Update Ansible ssh task, to remove template subbed into conditional

freedomofpress · Feb 15, 2024 · f32409f · f32409f
1 parent e2a9603
commit f32409f
Showing 1 changed file with 22 additions and 8 deletions.
diff --git a/install_files/ansible-base/roles/tails-config/tasks/create_ssh_aliases.yml b/install_files/ansible-base/roles/tails-config/tasks/create_ssh_aliases.yml
@@ -2,25 +2,39 @@
 - name: Import variables
   include_vars: "group_vars/all/site-specific"
 
-- name: Lookup v3 onion ssh files
+- name: Lookup v3 onion ssh files for config template
   stat:
     path: "{{ item }}-ssh.auth_private"
   register: "ssh_v3_onion_lookup"
   with_items:
     - app
     - mon
 
-- name: Hacky work-around to get below logic working
+- name: Hacky work-around to get config template working
   set_fact:
     mon_ip: "{{ monitor_ip }}"
 
+# Add separate lookups for app and mon to avoid unsafe conditional checks
+- name: Lookup app v3 onion ssh file
+  stat:
+    path: "app-ssh.auth_private"
+  register: "ssh_app_auth"
+
 - name: Confirm that either the app v3 onion ssh file exists or site-specific file exists
   assert:
-    that: "item.stat.exists or {{item.item}}_ip is defined"
-  with_items: "{{ ssh_v3_onion_lookup.results }}"
+    that: "ssh_app_auth.stat.exists or app_ip is defined"
+
+- name: Lookup mon v3 onion ssh file
+  stat:
+    path: "mon-ssh.auth_private"
+  register: "ssh_mon_auth"
+
+- name: Confirm that either the mon v3 onion ssh file exists or site-specific file exists
+  assert:
+    that: "ssh_mon_auth.stat.exists or monitor_ip is defined"
 
 - name: Create SSH config directory.
-  become: yes
+  become: true
   file:
     state: directory
     path: "{{ tails_config_amnesia_home }}/.ssh"
@@ -29,7 +43,7 @@
     group: amnesia
 
 - name: Create SSH alias
-  become: yes
+  become: true
   template:
     src: ssh_config.j2
     dest: "{{ item }}"
@@ -39,8 +53,8 @@
   vars:
     # Make the configured hostnames easily available to the Jinja template.
     # An explicit dictionary is necessary only because the unabbreviated key
-    # "monitor_hostname" prevents us from doing (e.g.) the following over the
-    # items in "ssh_v3_onion_lookup":
+    # "monitor_hostname" prevents us from doing (e.g.) the following over
+    # a lookup based on hostnames
     #
     #     hostvars[inventory_hostname][svc.item+'_hostname']
     hostnames: