authorRomain Gonçalves <me@rgoncalves.se>2024-05-12 17:34:23 +0200
committerRomain Gonçalves <me@rgoncalves.se>2024-05-12 17:36:32 +0200
commit480496827c71acb9a52b27c7e18c4bae8d63004c (patch)
tree7dbcf9d2c140cc4c52d9abcc32be43fa8f1f3de9
parentfdd5293dd05890434c5b1660bfc44d493a4f4056 (diff)
downloadrules-480496827c71acb9a52b27c7e18c4bae8d63004c.tar.gz
feat(roles/sshd_keys): simplify key management
-rw-r--r--group_vars/all.yml6
-rw-r--r--roles/sshd_keys/meta/main.yml6
-rw-r--r--roles/sshd_keys/tasks/main.yml31
-rw-r--r--site.system.yml1
4 files changed, 17 insertions, 27 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml
index ee658c1..4e56a84 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -87,11 +87,7 @@ unix_users__users: "[
{% endfor %}
]"
-sshd_keys__users: "[
- {% for user in __users %}
- {{ user.username }},
- {% endfor %}
- ]"
+sshd_keys__dir: secrets/files/authorized_keys
nextcloud__users: "[
{% for user in __users %}
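Review bot: The new `sshd_keys__dir` value is a relative path, and the find task in roles/sshd_keys/tasks/main.yml consumes it with `delegate_to: localhost`, so where it resolves may depend on the working directory the ansible-playbook process was started from rather than on the playbook's location. If the intent is the repository's own `secrets/files/authorized_keys`, anchoring it explicitly, `sshd_keys__dir: "{{ playbook_dir }}/secrets/files/authorized_keys"`, removes that dependency on how the playbook is invoked. The role's argument spec declares the variable as `type: path`, which expands `~` but does not fix the base directory either.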
diff --git a/roles/sshd_keys/meta/main.yml b/roles/sshd_keys/meta/main.yml
index ccf16eb..4123733 100644
--- a/roles/sshd_keys/meta/main.yml
+++ b/roles/sshd_keys/meta/main.yml
@@ -5,12 +5,6 @@ argument_specs:
short_description: sshd__keys main entrypoint.
options:
- sshd_keys__users:
- type: list
- elements: str
- required: true
- description: Users to be synced
-
sshd_keys__dir:
type: path
required: true
diff --git a/roles/sshd_keys/tasks/main.yml b/roles/sshd_keys/tasks/main.yml
index 168f64d..d6cb511 100644
--- a/roles/sshd_keys/tasks/main.yml
+++ b/roles/sshd_keys/tasks/main.yml
@@ -2,27 +2,26 @@
- name: get ssh keys for all users
ansible.builtin.find:
- paths: "{{ sshd__keys_paths }}"
- file_type: link
+ paths: "{{ sshd_keys__dir }}"
recurse: true
delegate_to: localhost
run_once: true
- register: sshd__keys_result_find
+ register: sshd_keys__result_find
-- name: set sshd__keys_found_users variable
- ansible.builtin.set_fact:
- sshd__keys_found_users: "{{ sshd__keys_result_find.files
- | map(attribute='path')
- | map('dirname')
- | map('basename')
- | unique }}"
+- name: retrieve existing users
+ ansible.builtin.getent:
+ database: passwd
+ register: sshd_keys__result_getent
-- name: synchronize ssh keys
+- name: set authorized key, removing all the authorized keys already set
ansible.posix.authorized_key:
- user: "{{ item.path | dirname | basename }}"
- state: present
+ user: "{{ item.path | basename }}"
key: "{{ lookup('file', item.path) }}"
+ state: present
+ exclusive: true
+ when: item.path
+ | basename in sshd_keys__result_getent.ansible_facts.getent_passwd
+ | list
loop_control:
- label: "{{ item.path }}: {{ item.path | dirname | basename }}"
- loop: "{{ sshd__keys_result_find.files }}"
- failed_when: false
+ label: "{{ item.path }}"
+ loop: "{{ sshd_keys__result_find.files }}"
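Review bot: `exclusive: true` on the authorized_key task at the end of the hunk is applied per loop item, not across the whole loop, so with `recurse: true` and the `file_type: link` filter removed, two files under `sshd_keys__dir` whose basename maps to the same passwd user would each replace the other's keys and the last one found would silently win. A comment on the task, `# exclusive is applied per loop item: keep exactly one key file per user under sshd_keys__dir`, would record the assumption the find task relies on, and an explicit `file_type: file` would keep the intent visible now that the link filter is gone. Note also that the removal the task name promises only reaches users that have a file: a passwd user with no file keeps whatever authorized_keys the host already had, which is presumably intended but worth stating in the task name or a comment. The multi-line plain `when:` whose continuation lines begin with `|` reads like a block-scalar header at a glance; the same expression under `when: >-` avoids the ambiguity without changing it.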
diff --git a/site.system.yml b/site.system.yml
index 282450a..37b4d20 100644
--- a/site.system.yml
+++ b/site.system.yml
@@ -7,3 +7,4 @@
- role: unix_users
- role: toolbox
- role: update
+ - role: sshd_keys