Fix problems with ssh_keys - switch to ansible_host

roles/ansible_node/defaults/main.yml

@@ -13,7 +13,7 @@ ansible_node_playbook_galaxy_script: "{{ ansible_pip_venv_path + '/bin/ansible-g
 # and all playbooks in files/playbooks/IDENTIFIER/ are copied to /etc/ansible/playbooks.
 # The host file and the playbooks directory has to be exist, if identifier is specified.
 # Default identifier is 'inventory_hostname'
-# Set it to '', if you do not want it (like on pm)
+# Set it to '', if you do not want it (like on alphanodes-pm)
 ansible_node_identifier: '{{ inventory_hostname }}'
 
 # Roles to install (only done, if ansible_node_identifier != '')

roles/fail2ban/defaults/main.yml

@@ -25,7 +25,14 @@ fail2ban_sshd_ddos: false
 fail2ban_roundcube_auth: false
 fail2ban_roundcube_auth_log: /srv/roundcube/logs/errors.log
 
-fail2ban_ignoreip: '127.0.0.1/8 {{ lxc_internal_subnet }} {{ hostvars["s1"].ip_address_v4 }}/32 {{ hostvars["s2"].ip_address_v4 }}/32 {{ hostvars["s5"].ip_address_v4 }}/32 {{ hostvars["backup"].ip_address_v4 }}/32 {{ hostvars["code"].ext_ip_address_v4 }}/32'
+fail2ban_ignoreip:
+  - '127.0.0.1/8'
+  - '{{ lxc_internal_subnet }}'
+  - '{{ backup_ip_address_v4 }}/32'
+  - '{{ ext_ip_address_v4 | default(ip_address_v4) }}/32'
+  - '{{ hostvars["alphanodes-broker"].ip_address_v4 }}/32'
+  - '{{ hostvars["alphanodes-git"].ip_address_v4 }}/32'
+  - '{{ hostvars["alphanodes-monitor"].ip_address_v4 }}/32'
 fail2ban_destemail: "{{ alphanodes_support_mail | default('root@localhost') }}"
 fail2ban_action: "%(action_)s"
 fail2ban_backend: systemd

roles/fail2ban/templates/jail.local.j2

@@ -17,7 +17,7 @@ before = paths-debian.conf
 # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
 # ban a host which matches an address in this list. Several addresses can be
 # defined using space separator.
-ignoreip = {{ fail2ban_ignoreip }}
+ignoreip = {{ fail2ban_ignoreip | join(' ') }}
 
 # External command that will take an tagged arguments to ignore, e.g. <ip>,
 # and return true if the IP is to be ignored. False otherwise.

roles/gitlab/defaults/main.yml

@@ -292,4 +292,3 @@ gitlab_backup_pg_schema: public
 
 gitlab_monitoring_ip_whitelist:
   - 127.0.0.0/8
-  - '{{ lxc_internal_subnet }}'

roles/ssh/tasks/host_keys.yml

@@ -28,21 +28,24 @@
     name: '{{ item }}'
     state: absent
   loop:
-    - '{{ inventory_hostname }}'
-    - "`dig +short {{ inventory_hostname }}`"
+    - '{{ ansible_host }}'
+    - "`dig +short {{ ansible_host }}`"
   delegate_to: localhost
 
-# ip address with custom ssh port is not supported at the moment
-- name: Collect new host entries for known_hosts file
-  ansible.builtin.shell: "ssh-keyscan -t ed25519,rsa {{ inventory_hostname }},`dig +short {{ inventory_hostname }}`"
-  register: ssh_known_host_results
-  ignore_errors: true
-  delegate_to: localhost
-
-- name: Add new host key to known_hosts file
-  ansible.builtin.known_hosts:
-    name: '{{ inventory_hostname }}'
-    key: '{{ ssh_known_host_results.stdout }}'
-    state: present
-  delegate_to: localhost
-  when: ssh_known_host_results.stdout | length > 0
+- name: add host keys
+  when: ansible_host != ip_address_v4 and (ext_ip_address_v4 is undefined or ansible_host != ext_ip_address_v4)
+  block:
+    # ip address with custom ssh port is not supported at the moment
+    - name: Collect new host entries for known_hosts file
+      ansible.builtin.shell: "ssh-keyscan -t ed25519,rsa {{ ansible_host }},`dig +short {{ ansible_host }}`"
+      register: ssh_known_host_results
+      ignore_errors: true
+      delegate_to: localhost
+
+    - name: Add new host key to known_hosts file
+      ansible.builtin.known_hosts:
+        name: '{{ ansible_host }}'
+        key: '{{ ssh_known_host_results.stdout }}'
+        state: present
+      delegate_to: localhost
+      when: ssh_known_host_results.stdout | length > 0