Add support for bastion hosts

2026-02-15 18:20:02 -03:30 · 2016-12-09 10:38:17 +01:00
parent 33585fa673
commit 06584ee3aa
6 changed files with 51 additions and 1 deletions
--- a/roles/bastion-ssh-config/tasks/main.yml
+++ b/roles/bastion-ssh-config/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+- set_fact:
+    has_bastion: "{{ 'bastion' in groups['all'] }}"
+
+- set_fact:
+    bastion_ip: "{{ hostvars['bastion']['ansible_ssh_host'] }}"
+  when: has_bastion
+
+# As we are actually running on localhost, the ansible_ssh_user is your local user when you try to use it directly
+# To figure out the real ssh user, we delegate this task to the bastion and store the ansible_ssh_user in real_user
+- set_fact:
+    real_user: "{{ ansible_ssh_user }}"
+  delegate_to: bastion
+  when: has_bastion
+
+- name: create ssh bastion conf
+  become: false
+  template: src=ssh-bastion.conf dest="{{ playbook_dir }}/ssh-bastion.conf"
--- a/roles/bastion-ssh-config/templates/ssh-bastion.conf
+++ b/roles/bastion-ssh-config/templates/ssh-bastion.conf
@@ -0,0 +1,21 @@
+{% if has_bastion %}
+{% set vars={'hosts': ''} %}
+{% set user='' %}
+
+{% for h in groups['all'] %}
+{% if h != 'bastion' %}
+{% if vars.update({'hosts': vars['hosts'] + ' ' + hostvars[h]['ansible_ssh_host']}) %}{% endif %}
+{% endif %}
+{% endfor %}
+
+Host {{ bastion_ip }}
+  Hostname {{ bastion_ip }}
+  StrictHostKeyChecking no
+  ControlMaster auto
+  ControlPath ~/.ssh/ansible-%r@%h:%p
+  ControlPersist 5m
+
+Host {{ vars['hosts'] }}
+  ProxyCommand ssh -W %h:%p {{ real_user }}@{{ bastion_ip }}
+  StrictHostKeyChecking no
+{% endif %}