I've just started learning Ansible, so could you help me or give me some advice? The point is that I'm trying to install and configure WireGuard with an Ansible playbook (just in case: I do know how to configure WireGuard without Ansible).
So I want to share the public keys via Ansible (and then read them in wg0.conf via PublicKey = {{ lookup('file', '/etc/wireguard/publickey_client') }}).
I tried using ansible.posix.synchronize in my playbook, but when it gets to the task "share pubkey" it just starts thinking and does nothing (for a long time) until I stop the process. Starting the playbook with -vv doesn't show anything either.
Playbook wireguard_configuration.yml:
---
- hosts: client
  name: make wg keys on client
  become: true
  tasks:
    - name: wg0.conf client file
      ansible.builtin.copy:
        src: /etc/ansible/conf/wg0_client.conf
        dest: /etc/wireguard/wg0.conf
        mode: 0755
        owner: owner
    - name: creating wg keys on client
      ansible.builtin.shell:
        cmd: wg genkey | tee privatekey_client | wg pubkey > publickey_client
        chdir: /etc/wireguard
    - name: share pubkey from client to server
      ansible.posix.synchronize:
        src: /etc/wireguard/publickey_client
        dest: /etc/wireguard/publickey_client
      delegate_to: server
- hosts: server
  name: make wg keys on server
  become: true
  tasks:
    - name: wg0.conf server file
      ansible.builtin.copy:
        src: /etc/ansible/conf/wg0_server.conf
        dest: /etc/wireguard/wg0.conf
        mode: 0755
        owner: owner
    - name: creating wg keys on client
      ansible.builtin.shell:
        cmd: wg genkey | tee privatekey_server | wg pubkey > publickey_server
        chdir: /etc/wireguard
    - name: share pubkey from server to client
      ansible.posix.synchronize:
        src: /etc/wireguard/publickey_server
        dest: /etc/wireguard/publickey_server
      delegate_to: client

Posted on 2022-10-11 15:34:30
You don't need the synchronize module here: you're not trying to copy a large file hierarchy, you're trying to pass a single value from the client to the server. I think a better option is to put that value in a variable on the client and then access it through hostvars on the server.
The following playbook is one way to do that. A few things to note:
- hosts: client
  gather_facts: false
  become: true
  tasks:
    # Read an existing private key if it is available. We set
    # failed_when to false because an "error" simply means that
    # the key doesn't exist and we need to generate it.
    - name: read private key
      command: cat /etc/wireguard/privatekey_client
      failed_when: false
      changed_when: wg_private_read.rc != 0
      register: wg_private_read

    # Generate a new key if necessary. We used the "is changed" test
    # here so that we only generate a new key if we failed to read an
    # existing key in the previous task.
    - name: generate private key
      when: wg_private_read is changed
      command: wg genkey
      register: wg_private_create

    # This will either create the privatekey_client file or leave it
    # unmodified (because the content matches what we read from it
    # earlier in the "read private key" task).
    - name: write private key
      when: wg_private_read is changed
      copy:
        content: "{{ wg_private_create.stdout }}"
        dest: /etc/wireguard/privatekey_client

    # We generate a public key but we don't bother writing it to disk.
    # The client doesn't need it and we can always generate it from
    # the private key.
    - name: generate public key
      shell:
        cmd: wg pubkey
        stdin: "{{ (wg_private_read is changed)|ternary(wg_private_create.stdout, wg_private_read.stdout) }}"
      changed_when: false
      register: wg_public

- hosts: server
  gather_facts: false
  become: true
  tasks:
    - name: write client public key
      copy:
        content: "{{ hostvars.client.wg_public.stdout }}"
        dest: "/etc/wireguard/publickey_client"

Some useful documentation links:
About failed_when and changed_when
The ternary filter
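An added example, not the question's or the answer's playbook: it carries the hostvars approach through to a rendered wg0.conf on both peers and tightens the file handling that the question's playbook gets wrong, namely the private key and the config are written 0600 instead of 0755 (a 0755 wg0.conf leaves the private key readable by every local user, and wg-quick warns when the config is world accessible), and every task that touches key material sets no_log so the key never lands in the play output. It assumes an inventory with hosts named client and server, wireguard-tools installed on both, /etc/wireguard already present, and uses constructed tunnel addresses (10.0.0.0/24) and a placeholder server endpoint.

```yaml
---
# Added example, not the question's or the answer's playbook. Assumes inventory
# hosts named "client" and "server", wireguard-tools on both and an existing
# /etc/wireguard. Addresses and the endpoint are constructed placeholders.
- hosts: client:server
  gather_facts: false
  become: true
  tasks:
    # rc != 0 just means there is no key yet; that is "changed", not a failure.
    - name: read existing private key
      ansible.builtin.command: cat /etc/wireguard/privatekey
      register: wg_private_read
      failed_when: false
      changed_when: wg_private_read.rc != 0
      no_log: true   # keep key material out of the play output

    - name: generate a private key only when none exists
      ansible.builtin.command: wg genkey
      register: wg_private_create
      when: wg_private_read is changed
      no_log: true

    - name: write the private key readable by root only
      ansible.builtin.copy:
        content: "{{ wg_private_create.stdout }}\n"
        dest: /etc/wireguard/privatekey
        owner: root
        group: root
        mode: "0600"
      when: wg_private_read is changed
      no_log: true

    - name: select whichever private key this host now has
      ansible.builtin.set_fact:
        wg_privkey: "{{ (wg_private_read is changed) | ternary(wg_private_create.stdout, wg_private_read.stdout) }}"
      no_log: true

    # The public key is derived on demand and published as a host fact, so the
    # peer can read it through hostvars; nothing is rsynced between hosts.
    - name: derive the public key
      ansible.builtin.shell:
        cmd: wg pubkey
        stdin: "{{ wg_privkey }}"
      register: wg_public
      changed_when: false
      no_log: true

    - name: publish the public key as a fact
      ansible.builtin.set_fact:
        wg_pubkey: "{{ wg_public.stdout }}"

# A second play guarantees every host's wg_pubkey exists before rendering.
- hosts: client:server
  gather_facts: false
  become: true
  vars:
    wg_peer: "{{ (inventory_hostname == 'server') | ternary('client', 'server') }}"
    wg_addr:                      # constructed tunnel addressing
      server: 10.0.0.1
      client: 10.0.0.2
    wg_endpoint: "203.0.113.10:51820"   # placeholder server endpoint
  tasks:
    - name: render wg0.conf with the peer's public key from hostvars
      ansible.builtin.copy:
        content: |
          [Interface]
          PrivateKey = {{ wg_privkey }}
          Address = {{ wg_addr[inventory_hostname] }}/24
          {% if inventory_hostname == 'server' %}
          ListenPort = 51820
          {% endif %}

          [Peer]
          PublicKey = {{ hostvars[wg_peer].wg_pubkey }}
          AllowedIPs = {{ wg_addr[wg_peer] }}/32
          {% if inventory_hostname == 'client' %}
          Endpoint = {{ wg_endpoint }}
          PersistentKeepalive = 25
          {% endif %}
        dest: /etc/wireguard/wg0.conf
        owner: root
        group: root
        mode: "0600"
      no_log: true   # the rendered config contains the private key
```

Run it with ansible-playbook -i inventory wg_hostvars_example.yml (the file name is mine). Registered variables and set_fact results stay attached to their host for the rest of the run, which is why the second play can read wg_privkey for its own host and hostvars[wg_peer].wg_pubkey for the other one; splitting the work into two plays means the render step never depends on task ordering within a play. The public key is deliberately never written to disk, exactly as in the answer above; it is recomputed from the private key on every run.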
https://stackoverflow.com/questions/74027367