Supporting private keys in user_ansible. (#842)

gregharvey · web-flow · commit 110fb43caf70 · 2022-10-06T13:43:45.000+02:00
* Supporting private keys in user_ansible.

* Improved defaults and docs.

* User sub roles need all variables.

* Hiding private key and allowing hashing of known_hosts.
diff --git a/roles/user_ansible/defaults/main.yml b/roles/user_ansible/defaults/main.yml
@@ -14,3 +14,10 @@ user_ansible:
   groups: ""
   # List of SSH pub keys to authorize. These must be provided as strings (content of the pub key).
   ssh_keys: []
+  # List of SSH private keys to add to server. These must be provided as strings (content of the private key).
+  # Be sure to store securely using SOPS or similar.
+  ssh_private_keys: []
+  # List of hostnames to add to known_hosts.
+  known_hosts: []
+  # Whether or not to hash any provided hosts for known_hosts.
+  known_hosts_hash: true
diff --git a/roles/user_ansible/tasks/main.yml b/roles/user_ansible/tasks/main.yml
@@ -44,3 +44,36 @@
   with_items: "{{ user_ansible.ssh_keys }}"
   loop_control:
     loop_var: key
+
+- name: Copy SSH private key to target.
+  ansible.builtin.copy:
+    dest: "/home/{{ user_ansible.username }}/.ssh/{% if key_id == 0 %}id_rsa{% else %}id_rsa_{{ key_id }}{% endif %}"
+    content: "{{ key }}"
+    owner: "{{ user_ansible.username }}"
+    group: "{{ user_ansible.username }}"
+    mode: '0600'
+  with_items: "{{ user_ansible.ssh_private_keys }}"
+  no_log: true
+  loop_control:
+    loop_var: key
+    index_var: key_id
+
+- name: Ensure known_hosts file exists.
+  ansible.builtin.file:
+    path: "/home/{{ user_ansible.username }}/.ssh/known_hosts"
+    state: touch
+    owner: "{{ user_ansible.username }}"
+    group: "{{ user_ansible.username }}"
+    mode: '0600'
+  when: user_ansible.known_hosts | length
+
+- name: Add public keys to known_hosts.
+  ansible.builtin.known_hosts:
+    hash_host: "{{ user_ansible.known_hosts_hash }}"
+    path: "/home/{{ user_ansible.username }}/.ssh/known_hosts"
+    name: "{{ host }}"
+    key: "{{ lookup('pipe', 'ssh-keyscan -t rsa ' + host) }}"
+    state: present
+  with_items: "{{ user_ansible.known_hosts }}"
+  loop_control:
+    loop_var: host
diff --git a/roles/user_deploy/defaults/main.yml b/roles/user_deploy/defaults/main.yml
@@ -14,3 +14,7 @@ user_deploy:
   # List of additional groups to add the user to.
   groups: []
   ssh_keys: []
+  # If you add more than one key here, make sure the original private key of your deploy server is the first.
+  ssh_private_keys: []
+  known_hosts: []
+  known_hosts_hash: true
diff --git a/roles/user_provision/defaults/main.yml b/roles/user_provision/defaults/main.yml
@@ -12,3 +12,7 @@ user_provision:
   sudoer: true
   groups: []
   ssh_keys: []
+  # If you add more than one key here, make sure the original private key of your infra controller server is the first.
+  ssh_private_keys: []
+  known_hosts: []
+  known_hosts_hash: true
