{"id":21129613,"url":"https://github.com/pimvh/cloud_init","last_synced_at":"2025-12-29T09:45:01.355Z","repository":{"id":151279169,"uuid":"592880254","full_name":"pimvh/cloud_init","owner":"pimvh","description":"Ansible cloud-init role","archived":false,"fork":false,"pushed_at":"2023-08-20T19:31:26.000Z","size":72,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-21T06:09:52.997Z","etag":null,"topics":["ansible","ansible-pull","cloud-init","dualstack","role","ssh-ca"],"latest_commit_sha":null,"homepage":"","language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pimvh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-01-24T18:27:12.000Z","updated_at":"2023-11-15T23:19:05.000Z","dependencies_parsed_at":"2024-11-20T21:19:11.618Z","dependency_job_id":null,"html_url":"https://github.com/pimvh/cloud_init","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pimvh%2Fcloud_init","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pimvh%2Fcloud_init/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pimvh%2Fcloud_init/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pimvh%2Fcloud_init/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pimvh","download_url":"https://codeload.github.com/pimvh/cloud_init/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243573492,"owners_count":20312883,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","ansible-pull","cloud-init","dualstack","role","ssh-ca"],"created_at":"2024-11-20T05:26:25.608Z","updated_at":"2025-12-29T09:45:01.311Z","avatar_url":"https://github.com/pimvh.png","language":"Jinja","readme":"![Molecule test](https://github.com/pimvh/cloud_init/actions/workflows/test.yaml/badge.svg)\n# Requirements\n\n1. Ansible installed:\n\n```bash\nsudo apt install python3\npython3 -m ensurepip --upgrade\npip3 install ansible\n```\n\n2. Requirements.yaml installed (this role uses [pimvh.ssh_keygen](https://github.com/pimvh/ssh_keygen)):\n\n```bash\nansible-galaxy install -r requirements.yaml\n```\n\n## Required variables\n\nReview the variables as shown in defaults.\n\n```yaml\ncloud_init_machine_name: \"\"\ncloud_init_ansible_user_passwd_hash: \"\" # the hash of the password for the ansible user\ncloud_init_github_token: \"\"\n\ncloud_init_userdata:\n  hostname: hostname\n  fqdn: hostname.example.com\n  groups: []\n  users:\n    - name: my user\n      gecos: My user description\n      shell: /bin/bash\n      sudo: ALL=(ALL) NOPASSWD:ALL # passwordless sudo\n      groups: sudo                 # member of sudo\n      lock_passwd: false           # unlock password\n      passwd: \"{{ password_here |  password_hash('sha512') }}\"\n      ssh_authorized_keys: []      # optional authorized key\n  runcmd: []                       # additional command to run in cloudinit\n  writefiles: []                   # additional files to write\n  packages: []                     # additional packages to install\n\ncloud_init_networkdata:\n    # define IPs and use the `default routes` and `nameservers` below\n    ipv4: \u003c\u003c ipv4 \u003e\u003e\n    ipv6: \u003c\u003c ipv6 \u003e\u003e\n    # --- OR ---\n    # dump an entire netplan\n    # like the following\n    netplan:\n      network:\n        version: 2\n        ethernets:\n          enp1s0:\n            dhcp4: false\n            addresses:\n              - \u003c\u003c addr \u003e\u003e\n            gateway4: \u003c\u003c addr \u003e\u003e\n            gateway6: \u003c\u003c addr \u003e\u003e\n            nameservers:\n              addresses:\n              - \u003c\u003c dns_server ip \u003e\u003e\n\ncloud_init_netplan_routes:\n  - to: default\n    via: 1.0.0.1\n  - to: default\n    via: 2001:db8::11\n\ncloud_init_netplan_nameservers:\n  addresses:\n    - 1.1.1.1\n    - 1.0.0.1\n\ncloud_init_add_to_known_hosts: true\ncloud_init_reboot_on_finish: true\ncloud_init_enable_ssh_ca: true\n\n# My recommendation is to use lookup plugins like this:\n# cloud_init_ssh_host_ca_publickey: \"{{ lookup('ansible.builtin.file', 'your_ca') }}\"\n# or vars lookups like this:\n# \"{{ lookup('ansible.builtin.vars', 'your_ca') }}\"\ncloud_init_ssh_host_ca_privatekey: \"\"\ncloud_init_ssh_host_ca_privatekey_pass: \"\"\ncloud_init_ssh_host_ca_publickey: \"\"\ncloud_init_ssh_user_ca_publickeys: []\n\ncloud_init_enable_ansible_pull: false\ncloud_init_ansible_pull_repo_owner: \"\"\ncloud_init_ansible_pull_repo_name: \"\"\ncloud_init_ansible_pull_playbook_name: \"\"\ncloud_init_ansible_pull_deploy_key_name: \"Ansible-pull deploy key\"\n\ncloud_init_validity_period: 520w\ncloud_init_ssh_ca_runcmd:\n  # configure ca usage on the server\n  - echo \"@cert-authority * $(cat /etc/ssh/host_ca.pub)\" \u003e\u003e /etc/ssh/ssh_known_hosts\n  # just remove the host CAs public key\n  - rm -f /etc/ssh/host_ca.pub\n  # configure new trustedUserCAkey key by appending the create cloud-init ssh config\n  - echo \"TrustedUserCAKeys /etc/ssh/ssh_trusted_user_ca_keys\" \u003e\u003e /etc/ssh/sshd_config.d/50-cloud-init.conf\n  # restart sshd to make changes have effect\n  - systemctl restart sshd\n```\n\n# Example playbook\n\n```yaml\nhosts:\n  - foo\nroles:\n  - pimvh.cloud_init\n\n```\n\n# TLDR - What will happen if I run this\n\n- Assert required variables are defined\n- Create directory to start cloud-init files\n- Fetch Github hostkeys (when requested)\n- Generate SSH key pair for Ansible pull (when requested)\n- Configure SSH Host CAs and User CAs (when requested)\n  - Sign certificate keys on the controller\n- Configure Ansible-pull by putting requirements.yaml of the repo_url in the cloud-int config (when requested)\n- Template cloud_init\n  - Template signed certificates to cloud-init configuration\n  - Template required cloud-init userdata\n  - Template cloud-init networkdata\n  - Template Ansible pull requirements.yaml\n- Add Github deploy key to requested Ansiblepull repository (when requested)\n- Run Ansible-pull as the ansible user on the system (when requested)\n- Add SSH CA to known hosts (when requested)\n\n# Future Improvements\n\n- Find a better way to get shortlived access to Github using different auth method.\n\n# Sources\n\nPart of the SSH CA logic is based on the [following blog](https://www.thiswayup.de/blog/2021/ssh-host-key-ca-with-cloud-init-and-terraform.html)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpimvh%2Fcloud_init","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpimvh%2Fcloud_init","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpimvh%2Fcloud_init/lists"}