ssh-certs hosts.

2026-05-22 01:50:31 +10:00
parent 413a83dddb
commit 5ed75ea52c
1 changed files with 13 additions and 6 deletions
--- a/playbooks/ssh-certs/deploy-host-certs.yml
+++ b/playbooks/ssh-certs/deploy-host-certs.yml
@@ -59,12 +59,6 @@
        block: | 
          # Coexistence with Proxmox internal clustering (Plain Keys fallback)
          HostKey /etc/ssh/ssh_host_rsa_key 
-
-          # Исключение для локального кластерного трафика Proxmox
-          Match User root
-              PermitRootLogin yes
-              PubkeyAuthentication yes
-          #
        marker: "# {mark} ANSIBLE MANAGED HOST RSA KEY BLOCK #"
        create: true
        mode: '0600'
@@ -81,6 +75,19 @@
        marker: "# {mark} ANSIBLE MANAGED HOST CERTIFICATE BLOCK #"
      notify: Restart SSH

+    - name: Configure ROOT ACCESS for proxmoxes
+      blockinfile:
+        path: /etc/ssh/sshd_config  # Или укажите путь к дроп-ину в sshd_config.d/, если используете их
+        block: | 
+          Match User root Address 127.0.0.1,::1,192.168.0.71,192.168.0.72,192.168.0.73,192.168.0.74,192.168.0.75,192.168.0.89
+              PermitRootLogin yes
+              PubkeyAuthentication yes
+        marker: "# {mark} ANSIBLE MANAGED  ROOT ACCESS for proxmoxes BLOCK #"
+        create: true
+        mode: '0600'
+        validate: /usr/sbin/sshd -t -f %s
+      when: "'proxmoxes' in group_names"
+      notify: Restart SSH

    - name: Очистка временных файлов на Ansible-машине
      delegate_to: localhost