Add ssh-client config, closes issue #2

papanito · Aug 10, 2020 · bbe5709 · bbe5709
1 parent adbb325
commit bbe5709
Show file tree

Hide file tree

Showing 7 changed files with 68 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -5,6 +5,7 @@
 - [Role Variables](#role-variables)
   - [General parameters](#general-parameters)
   - [Cloudflare parameters](#cloudflare-parameters)
+  - [SSH Client config](#ssh-client-config)
 - [Dependencies](#dependencies)
 - [Example Playbook](#example-playbook)
 - [License](#license)
@@ -69,6 +70,8 @@ These are all variables
 |`download_baseurl`|Base url for `cloudflare` binaries|https://bin.equinox.io/c/VdrWdbjqyF/|
 |`cert_location`|Location of the certificate to be copied - see [Authenticate the daemon](#authenticate-the-daemon)|-|
 |`install_only`|Set to `true` if you only want to install the binary without any configuration or login|`false`|
+|`ssh_client_config`|Set to `true` if you want to configure the proxy configuration for your [ssh-guide-client], see [SSH Client config](#ssh-client-config)|`false`|
+|`ssh_client_config_group`|Name of the inventory group for which the ssh proxy config shall be created, see [SSH Client config](#ssh-client-config)|``|
 |`force_install`|Set to `true` if you want to re-install `cloudflared`. By default the assumption is that `cloudflared` is running as a service and automatically auto-updates.|`false`|
 |`tunnels`|[Mandatory] List of services, each one defining [Cloudflare parameters](#cloudflare-parameters)|-|
 |`do_legacy_cleanup`|Due to the changes of switching to [systemd-unit-template] you may need to cleanup the "legacy" stuff, if you used the role before.|`false`|
@@ -102,6 +105,27 @@ tunnels:
 |`retries`|Maximum number of retries for connection/protocol errors. Retries use exponential backoff (retrying at 1, 2, 4, 8, 16 seconds by default) so increasing this value significantly is not recommended - see [docu](https://developers.cloudflare.com/argo-tunnel/reference/arguments/#retries)|`5`|
 |`no_chunked_encoding`|Disables chunked transfer encoding; useful if you are running a WSGI server - see [docu](https://developers.cloudflare.com/argo-tunnel/reference/arguments/#no-chunked-encoding)|`false`|
 
+### SSH Client config
+
+From where you access your nodes via ssh which is proxied by cloudflared, you need to follow [ssh-guide-client]. You have to add the following
+
+```yml
+Host xxx.mycompany.com
+  ProxyCommand /usr/bin/cloudflared access ssh --hostname %h
+```
+
+You can achieve this configuration if you enable `ssh_client_config`. In addition you also need to specify `ssh_client_config_group`. So let's assume your inventory looks as follows:
+
+```yml
+all:
+  children:
+    servers:
+      hosts:
+        host001:
+        host002:
+```
+
+If you specify `ssh_client_config_group` = `servers` you would get an entry for `host001` and `host002`.
 
 ## Dependencies
 
@@ -112,26 +136,29 @@ none
 The following example installs an ssh-tunnel for each `server`
 
 ```yaml
-- hosts: server
+- hosts: servers
   vars:
-    hostname: "{{ inventory_hostname }}.mycompany.com"
+    systemd_user: root
+    systemd_group: root
+    cert_location: /home/papanito/cert.pem
     services:
       ssh:
+        hostname: "{{ inventory_hostname }}.mycompany.com"
         url: ssh://localhost:22
-        systemd_user: root
-        systemd_group: root
-        cert_location: /home/papanito/cert.pem
   roles:
     - papanito.cloudflared
 ```
 
-The following example simply downloads `cloudflared` on your local machine
+The following example simply downloads `cloudflared` on your local machine and configures the ssh-config file:
 
 ```yaml
 - hosts: localhost
   remote_user: papanito #your local user who has admin
   vars:
     install_only: True
+    ssh_client_config: True
+    ssh_client_config_group: servers
+    external_domain: mycompany.com
   roles:
     - papanito.cloudflared
 ```
@@ -147,7 +174,8 @@ Written by [Papanito](https://wyssmann.com) - [Gitlab](https://gitlab.com/papani
 [argo-tunnel]: https://developers.cloudflare.com/argo-tunnel
 [downloads]: https://developers.cloudflare.com/argo-tunnel/downloads
 [ssh-guide]: https://developers.cloudflare.com/access/ssh/ssh-guide/
+[ssh-guide-client]: https://developers.cloudflare.com/access/ssh/ssh-guide/#2-authenticate-the-cloudflare-daemon
 [config]: https://developers.cloudflare.com/argo-tunnel/reference/config/
 [cli-args]: https://developers.cloudflare.com/argo-tunnel/reference/arguments/
 [authenticate-the-cloudflare-daemon]: https://developers.cloudflare.com/access/ssh/ssh-guide/#2-authenticate-the-cloudflare-daemon
-[systemd-unit-template]: https://fedoramagazine.org/systemd-template-unit-files/
+[systemd-unit-template]: https://fedoramagazine.org/systemd-template-unit-files/ssh-guide-client
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -7,4 +7,6 @@ download_baseurl: https://bin.equinox.io/c/VdrWdbjqyF/
 download_folder: ./download
 install_only: False
 force_install: False
-do_legacy_cleanup: False
+do_legacy_cleanup: False
+ssh_client_config: False
+ssh_client_config_group: ""
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -16,3 +16,7 @@
 - name: Configure tunnels
   include_tasks: configure-tunnels.yml
   when: not install_only
+- name: Add ssh proxy for all servers in the ssh client config
+  include_tasks: ssh-client-config.yml
+  loop: "{{ groups['servers'] }}"
+  when: ssh_client_config
diff --git a/tasks/ssh-client-config.yml b/tasks/ssh-client-config.yml
@@ -0,0 +1,13 @@
+## https://developers.cloudflare.com/access/ssh/ssh-guide/#2-authenticate-the-cloudflare-daemon
+## Host [your hostname]
+##   ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
+
+- name: Check if {{ item }} is added to local ssh config
+  shell: grep -c "^Host {{ item }}." {{ ssh_config_file }} || true
+  register: test_grep
+
+- name: Add proxy config for {{ item }} is added to local ssh config
+  lineinfile:
+    dest: "{{ ssh_config_file }}"
+    line: "Host {{ item }}.{{ external_domain }}\n   ProxyCommand /usr/bin/cloudflared access ssh --hostname %h"
+  when: test_grep.stdout == "0"
diff --git a/tests/install_only.yml b/tests/install_only.yml
@@ -3,5 +3,8 @@
   remote_user: aedu
   vars:
     install_only: True
+    ssh_client_config: True
+    ssh_client_config_group: servers
+    external_domain: wyssmann.com
   roles:
     - ansible-role-cloudflared
diff --git a/tests/inventory b/tests/inventory
@@ -1,2 +1,8 @@
 localhost:
-  ansible_connection: local
+  ansible_connection: local
+all:
+  children:
+    servers:
+      hosts:
+        host001:
+        host002:
diff --git a/vars/main.yml b/vars/main.yml
@@ -22,4 +22,6 @@ systemd_target_dir: /etc/systemd/system/
 install_target_dir: /usr/bin
 config_dir: /etc/cloudflared
 config_dir_tunnels: "{{ config_dir }}"
-cert_name: cert.pem
+cert_name: cert.pem
+
+ssh_config_file: "~/.ssh/config"