Using an SSH jump host for Ansible
I was working from outside home today, trying to push out changes to a bunch of my homelab servers. As usual I was using Ansible, but I was connected over Tailscale to the home network.
Now normally I would just create a socks/http proxy to one of my home machines and set the proxy environment variable like `HTTP_PROXY` and most apps would just work. But Ansible doesn’t seem to respect that environment variable.
There is an `environment` keyword that lets you set `http_proxy` variables, but that is for tasks executing remotely. They can use that environment variable for commands they are executing which need to call over the Internet. But what we need is a way to reach the target host in the first place.
Jeff Geerling has a post about using ssh args in `ansible.cfg` which looked to be exactly what I need.
But then I discovered the `-J` jump host parameter, which for some reason I had never spotted before all these years.
-J destination
Connect to the target host by first making an ssh connection to the jump host
described by destination and then establishing a TCP forwarding to the
ultimate destination from there. Multiple jump hops may be specified
separated by comma characters. This is a shortcut to specify a ProxyJump
configuration directive. Note that configuration directives supplied on the
command-line generally apply to the destination host and not any specified
jump hosts. Use `~/.ssh/config` to specify configuration for jump hosts.
So to actually use this, I had to add the following to `ansible.cfg`:
# For tailscale
[ssh_connection]
ssh_args = -J guardian.rolling-doe.ts.net
Here `guardian.rolling-doe.ts.net` is the (fictional) Tailscale hostname of the host I am trying to use as a bastion host.
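
A variant of the `ansible.cfg` above, as an added example that is not part of the original post: setting `ssh_args` replaces Ansible's built-in default for that option, so this version passes the jump host through `ssh_common_args` instead and leaves the default connection multiplexing in place. The hostname is the post's fictional one.

```ini
# ansible.cfg (added example, not the post's own file)
[ssh_connection]
# ssh_args is deliberately left unset, so Ansible keeps its default:
#   -C -o ControlMaster=auto -o ControlPersist=60s
# Overriding ssh_args with only "-J ..." drops those options, which means
# a fresh SSH handshake (through the bastion) for every task.

# ssh_common_args is appended to the arguments of ssh, scp and sftp rather
# than replacing them. ProxyJump is the directive that -J is a shortcut for,
# and the -o form is accepted by all three tools.
ssh_common_args = -o ProxyJump=guardian.rolling-doe.ts.net

# With ProxyJump the bastion only forwards TCP: authentication and host key
# checking for the target still happen on the control machine, so no agent
# forwarding is needed and no key material is exposed to the jump host.

# Options for the jump host itself (user, port, identity file) belong in
# ~/.ssh/config, as the man page excerpt above notes, because options given
# on the command line apply to the final destination only.

# To route through the bastion only while away from home, leave this file
# untouched and set the same value for a single run via the environment
# variable ANSIBLE_SSH_COMMON_ARGS instead.
```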