Changed approach for generating sshfp RR to lookup on python script

4 years ago · eff48f1773
parent 748999d36d
commit eff48f1773
4 changed files with 27 additions and 22 deletions
--- a/helpers/ssh_dns_fingerprints.makefile
+++ b/helpers/ssh_dns_fingerprints.makefile
@ -1,4 +0,0 @@
-FILES = $(shell ls | grep -vE "^dns$$")
-
-dns: $(FILES)
-	echo "$(FILES)" | xargs --max-args 1 ssh-keygen -r "$$(basename "$$(pwd)")." -f > "$@"
--- a/playbooks/dns.yml
+++ b/playbooks/dns.yml
@ -6,16 +6,6 @@
  hosts: nvak.banananet.work
  vars:
    nvak_dns_slaves: []
-  pre_tasks:
-    - name: Load ssh host key dns fingerprint for host
-      command: cat "{{ global_ssh_host_key_directory | quote }}/{{ item | quote }}/dns"
-      delegate_to: localhost
-      register: ssh_key_dns_fpr_raw
-      changed_when: False
-      loop: "{{ groups['public_available'] }}"
-    - name: Remap ssh host key dns fingerprints
-      set_fact:
-        ssh_key_dns_fpr_map: "{{ ssh_key_dns_fpr_raw.results | items2dict(key_name='item', value_name='stdout') }}"
  roles:
    - role: dns/master
      domain: banananet.work
@ -31,7 +21,7 @@
        {% for fqdn in groups['public_available'] %}
        {{ fqdn }}. IN A {{ hostvars[fqdn].ansible_default_ipv4.address }}
        {{ fqdn }}. IN AAAA {{ hostvars[fqdn].ansible_default_ipv6.address }}
-        {{ ssh_key_dns_fpr_map[fqdn] }}
+        {{ lookup('pipe', global_public_key_directory|quote + '/ssh_dns_fp.py --host ' + fqdn|quote) }}
        {% endfor %}
        ; Public use domains
        @ IN A {{ ansible_default_ipv4.address }}
--- a/public_keys/ssh_dns_fp.py
+++ b/public_keys/ssh_dns_fp.py
@ -0,0 +1,26 @@
+#!/usr/bin/env python3
+
+import argparse
+from pathlib import Path
+import subprocess
+import sys
+
+def gen_sshfp_rr(keys_dir, host, domain):
+    key_dir = Path(keys_dir) / host
+    res = []
+    for key in key_dir.iterdir():
+        if key.name != "dns":
+            res.append(subprocess.check_output(["ssh-keygen", "-r", domain, "-f", str(key)]).decode('utf-8').strip())
+    return '\n'.join(res)
+
+def main():
+    ssh_hosts_keys = Path(sys.argv[0]).parent / "ssh/hosts"
+    parser = argparse.ArgumentParser()
+    parser.add_argument('--domain', default=None)
+    parser.add_argument('--host', required=True)
+    args = parser.parse_args()
+    args.domain = (args.domain or args.host) + "."
+    print(gen_sshfp_rr(ssh_hosts_keys, args.host, args.domain))
+
+if __name__ == "__main__":
+    main()
--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
@ -64,10 +64,3 @@
  loop: "{{ ssh_host_keys.results }}"
  loop_control:
    label: "{{ item.item }}"
-
- name: Generate ssh host key dns fingerprints locally
-  make:
-    chdir: "{{ global_ssh_host_key_directory }}/{{ inventory_hostname }}"
-    file: "{{ playbook_dir }}/helpers/ssh_dns_fingerprints.makefile"
-    target: dns
-  delegate_to: localhost