aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRomain Gonçalves <me@rgoncalves.se>2021-12-11 21:55:28 +0000
committerRomain Gonçalves <me@rgoncalves.se>2021-12-11 21:55:28 +0000
commitd67fb68e5fcd240c6c0e8e7c6e7e804da6f6238b (patch)
treefa415a01a3f0237a539bceb0cf9c06c1c4cc0189
parentde3373e97d133e0ac76fb44deb5dea27c18d8815 (diff)
downloadrules-d67fb68e5fcd240c6c0e8e7c6e7e804da6f6238b.tar.gz
roles/sshd: Enable and cleanup key synchronization
-rw-r--r--roles/sshd/tasks/main.yml3
-rw-r--r--roles/sshd/tasks/synchronize_keys.yml65
2 files changed, 10 insertions, 58 deletions
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
index fcff3e9..54ef9c2 100644
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -6,6 +6,9 @@
group: 0
mode: 0644
+- name: include key synchronization tasks
+ include_tasks: synchronize_keys.yml
+
- name: enable and restart sshd
service:
name: sshd
diff --git a/roles/sshd/tasks/synchronize_keys.yml b/roles/sshd/tasks/synchronize_keys.yml
index cb634a4..722fdfa 100644
--- a/roles/sshd/tasks/synchronize_keys.yml
+++ b/roles/sshd/tasks/synchronize_keys.yml
@@ -1,69 +1,18 @@
-- name: retrieve all existing users
- command: cut -d ":" -f 1 /etc/passwd
- register: sshd_users
- changed_when: false
-
-- name: convert retrieved users to list
- set_fact:
- sshd_users: "{{ sshd_users.stdout_lines }}"
-
-- name: get ssh keys for all user
+- name: get ssh keys for all users
find:
- paths: "{{ inventory_dir }}/files/keys"
- pattern: "*.pub"
- recurse: true
+ paths: files/keys
file_type: link
- register: keys
- run_once: true
+ recurse: true
delegate_to: localhost
-
-- name: show pubkeys
- debug:
- msg: |
- {% for key in keys.files %}
- {{ key.path }}
- {% endfor %}
run_once: true
- delegate_to: localhost
+ register: result
- name: synchronize ssh keys
authorized_key:
user: "{{ item.path | dirname | basename }}"
state: present
key: "{{ lookup('file', item.path) }}"
- when: item.path | dirname | basename in sshd_users
- loop: "{{ keys.files }}"
- loop_control:
- label: "{{ item.path }}"
-
-- name: get users homedir
- shell: echo $(getent passwd "{{ item.path | dirname | basename }}" | cut -d ":" -f 6) "{{ item.path | dirname | basename }}"
- register: sshd_homedirs
- when: item.path | dirname | basename in sshd_users
- loop: "{{ keys.files }}"
- changed_when: false
- loop_control:
- label: "{{ item.path | dirname | basename }}"
-
-- name: clean users homedir result
- set_fact:
- sshd_homedirs: "[{% for dir in sshd_homedirs.results if dir.stdout is defined %}\"{{ dir.stdout }}\", {% endfor %}]"
-
-- name: make users homedir unique
- set_fact:
- sshd_homedirs: "{{ sshd_homedirs | unique }}"
-
-- name: show sshd homedirs for users
- debug:
- var: sshd_homedirs
-
-- name: chown ssh file to correct user
- file:
- path: "{{ item.split(' ')[0] }}/.ssh/authorized_keys"
- owner: "{{ item.split(' ')[1] }}"
- mode: "0600"
- ignore_errors: true
- when: item.split(" ")[1] in sshd_users
- loop: "{{ sshd_homedirs }}"
loop_control:
- label: "{{ item }}"
+ label: "{{ item.path }} -> user: {{ item.path | dirname | basename }}"
+ loop: "{{ result.files }}"
+ failed_when: false
remember that computers suck.