author | Romain Gonçalves <me@rgoncalves.se> | 2024-05-12 17:34:23 +0200 |
---|---|---|
committer | Romain Gonçalves <me@rgoncalves.se> | 2024-05-12 17:36:32 +0200 |
commit | 480496827c71acb9a52b27c7e18c4bae8d63004c (patch) | |
tree | 7dbcf9d2c140cc4c52d9abcc32be43fa8f1f3de9 | |
parent | fdd5293dd05890434c5b1660bfc44d493a4f4056 (diff) | |
download | rules-480496827c71acb9a52b27c7e18c4bae8d63004c.tar.gz |
feat(roles/sshd_keys): simplify key management
-rw-r--r-- | group_vars/all.yml | 6 | ||||
-rw-r--r-- | roles/sshd_keys/meta/main.yml | 6 | ||||
-rw-r--r-- | roles/sshd_keys/tasks/main.yml | 31 | ||||
-rw-r--r-- | site.system.yml | 1 |
4 files changed, 17 insertions, 27 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml
index ee658c1..4e56a84 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -87,11 +87,7 @@ unix_users__users: "[ {% endfor %} ]"
-sshd_keys__users: "[
- {% for user in __users %}
- {{ user.username }},
- {% endfor %}
- ]"
+sshd_keys__dir: secrets/files/authorized_keys nextcloud__users: "[ {% for user in __users %}
diff --git a/roles/sshd_keys/meta/main.yml b/roles/sshd_keys/meta/main.yml
index ccf16eb..4123733 100644
--- a/roles/sshd_keys/meta/main.yml
+++ b/roles/sshd_keys/meta/main.yml
@@ -5,12 +5,6 @@ argument_specs: short_description: sshd__keys main entrypoint. options:
- sshd_keys__users:
- type: list
- elements: str
- required: true
- description: Users to be synced - sshd_keys__dir: type: path required: true
diff --git a/roles/sshd_keys/tasks/main.yml b/roles/sshd_keys/tasks/main.yml
index 168f64d..d6cb511 100644
--- a/roles/sshd_keys/tasks/main.yml
+++ b/roles/sshd_keys/tasks/main.yml
@@ -2,27 +2,26 @@ - name: get ssh keys for all users ansible.builtin.find:
- paths: "{{ sshd__keys_paths }}"
- file_type: link
+ paths: "{{ sshd_keys__dir }}" recurse: true delegate_to: localhost run_once: true
- register: sshd__keys_result_find
+ register: sshd_keys__result_find
-- name: set sshd__keys_found_users variable
- ansible.builtin.set_fact:
- sshd__keys_found_users: "{{ sshd__keys_result_find.files
- | map(attribute='path')
- | map('dirname')
- | map('basename')
- | unique }}"
+- name: retrieve existing users
+ ansible.builtin.getent:
+ database: passwd
+ register: sshd_keys__result_getent
-- name: synchronize ssh keys
+- name: set authorized key, removing all the authorized keys already set ansible.posix.authorized_key:
- user: "{{ item.path | dirname | basename }}"
- state: present
+ user: "{{ item.path | basename }}" key: "{{ lookup('file', item.path) }}"
+ state: present
+ exclusive: true
+ when: item.path
+ | basename in sshd_keys__result_getent.ansible_facts.getent_passwd
+ | list loop_control:
- label: "{{ item.path }}: {{ item.path | dirname | basename }}"
- loop: "{{ sshd__keys_result_find.files }}"
- failed_when: false
+ label: "{{ item.path }}"
+ loop: "{{ sshd_keys__result_find.files }}"
diff --git a/site.system.yml b/site.system.yml
index 282450a..37b4d20 100644
--- a/site.system.yml
+++ b/site.system.yml
@@ -7,3 +7,4 @@ - role: unix_users - role: toolbox - role: update
+ - role: sshd_keys |
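Review bot: `exclusive: true` in the "set authorized key" task only revokes keys for users that still have a file under `sshd_keys__dir`; deleting a user's file (the natural offboarding step) never reaches `authorized_key`, so that user's existing keys stay on every host and the secrets directory is not actually authoritative despite the task name. A second task that iterates over `getent_passwd` users with no matching file and calls `ansible.posix.authorized_key` with `exclusive: true` and an empty `key` (or a convention of keeping an empty file per revoked user) would close that gap. Separately, `recurse: true` together with `user: "{{ item.path | basename }}"` ignores the directory layout, so a stray `authorized_keys/old/root` is applied to root and two same-named files in different subdirectories silently overwrite each other via `exclusive: true`; `recurse: false` (one regular file per user) pins the intended layout, and note that dropping `file_type: link` appears to make `find` skip symlinked key files unless `follow: true` is set. Finally, `sshd_keys__dir` is a relative path consumed by `find` on the controller, which resolves against the process working directory rather than Ansible's playbook-relative search used by `lookup('file')`, so `"{{ playbook_dir }}/secrets/files/authorized_keys"` would be more robust; the surrounding task list continues outside this hunk.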