Support specifying custom SSH public key.

global_vars/default-site.yml

@@ -4,6 +4,11 @@
 # This file is mutated by the playbooks/customize.yml tasks when a user chooses
 # to customize which Streisand services are installed.
 
+# The SSH private key that Ansible will use to connect to the Streisand node.
+# The associated public key will be used if required when provisioning cloud
+# nodes for the authorized_keys file.
+streisand_ssh_private_key: "~/.ssh/id-rsa"
+
 vpn_clients: 5
 
 streisand_l2tp_enabled: yes

playbooks/amazon.yml

@@ -109,7 +109,7 @@
   roles:
     - genesis-amazon
 
-
+- include: ssh-setup.yml
 - include: cloud-status.yml
 - include: streisand.yml
 ...

playbooks/azure.yml

@@ -131,6 +131,7 @@
   roles:
     - genesis-azure
 
+- include: ssh-setup.yml
 - include: cloud-status.yml
 - include: streisand.yml
 ...

playbooks/customize.yml

@@ -4,6 +4,10 @@
   gather_facts: no
 
   vars_prompt:
+    - name: streisand_ssh_private_key
+      prompt: "Enter the path to your SSH private key, or press enter for default "
+      default: "~/.ssh/id_rsa"
+      private: no
     - name: vpn_clients
       prompt: "How many VPN client profiles should be generated per-service? Press enter for default "
       default: 5
@@ -46,6 +50,10 @@
       private: no
 
   tasks:
+    - lineinfile:
+        path: "{{ streisand_site_vars }}"
+        regexp: "^streisand_ssh_private_key: .*$"
+        line: "streisand_ssh_private_key: {{ streisand_ssh_private_key }}"
     - lineinfile:
         path: "{{ streisand_site_vars }}"
         regexp: "^vpn_clients: [\\d]+$"

playbooks/digitalocean.yml

@@ -50,7 +50,7 @@
       private: no
 
     - name: "do_ssh_name"
-      prompt: "\n\nThe following information can be found on your DigitalOcean control panel.\nhttps://cloud.digitalocean.com/settings/security\n\nWhat is the name of the DigitalOcean SSH key that you would like to use?\n  * If you have never uploaded an SSH key to DigitalOcean then the default\n    value will work!\n  * This key should match your .ssh/id_rsa.pub file.\n\  * DigitalOcean requires SSH keys to be unique. You cannot upload multiple\n    keys that have the same value under different names.\n\n    If you see an error that says 'SSH Key failed to be created' once the setup\n    process starts, then this is the problem. You can retry the setup process\n    using the name of the existing SSH key from the DigitalOcean control panel\n    that matches the contents of your RSA public key.\n"
+      prompt: "\n\nThe following information can be found on your DigitalOcean control panel.\nhttps://cloud.digitalocean.com/settings/security\n\nWhat is the name of the DigitalOcean SSH key that you would like to use?\n  * If you have never uploaded an SSH key to DigitalOcean then the default\n    value will work!\n  * This key should match your Streisand SSH key file (default: ~/.ssh/id_rsa.pub).\n\  * DigitalOcean requires SSH keys to be unique. You cannot upload multiple\n    keys that have the same value under different names.\n\n    If you see an error that says 'SSH Key failed to be created' once the setup\n    process starts, then this is the problem. You can retry the setup process\n    using the name of the existing SSH key from the DigitalOcean control panel\n    that matches the contents of your RSA public key.\n"
       default: "streisand"
       private: no
 
@@ -60,7 +60,7 @@
   roles:
     - genesis-digitalocean
 
-
+- include: ssh-setup.yml
 - include: cloud-status.yml
 - include: streisand.yml
 ...

playbooks/existing-server.yml

@@ -3,6 +3,30 @@
 # role to create a new server and instead applies Streisand to an existing
 # remote server.
 
