From 5ed75ea52c82bb8462b6d06e7740e6c657d72b91 Mon Sep 17 00:00:00 2001
From: hogweed1
Date: Fri, 22 May 2026 01:50:31 +1000
Subject: [PATCH] ssh-certs hosts.

---
 playbooks/ssh-certs/deploy-host-certs.yml | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/playbooks/ssh-certs/deploy-host-certs.yml b/playbooks/ssh-certs/deploy-host-certs.yml
index 4ece1c6..c2e5735 100644
--- a/playbooks/ssh-certs/deploy-host-certs.yml
+++ b/playbooks/ssh-certs/deploy-host-certs.yml
@@ -59,12 +59,6 @@
 block: |
 # Coexistence with Proxmox internal clustering (Plain Keys fallback)
 HostKey /etc/ssh/ssh_host_rsa_key
-
- # Исключение для локального кластерного трафика Proxmox
- Match User root
- PermitRootLogin yes
- PubkeyAuthentication yes
-
 marker: "# {mark} ANSIBLE MANAGED HOST RSA KEY BLOCK #"
 create: true
 mode: '0600'
@@ -81,6 +75,19 @@
 marker: "# {mark} ANSIBLE MANAGED HOST CERTIFICATE BLOCK #"
 notify: Restart SSH
+ - name: Configure ROOT ACCESS for proxmoxes
+ blockinfile:
+ path: /etc/ssh/sshd_config # Или укажите путь к дроп-ину в sshd_config.d/, если используете их
+ block: |
+ Match User root Address 127.0.0.1,::1,192.168.0.71,192.168.0.72,192.168.0.73,192.168.0.74,192.168.0.75,192.168.0.89
+ PermitRootLogin yes
+ PubkeyAuthentication yes
+ marker: "# {mark} ANSIBLE MANAGED ROOT ACCESS for proxmoxes BLOCK #"
+ create: true
+ mode: '0600'
+ validate: /usr/sbin/sshd -t -f %s
+ when: "'proxmoxes' in group_names"
+ notify: Restart SSH
 - name: Очистка временных файлов на Ansible-машине
 delegate_to: localhost
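Review bot: The new root-access Match block hard-codes the node address list (`127.0.0.1,::1,192.168.0.71,…,192.168.0.89`) in the playbook, so a Proxmox node added or renumbered later is not covered by the exception until someone edits this task; since the task is already gated on the `proxmoxes` group, the list could be built from inventory instead, e.g. `Match User root Address 127.0.0.1,::1,{{ groups['proxmoxes'] | map('extract', hostvars, 'ansible_host') | join(',') }}` (assuming `ansible_host` holds the cluster-facing address — confirm). `PermitRootLogin yes` also admits password logins from those addresses; if the inter-node traffic is key-based, as the "Plain Keys fallback" context comment suggests, `PermitRootLogin prohibit-password` is the tighter setting with the same effect, and `PubkeyAuthentication yes` is sshd's default and can be dropped. Because blockinfile appends at end of file and an sshd `Match` scope runs to end of file, any global directive another task later appends to `/etc/ssh/sshd_config` would silently fall under this Match; a comment above the task such as `# Keep this task last: the Match scope extends to EOF` would record that constraint. The restriction is only meaningful if the global `PermitRootLogin`, which is outside this hunk, is set to something stricter than `yes`.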