From 28443c79da9a66a2c992ab999e4261ea51112b61 Mon Sep 17 00:00:00 2001
From: gregharvey
Date: Thu, 6 Oct 2022 12:15:02 +0200
Subject: [PATCH 1/4] Supporting private keys in user_ansible.
---
 roles/user_ansible/defaults/main.yml | 4 ++++
 roles/user_ansible/tasks/main.yml | 31 ++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)
diff --git a/roles/user_ansible/defaults/main.yml b/roles/user_ansible/defaults/main.yml
index 63d909c60..9ceea3181 100644
--- a/roles/user_ansible/defaults/main.yml
+++ b/roles/user_ansible/defaults/main.yml
@@ -14,3 +14,7 @@ user_ansible:
 groups: ""
 # List of SSH pub keys to authorize. These must be provided as strings (content of the pub key).
 ssh_keys: []
+ # List of SSH private keys to add to server. Should always be stored using SOPS or similar.
+ ssh_private_keys: []
+ # List of hostnames to add to known_hosts.
+ known_hosts: []
diff --git a/roles/user_ansible/tasks/main.yml b/roles/user_ansible/tasks/main.yml
index a643da3ef..12b5b29c7 100644
--- a/roles/user_ansible/tasks/main.yml
+++ b/roles/user_ansible/tasks/main.yml
@@ -44,3 +44,34 @@
 with_items: "{{ user_ansible.ssh_keys }}"
 loop_control:
 loop_var: key
+
+- name: Copy SSH private key to target.
+ ansible.builtin.copy:
+ dest: "/home/{{ user_ansible.username }}/.ssh/{% if key_id == 0 %}id_rsa{% else %}id_rsa_{{ key_id }}{% endif %}"
+ content: "{{ key }}"
+ owner: "{{ user_ansible.username }}"
+ group: "{{ user_ansible.username }}"
+ mode: '0600'
+ with_items: "{{ user_ansible.ssh_private_keys }}"
+ loop_control:
+ loop_var: key
+ index_var: key_id
+
+- name: Ensure known_hosts file exists.
+ ansible.builtin.file:
+ path: "/home/{{ user_ansible.username }}/.ssh/known_hosts"
+ state: touch
+ owner: "{{ user_ansible.username }}"
+ group: "{{ user_ansible.username }}"
+ mode: '0600'
+ when: user_ansible.known_hosts | length
+
+- name: Add public keys to known_hosts.
+ ansible.builtin.known_hosts:
+ path: "/home/{{ user_ansible.username }}/.ssh/known_hosts"
+ name: "{{ host }}"
+ key: "{{ lookup('pipe', 'ssh-keyscan -t rsa ' + host) }}"
+ state: present
+ with_items: "{{ user_ansible.known_hosts }}"
+ loop_control:
+ loop_var: host
From 32a66cb2633aaff90b832cc3f5c757ee027b1bce Mon Sep 17 00:00:00 2001
From: gregharvey
Date: Thu, 6 Oct 2022 12:27:22 +0200
Subject: [PATCH 2/4] Improved defaults and docs.
---
 roles/user_ansible/defaults/main.yml | 3 ++-
 roles/user_deploy/defaults/main.yml | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/roles/user_ansible/defaults/main.yml b/roles/user_ansible/defaults/main.yml
index 9ceea3181..980dd3528 100644
--- a/roles/user_ansible/defaults/main.yml
+++ b/roles/user_ansible/defaults/main.yml
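Review bot: The `key:` line of the "Add public keys to known_hosts" task trusts whatever host key `ssh-keyscan` receives at run time, so the entry is pinned to an unverified first sighting rather than to a key the operator has checked, and `host` is concatenated unquoted into a shell command that the `pipe` lookup runs on the controller, so a list entry containing shell metacharacters alters the command. At minimum quote the interpolated value, `key: "{{ lookup('pipe', 'ssh-keyscan -t rsa ' + (host | quote)) }}"`, and consider letting `known_hosts` entries carry a pre-verified key so the scan is only a fallback. `-t rsa` also means a host that publishes only ed25519 or ecdsa host keys returns an empty result, which presumably makes the module fail or record nothing; the exact behaviour is not visible here. Separately, `state: touch` in the "Ensure known_hosts file exists" task reports changed on every run; adding `modification_time: preserve` and `access_time: preserve` keeps it idempotent.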
@@ -14,7 +14,8 @@ user_ansible:
 groups: ""
 # List of SSH pub keys to authorize. These must be provided as strings (content of the pub key).
 ssh_keys: []
- # List of SSH private keys to add to server. Should always be stored using SOPS or similar.
+ # List of SSH private keys to add to server.
+ # Should be the full private key contents and always be stored using SOPS or similar.
 ssh_private_keys: []
 # List of hostnames to add to known_hosts.
 known_hosts: []
diff --git a/roles/user_deploy/defaults/main.yml b/roles/user_deploy/defaults/main.yml
index 75a871ffd..3b04cc159 100644
--- a/roles/user_deploy/defaults/main.yml
+++ b/roles/user_deploy/defaults/main.yml
@@ -14,3 +14,5 @@ user_deploy:
 # List of additional groups to add the user to.
 groups: []
 ssh_keys: []
+ # If you add more than one key here, make sure the original private key of your deploy server is the first.
+ ssh_private_keys: []
From 11811ce9d2e3908b268f35ba4ca4a4f98596caea Mon Sep 17 00:00:00 2001
From: gregharvey
Date: Thu, 6 Oct 2022 12:46:28 +0200
Subject: [PATCH 3/4] User sub roles need all variables.
---
 roles/user_ansible/defaults/main.yml | 4 ++--
 roles/user_deploy/defaults/main.yml | 1 +
 roles/user_provision/defaults/main.yml | 3 +++
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/roles/user_ansible/defaults/main.yml b/roles/user_ansible/defaults/main.yml
index 980dd3528..bf255e126 100644
--- a/roles/user_ansible/defaults/main.yml
+++ b/roles/user_ansible/defaults/main.yml
@@ -14,8 +14,8 @@ user_ansible:
 groups: ""
 # List of SSH pub keys to authorize. These must be provided as strings (content of the pub key).
 ssh_keys: []
- # List of SSH private keys to add to server.
- # Should be the full private key contents and always be stored using SOPS or similar.
+ # List of SSH private keys to add to server. These must be provided as strings (content of the private key).
+ # Be sure to store securely using SOPS or similar.
 ssh_private_keys: []
 # List of hostnames to add to known_hosts.
 known_hosts: []
diff --git a/roles/user_deploy/defaults/main.yml b/roles/user_deploy/defaults/main.yml
index 3b04cc159..97dd3c2d9 100644
--- a/roles/user_deploy/defaults/main.yml
+++ b/roles/user_deploy/defaults/main.yml
@@ -16,3 +16,4 @@ user_deploy:
 ssh_keys: []
 # If you add more than one key here, make sure the original private key of your deploy server is the first.
 ssh_private_keys: []
+ known_hosts: []
diff --git a/roles/user_provision/defaults/main.yml b/roles/user_provision/defaults/main.yml
index b38ec3612..82e008317 100644
--- a/roles/user_provision/defaults/main.yml
+++ b/roles/user_provision/defaults/main.yml
@@ -12,3 +12,6 @@ user_provision:
 sudoer: true
 groups: []
 ssh_keys: []
+ # If you add more than one key here, make sure the original private key of your infra controller server is the first.
+ ssh_private_keys: []
+ known_hosts: []
From 6e7f283c98c859c9d276b32a4af02ace04198463 Mon Sep 17 00:00:00 2001
From: gregharvey
Date: Thu, 6 Oct 2022 13:21:07 +0200
Subject: [PATCH 4/4] Hiding private key and allowing hashing of known_hosts.
---
 roles/user_ansible/defaults/main.yml | 2 ++
 roles/user_ansible/tasks/main.yml | 2 ++
 roles/user_deploy/defaults/main.yml | 1 +
 roles/user_provision/defaults/main.yml | 1 +
 4 files changed, 6 insertions(+)
diff --git a/roles/user_ansible/defaults/main.yml b/roles/user_ansible/defaults/main.yml
index bf255e126..bcccd873c 100644
--- a/roles/user_ansible/defaults/main.yml
+++ b/roles/user_ansible/defaults/main.yml
@@ -19,3 +19,5 @@ user_ansible:
 ssh_private_keys: []
 # List of hostnames to add to known_hosts.
 known_hosts: []
+ # Whether or not to hash any provided hosts for known_hosts.
+ known_hosts_hash: true
diff --git a/roles/user_ansible/tasks/main.yml b/roles/user_ansible/tasks/main.yml
index 12b5b29c7..fdcb8a527 100644
--- a/roles/user_ansible/tasks/main.yml
+++ b/roles/user_ansible/tasks/main.yml
@@ -53,6 +53,7 @@
 group: "{{ user_ansible.username }}"
 mode: '0600'
 with_items: "{{ user_ansible.ssh_private_keys }}"
+ no_log: true
 loop_control:
 loop_var: key
 index_var: key_id
@@ -68,6 +69,7 @@
 - name: Add public keys to known_hosts.
 ansible.builtin.known_hosts:
+ hash_host: "{{ user_ansible.known_hosts_hash }}"
 path: "/home/{{ user_ansible.username }}/.ssh/known_hosts"
 name: "{{ host }}"
 key: "{{ lookup('pipe', 'ssh-keyscan -t rsa ' + host) }}"
diff --git a/roles/user_deploy/defaults/main.yml b/roles/user_deploy/defaults/main.yml
index 97dd3c2d9..5c02b9fed 100644
--- a/roles/user_deploy/defaults/main.yml
+++ b/roles/user_deploy/defaults/main.yml
@@ -17,3 +17,4 @@ user_deploy:
 # If you add more than one key here, make sure the original private key of your deploy server is the first.
 ssh_private_keys: []
 known_hosts: []
+ known_hosts_hash: true
diff --git a/roles/user_provision/defaults/main.yml b/roles/user_provision/defaults/main.yml
index 82e008317..3f53b4d71 100644
--- a/roles/user_provision/defaults/main.yml
+++ b/roles/user_provision/defaults/main.yml
@@ -15,3 +15,4 @@ user_provision:
 # If you add more than one key here, make sure the original private key of your infra controller server is the first.
 ssh_private_keys: []
 known_hosts: []
+ known_hosts_hash: true