
   own_repository: "https://github.com/codeenigma/ce-provision.git"
   own_repository_branch: "master"
diff --git a/roles/debian/ce_provision/tasks/main.yml b/roles/debian/ce_provision/tasks/main.yml
index d19b458cc..7a531051d 100644
--- a/roles/debian/ce_provision/tasks/main.yml
+++ b/roles/debian/ce_provision/tasks/main.yml
@@ -30,7 +30,8 @@
     generate_ssh_key: true
     home: "/home/{{ ce_provision.username }}"
     password: "*"
-    ssh_key_bits: 4096
+    ssh_key_bits: "{{ ce_provision.ssh_key_bits }}"
+    ssh_key_type: "{{ ce_provision.ssh_key_type }}"
     ssh_key_comment: "{{ ce_provision.username }}@{{ ansible_host }}"
     system: true
     groups: "{{ ce_provision.groups }}"
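Review bot: The three new defaults in `roles/debian/ce_provision/defaults/main.yml` only work as a set, and the comments steer people towards flipping `ssh_key_type` to `rsa` while `ssh_key_bits: "521"` is well below ssh-keygen's 1024-bit minimum for RSA and `public_key_name` still names the ECDSA file. For this role there is an extra consumer: `aws_ami.public_key_name` defaults independently to `id_ecdsa.pub` and `packer.json.j2` reads that file from the provisioning user's home, so the two roles' defaults have to be kept in lock-step and nothing enforces it. A comment makes the dependency visible: `public_key_name: id_ecdsa.pub # must match the key generated above (id_<ssh_key_type>.pub) and aws_ami.public_key_name`.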
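Review bot: As in ce_deploy, the `ansible.builtin.user` task in `roles/debian/ce_provision/tasks/main.yml` gains `ssh_key_type` without an `ssh_key_file`, so the generated filename is whatever the module derives for that type and must happen to equal `ce_provision.public_key_name`, which the Packer template and any fetch task read. Pinning it, `ssh_key_file: ".ssh/{{ ce_provision.public_key_name | regex_replace('\\.pub$', '') }}"`, guarantees the consumers read the file this task actually wrote. Hedged, from the module docs rather than the hunk: `generate_ssh_key` does not replace an existing key, so changing the default type does not rotate an RSA key already present on a host, and a one-line comment saying so would pre-empt the obvious "why is id_rsa still there" question. The task's `- name:` and module lines start before the hunk.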