+- name: Register the genesis role in use
+  hosts: localhost
+  gather_facts: yes
+  tasks:
+    - set_fact:
+        streisand_genesis_role: "existing-server"
+
+- include: ssh-setup.yml
+
+- name: Check SSH access to existing server
+  hosts: streisand-host
+  gather_facts: no
+  remote_user: "{{ lookup('env', 'SSH_USER') }}"
+  become: true
+  tasks:
+    - block:
+        - raw: whoami
+          args:
+            executable: /bin/bash
+          changed_when: False
+      rescue:
+        - fail:
+            msg: "Unable to SSH to existing streisand-host.\nEnsure private key corresponding to \"{{ streisand_ssh_key }}\" is loaded in your SSH key agent.\nTry using `ssh-keygen -i {{ streisand_ssh_key }} to generate your key if it does not exist\n"
+
 # Ensure Python is installed on the system
 - include: python.yml
 
@@ -12,12 +36,8 @@
 - name: Prepare the remote server for Streisand
 # =========================================
   hosts: streisand-host
-  remote_user: "root"
+  remote_user: "{{ lookup('env', 'SSH_USER') }}"
   become: true
 
-  tasks:
-    - set_fact:
-        streisand_genesis_role: "existing-server"
-
 - include: streisand.yml
 ...

playbooks/google.yml

@@ -127,7 +127,7 @@
   roles:
     - genesis-google
 
-
+- include: ssh-setup.yml
 - include: cloud-status.yml
 - include: streisand.yml
 ...

playbooks/linode.yml

@@ -49,6 +49,6 @@
   roles:
     - genesis-linode
 
-
+- include: ssh-setup.yml
 - include: streisand.yml
 ...

playbooks/rackspace.yml

@@ -45,6 +45,7 @@
   roles:
     - genesis-rackspace
 
+- include: ssh-setup.yml
 - include: cloud-status.yml
 - include: streisand.yml
 ...

playbooks/roles/diagnostics/templates/streisand-diagnostics.md.j2

@@ -48,6 +48,7 @@ It will help the developers reproduce your problem and provide a fix.
 * Streisand Git revision: {{ streisand_diagnostics_git_rev.stdout }}
 * Streisand Git clone has untracked changes: {{ streisand_diagnostics_git_untracked.stdout }}
 * Genesis role: {{ streisand_genesis_role | default("None") }}
+* Custom SSH key: {{ streisand_ssh_private_key != "~/.ssh/id_rsa" }}
 
 ### Enabled Roles
 

playbooks/roles/genesis-amazon/tasks/main.yml

@@ -2,6 +2,11 @@
 - set_fact:
     streisand_genesis_role: "genesis-amazon"
 
+- name: "Get the {{ streisand_ssh_private_key }}.pub contents"
+  command: "cat {{ streisand_ssh_private_key }}.pub"
+  register: ssh_key
+  changed_when: False
+
 - name: Remove the 'streisand' SSH key from Amazon if it already exists. This is to prevent problems if two people with two different keys are sharing the same AWS account.
   ec2_key:
     name: streisand-ssh
@@ -11,11 +16,6 @@
     region: "{{ aws_region }}"
     wait: yes
 
-- name: Get the default SSH key
-  command: cat ~/.ssh/id_rsa.pub
-  register: ssh_key
-  changed_when: False
-
 - name: Add the SSH key to Amazon under the name of 'streisand-ssh'
   ec2_key:
     name: streisand-ssh

playbooks/roles/genesis-azure/tasks/main.yml

@@ -2,8 +2,8 @@
 - set_fact:
     streisand_genesis_role: "genesis-azure"
 
-- name: Get the default SSH key
-  command: cat ~/.ssh/id_rsa.pub
+- name: "Get the {{ streisand_ssh_private_key }}.pub contents"
+  command: "cat {{ streisand_ssh_private_key }}.pub"
   register: ssh_key
   changed_when: False
 

playbooks/roles/genesis-digitalocean/tasks/main.yml

@@ -2,15 +2,15 @@
 - set_fact:
     streisand_genesis_role: "genesis-digitalocean"
 
