author | Romain Gonçalves <me@rgoncalves.se> | 2021-12-11 21:55:28 +0000 |
---|---|---|
committer | Romain Gonçalves <me@rgoncalves.se> | 2021-12-11 21:55:28 +0000 |
commit | d67fb68e5fcd240c6c0e8e7c6e7e804da6f6238b (patch) | |
tree | fa415a01a3f0237a539bceb0cf9c06c1c4cc0189 | |
parent | de3373e97d133e0ac76fb44deb5dea27c18d8815 (diff) | |
download | rules-d67fb68e5fcd240c6c0e8e7c6e7e804da6f6238b.tar.gz |
roles/sshd: Enable and cleanup key synchronization
-rw-r--r-- | roles/sshd/tasks/main.yml | 3 | ||||
-rw-r--r-- | roles/sshd/tasks/synchronize_keys.yml | 65 |
2 files changed, 10 insertions, 58 deletions
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml index fcff3e9..54ef9c2 100644 --- a/roles/sshd/tasks/main.yml +++ b/roles/sshd/tasks/main.yml @@ -6,6 +6,9 @@ group: 0 mode: 0644 +- name: include key synchronization tasks + include_tasks: synchronize_keys.yml + - name: enable and restart sshd service: name: sshd diff --git a/roles/sshd/tasks/synchronize_keys.yml b/roles/sshd/tasks/synchronize_keys.yml index cb634a4..722fdfa 100644 --- a/roles/sshd/tasks/synchronize_keys.yml +++ b/roles/sshd/tasks/synchronize_keys.yml 
@@ -1,69 +1,18 @@ -- name: retrieve all existing users - command: cut -d ":" -f 1 /etc/passwd - register: sshd_users - changed_when: false - -- name: convert retrieved users to list - set_fact: - sshd_users: "{{ sshd_users.stdout_lines }}" - -- name: get ssh keys for all user +- name: get ssh keys for all users find: - paths: "{{ inventory_dir }}/files/keys" - pattern: "*.pub" - recurse: true + paths: files/keys file_type: link - register: keys - run_once: true + recurse: true delegate_to: localhost - -- name: show pubkeys - debug: - msg: | - {% for key in keys.files %} - {{ key.path }} - {% endfor %} run_once: true - delegate_to: localhost + register: result - name: synchronize ssh keys authorized_key: user: "{{ item.path | dirname | basename }}" state: present key: "{{ lookup('file', item.path) }}" - when: item.path | dirname | basename in sshd_users - loop: "{{ keys.files }}" - loop_control: - label: "{{ item.path }}" - -- name: get users homedir - shell: echo $(getent passwd "{{ item.path | dirname | basename }}" | cut -d ":" -f 6) "{{ item.path | dirname | basename }}" - register: sshd_homedirs - when: item.path | dirname | basename in sshd_users - loop: "{{ keys.files }}" - changed_when: false - loop_control: - label: "{{ item.path | dirname | basename }}" - -- name: clean users homedir result - set_fact: - sshd_homedirs: "[{% for dir in sshd_homedirs.results if dir.stdout is defined %}\"{{ dir.stdout }}\", {% endfor %}]" - -- name: make users homedir unique - set_fact: - sshd_homedirs: "{{ sshd_homedirs | unique }}" - -- name: show sshd homedirs for users - debug: - var: sshd_homedirs - -- name: chown ssh file to correct user - file: - path: "{{ item.split(' ')[0] }}/.ssh/authorized_keys" - owner: "{{ item.split(' ')[1] }}" - mode: "0600" - ignore_errors: true - when: item.split(" ")[1] in sshd_users - loop: "{{ sshd_homedirs }}" loop_control: - label: "{{ item }}" + label: "{{ item.path }} -> user: {{ item.path | dirname | basename }}" + loop: "{{ 
result.files }}" + failed_when: false |
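Review bot: `failed_when: false` on the synchronize task silences every failure of `authorized_key`, including a malformed key file or a user that does not exist on the target host, so a key that was meant to be installed can be skipped while the play still reports success; the old `when: item.path | dirname | basename in sshd_users` guard that restricted the loop to existing users is removed in the same hunk without a replacement. Prefer a visible failure over a masked one, e.g. `ignore_errors: true` together with `register: sshd_key_sync` and a follow-up task that reports `sshd_key_sync.results | selectattr('failed')`, so the operator can see which keys were not applied. Dropping `pattern: "*.pub"` from the `find` task also means any symlink under `files/keys` is now read via `lookup('file', item.path)` and offered to `authorized_key`; restoring `pattern: "*.pub"` keeps non-key files out of `authorized_keys`. The relative `paths: files/keys` appears to resolve against the controller's working directory rather than the role directory (the previous value was anchored to `inventory_dir`), which may be intended but deserves a short comment. Note too that with `state: present` and no `exclusive`, a key deleted from the repository stays authorized on the host, so this task adds keys but does not revoke them.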