Supporting private keys in user_ansible. #842

Merged
merged 4 commits into from
Oct 6, 2022
7 changes: 7 additions & 0 deletions roles/user_ansible/defaults/main.yml
Expand Up @@ -14,3 +14,10 @@ user_ansible:
groups: ""
# List of SSH pub keys to authorize. These must be provided as strings (content of the pub key).
ssh_keys: []
# List of SSH private keys to add to server. These must be provided as strings (content of the private key).
# Be sure to store securely using SOPS or similar.
ssh_private_keys: []
# List of hostnames to add to known_hosts.
known_hosts: []
# Whether or not to hash any provided hosts for known_hosts.
known_hosts_hash: true
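Review bot: the `ssh_private_keys` comment should tell users how the keys end up on disk, since the companion task in `roles/user_ansible/tasks/main.yml` writes index 0 to `~/.ssh/id_rsa` and later entries to `id_rsa_<n>` regardless of the key's actual type, and ssh only picks up the first name without extra `IdentityFile` configuration. Suggest extending the comment along the lines of `# The first key is written to ~/.ssh/id_rsa, further keys to id_rsa_1, id_rsa_2, ...; additional keys need an IdentityFile entry to be used.` It is also worth stating here that the copy task runs with `no_log: true`, so the key content does not appear in play output; the "store securely using SOPS or similar" advice is good but is the only hint the reader gets that this variable holds secrets.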
33 changes: 33 additions & 0 deletions roles/user_ansible/tasks/main.yml
Expand Up @@ -44,3 +44,36 @@
with_items: "{{ user_ansible.ssh_keys }}"
loop_control:
loop_var: key

- name: Copy SSH private key to target.
ansible.builtin.copy:
dest: "/home/{{ user_ansible.username }}/.ssh/{% if key_id == 0 %}id_rsa{% else %}id_rsa_{{ key_id }}{% endif %}"
content: "{{ key }}"
owner: "{{ user_ansible.username }}"
group: "{{ user_ansible.username }}"
mode: '0600'
with_items: "{{ user_ansible.ssh_private_keys }}"
no_log: true
loop_control:
loop_var: key
index_var: key_id

- name: Ensure known_hosts file exists.
ansible.builtin.file:
path: "/home/{{ user_ansible.username }}/.ssh/known_hosts"
state: touch
owner: "{{ user_ansible.username }}"
group: "{{ user_ansible.username }}"
mode: '0600'
when: user_ansible.known_hosts | length

- name: Add public keys to known_hosts.
ansible.builtin.known_hosts:
hash_host: "{{ user_ansible.known_hosts_hash }}"
path: "/home/{{ user_ansible.username }}/.ssh/known_hosts"
name: "{{ host }}"
key: "{{ lookup('pipe', 'ssh-keyscan -t rsa ' + host) }}"
state: present
with_items: "{{ user_ansible.known_hosts }}"
loop_control:
loop_var: host
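Review bot: the "Add public keys to known_hosts." task builds a shell command from user-controlled data: `lookup('pipe', 'ssh-keyscan -t rsa ' + host)` runs through a shell on the control node, so any `known_hosts` entry containing shell metacharacters is executed there rather than treated as a hostname. Pass the name as a separate argument instead of string concatenation (for example an `ansible.builtin.command` task with `argv: ['ssh-keyscan', '-t', 'rsa', host]` registered and fed to `known_hosts`), or at least validate each entry against a hostname pattern with `ansible.builtin.assert` before the loop. Two related points in the same task: `-t rsa` means a host that only offers ed25519 or ecdsa keys returns nothing and the task fails, and scanning at apply time is trust-on-first-use rather than verification, so consider accepting a pinned key string per host as an alternative to the scanned value. Finally, "Ensure known_hosts file exists." with `state: touch` reports changed on every run; adding `modification_time: preserve` and `access_time: preserve` keeps it idempotent.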
4 changes: 4 additions & 0 deletions roles/user_deploy/defaults/main.yml
Expand Up @@ -14,3 +14,7 @@ user_deploy:
# List of additional groups to add the user to.
groups: []
ssh_keys: []
# If you add more than one key here, make sure the original private key of your deploy server is the first.
ssh_private_keys: []
known_hosts: []
known_hosts_hash: true
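Review bot: the four variables added here carry none of the documentation that `roles/user_ansible/defaults/main.yml` gives them (key material as string content, keep it in SOPS or similar, what `known_hosts_hash` controls); copy those comments so users of `user_deploy` are not left to read another role's defaults. The ordering hint should also say why it matters: if these values are consumed by the same copy task as in `user_ansible`, index 0 is the entry written to `id_rsa`, the only file name ssh reads without extra configuration.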
4 changes: 4 additions & 0 deletions roles/user_provision/defaults/main.yml
Expand Up @@ -12,3 +12,7 @@ user_provision:
sudoer: true
groups: []
ssh_keys: []
# If you add more than one key here, make sure the original private key of your infra controller server is the first.
ssh_private_keys: []
known_hosts: []
known_hosts_hash: true
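Review bot: same gap as in `roles/user_deploy/defaults/main.yml`: `ssh_private_keys`, `known_hosts` and `known_hosts_hash` are undocumented here apart from the ordering hint, and that hint should explain that the first entry is the one that lands in `id_rsa` (assuming the same copy task as `user_ansible` consumes it). Mirroring the comments from `roles/user_ansible/defaults/main.yml` would keep the three roles consistent.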