+- name: "Get the {{ streisand_ssh_private_key }}.pub contents"
+  command: "cat {{ streisand_ssh_private_key }}.pub"
+  register: ssh_key
+  changed_when: False
+
 - name: Set the DigitalOcean Access Token fact to the value that was entered, or attempt to retrieve it from the environment if the entry is blank
   set_fact:
     do_access_token: "{{ do_access_token_entry | default( lookup('env', 'DO_API_KEY') ) }}"
 
-- name: Get the default SSH key
-  command: cat ~/.ssh/id_rsa.pub
-  register: ssh_key
-  changed_when: False
-
 - block:
     - name: Add the SSH key to DigitalOcean if it doesn't already exist
       digital_ocean:

playbooks/roles/genesis-google/tasks/main.yml

@@ -2,8 +2,8 @@
 - set_fact:
     streisand_genesis_role: "genesis-google"
 
-- name: Get the default SSH key
-  command: cat ~/.ssh/id_rsa.pub
+- name: "Get the {{ streisand_ssh_private_key }}.pub contents"
+  command: "cat {{ streisand_ssh_private_key }}.pub"
   register: ssh_key
   changed_when: False
 

playbooks/roles/genesis-linode/tasks/main.yml

@@ -2,8 +2,8 @@
 - set_fact:
     streisand_genesis_role: "genesis-linode"
 
-- name: Get the default SSH key
-  command: cat ~/.ssh/id_rsa.pub
+- name: "Get the {{ streisand_ssh_private_key }}.pub contents"
+  command: "cat {{ streisand_ssh_private_key }}.pub"
   register: ssh_key
   changed_when: False
 

playbooks/roles/genesis-rackspace/tasks/main.yml

@@ -2,6 +2,11 @@
 - set_fact:
     streisand_genesis_role: "genesis-rackspace"
 
+- name: "Get the {{ streisand_ssh_private_key }}.pub contents"
+  command: "cat {{ streisand_ssh_private_key }}.pub"
+  register: ssh_key
+  changed_when: False
+
 - name: Create the server
   rax:
     api_key: "{{ rackspace_api_key }}"
@@ -11,7 +16,7 @@
     image: "{{ rackspace_image }}"
     region: "{{ regions[rackspace_region] }}"
     files:
-      /root/.ssh/authorized_keys: ~/.ssh/id_rsa.pub
+      /root/.ssh/authorized_keys: "{{ streisand_ssh_key }}"
     wait: yes
   register: streisand_server
 

playbooks/roles/validation/tasks/main.yml

@@ -1,4 +1,7 @@
 ---
+# Check SSH key exists
+- include: ssh.yml
+
 - name: Validate that OpenVPN optional variables are rational
   fail:
     msg: "stunnel cannot be enabled if openvpn is disabled"

playbooks/roles/validation/tasks/ssh.yml

@@ -0,0 +1,28 @@
+---
+- block:
+    - name: "Stat the Streisand SSH private key"
+      stat:
+        path: "{{ streisand_ssh_private_key }}"
+      register: streisand_ssh_private_key_status
+      changed_when: False
+    - name: "Fail if the Streisand SSH private key file doesn't exist"
+      fail:
+        msg: "The Streisand SSH private key \"{{ streisand_ssh_private_key }}\" does not exist."
+      when: streisand_ssh_private_key_status.stat.exists == False
+    - name: "Stat the Streisand SSH public key"
+      stat:
+        path: "{{ streisand_ssh_private_key }}.pub"
+      register: streisand_ssh_key_status
+      changed_when: False
+    - name: "Fail if the Streisand SSH public key file doesn't exist"
+      fail:
+        msg: "The Streisand SSH public key \"{{ streisand_ssh_private_key }}.pub\" does not exist."
+      when: streisand_ssh_key_status.stat.exists == False
+      #- name: "Register the Streisand SSH public key"
+      #command: "cat {{ streisand_ssh_private_key }}.pub"
+      #register: streisand_ssh_key
+      #changed_when: False
+
+  rescue:
+    - fail:
+        msg: "Ensure you specified an existing SSH private key file (not public).\n Try using `ssh-keygen -f {{ streisand_ssh_private_key }} to generate your key if it does not exist\n"

