From 54fd61c887f266f8e2e6b1419a86fc6681116069 Mon Sep 17 00:00:00 2001
From: EuAndreh
Date: Wed, 5 Jun 2019 16:38:53 -0300
Subject: Use Ansible instead of Bash for provisioning

The deployment is not quite working, and I'm unable to test right now: DigitalOcean is returning 503 for my requests. As of this commit, I can run =ansible-playbook provider.yml= more than once and it will actually be idempotent.
Notes:
- SSH fingerprint are now taken from the public key file instead of manually supplying it in the terraform template using the =digitalocean_ssh_key= resource;
- use Ansible instead of ad-hoc Bash scripts for provisioning the Droplets created by Terraform;
- use the =filename.env.extension= to create the concrete files in CI;
- use the =user_data= to add the know SSH key pair to the newly created Droplet;
- add =rotate-ssh-keys.sh= utils;
---
 rotate-ssh-keys.sh | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100755 rotate-ssh-keys.sh
(limited to 'rotate-ssh-keys.sh')
diff --git a/rotate-ssh-keys.sh b/rotate-ssh-keys.sh
new file mode 100755
index 0000000..2e3f1fb
--- /dev/null
+++ b/rotate-ssh-keys.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+cd "$(dirname "${BASH_SOURCE[0]}")"
+
+rm -f ./secrets/ssh/*
+ssh-keygen -t rsa -b 4096 -q -N '' -f ./secrets/ssh/vps-box-client
+ssh-keygen -t rsa -b 4096 -q -N '' -f ./secrets/ssh/vps-box-server
+PUBLIC_KEY="$(awk '{print $2}' < ./secrets/ssh/vps-box-server.pub)"
+echo "${TLD},${PINNED_IP} ssh-rsa ${PUBLIC_KEY}" > ./secrets/ssh/known-hosts.txt
+
+# git add ./secrets/ssh/
+# git commit -m "Script: rotate SSH keys"
+
+# rotate() {
+# # FIXME: add email address?
+# # FIXME: use 4096 instead of (default) 2048
+# ssh-keygen -t rsa \
+# -q \
+# -N '' \
+# -f "${1}"
+# }
+
+# rotate ./secrets/ssh/vps-box-client
+# rotate ./secrets/ssh/vps-box-server
+
+
+# FIXME:
+# Commit to repo the rotated files
--
cgit v1.2.3
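Review bot: The existing key pairs are deleted by `rm -f ./secrets/ssh/*` before anything that can fail has run, so a failing `ssh-keygen` or an unset `TLD`/`PINNED_IP` (which `set -u` only catches at the `echo` line, after the deletion) leaves `secrets/ssh/` empty with no way back. Validate the environment up front with `: "${TLD:?}" "${PINNED_IP:?}"`, generate the new material into a `mktemp -d` directory, and only replace the old files once all three artifacts exist. The commented-out `rotate()` draft and its two FIXMEs are already addressed by the live `-b 4096` lines and could be dropped, leaving a short header comment naming the two required env vars, e.g. `# Requires TLD and PINNED_IP in the environment; rewrites ./secrets/ssh/ in place.`

```shell
#!/usr/bin/env bash
set -Eeuo pipefail
cd "$(dirname "${BASH_SOURCE[0]}")"

# Fail before touching ./secrets/ssh/ if the known_hosts inputs are missing.
: "${TLD:?}" "${PINNED_IP:?}"

tmpdir="$(mktemp -d)"
trap 'rm -rf -- "${tmpdir}"' EXIT

ssh-keygen -t rsa -b 4096 -q -N '' -f "${tmpdir}/vps-box-client"
ssh-keygen -t rsa -b 4096 -q -N '' -f "${tmpdir}/vps-box-server"
PUBLIC_KEY="$(awk '{print $2}' < "${tmpdir}/vps-box-server.pub")"
printf '%s,%s ssh-rsa %s\n' "${TLD}" "${PINNED_IP}" "${PUBLIC_KEY}" > "${tmpdir}/known-hosts.txt"

# Only now discard the previous key material and move the new set into place.
rm -f ./secrets/ssh/*
mv -- "${tmpdir}"/* ./secrets/ssh/
```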