playbooks/ssh-setup.yml

@@ -0,0 +1,7 @@
+---
+- name: Configure Ansible SSH
+  hosts: streisand-host
+  gather_facts: no
+  tasks:
+    - set_fact:
+        ansible_ssh_private_key_file: "{{ streisand_ssh_private_key }}"

playbooks/vagrant.yml

@@ -21,5 +21,6 @@
   roles:
     - validation
 
+- include: ssh-setup.yml
 - include: streisand.yml
 ...

streisand

@@ -47,18 +47,34 @@ function check_python() {
   fi
 }
 
-# check_ssh_key checks that there is a `~/.ssh/id_rsa.pub` file present.
-# Streisand requires this key be present.
-function check_ssh_key() {
-  local STREISAND_SSH_KEY="$HOME/.ssh/id_rsa.pub"
-
-  if [ ! -f "$STREISAND_SSH_KEY" ]
-  then
-    echo "
-Streisand requires a RSA SSH key be present at '$HOME/.ssh/id_rsa.pub'.
-Please create this keypair by running 'ssh-keygen'"
-    exit 1
-  fi
+# validate runs the validation role to check the consistency of the Streisand
+# service vars (e.g. that at least one service is enabled after customization of
+# $SITE_VARS).
+function validate() {
+  echo; echo; ansible-playbook \
+    --extra-vars="@$GLOBAL_VARS" \
+    --extra-vars="@$DEFAULT_SITE_VARS" \
+    --extra-vars="@$SITE_VARS" \
+    playbooks/validate.yml
+}
+
+# customize prompts the user to decide if they want to customize the Streisand
+# installation. If the user wishes, the playbooks/customize.yml role is used to
+# change the base installation by rewriting the $SITE_VARS file.
+function customize() {
+  read -r -p "
+Do you wish to customize this Streisand installation?
+Please enter the word 'yes' or hit enter to continue: " confirm
+  case "$confirm" in
+    yes) echo; echo "Confirmed. Customizing Streisand.";
+         # NOTE(@cpu): We don't pass the other `--extra-vars` here because the
+         # customize `vars_prompt` will only happen if the vars aren't already
+         # set. If you pass the site/defaults in no prompting will happen.
+         echo; echo; ansible-playbook \
+           --extra-vars="@$GLOBAL_VARS" \
+           playbooks/customize.yml;;
+    *) echo; echo "Installing Streisand services specified in $SITE_VARS";;
+  esac
 }
 
 # validate runs the validation role to check the consistency of the Streisand
@@ -170,10 +186,6 @@ localhost ansible_connection=local ansible_python_interpreter=python
 $SERVER_IP ansible_user=$SSH_USER
 EOF
 
-  # Test a SSH connection to the server using the key Streisand assumes will be
-  # used for server access
-  ssh -i ~/.ssh/id_rsa "$SSH_USER@$SERVER_IP" -o BatchMode=yes -t true
-
   # Create the inventory file
   echo "$TEMPL" > inventories/inventory-existing
   # Invoke the Streisand playbook on the existing server inventory
@@ -184,7 +196,6 @@ EOF
 init_homedir
 check_python
 check_ansible
-check_ssh_key
 
 # Figure out which genesis role to invoke
 read -r -p "Which provider are you using?

tests/development-setup.yml

@@ -4,10 +4,6 @@
   remote_user: root
   become: yes
   pre_tasks:
-    - name: Perform global vars sanity check
-      include_role:
-        name: validation
-
     # NOTE(@alimakki): Due to key rotation, we pre-emptivley
     # add the Google linux apt signing key required by some
     # packages
@@ -135,7 +131,7 @@
         path: /var/lib/lxd/unix.socket
         mode: "0777"
 
-    - name: Launch streisand container(This will take a while)
+    - name: Launch streisand container (this will take a while)
       lxd_container:
         name: streisand
         state: started