Restructure public key install to use vars instead of fileglobs

2019-09-01 13:54:49 -04:00 · 2019-09-01 13:54:49 -04:00 · 6a881e918b
parent 193c059e2c
commit 6a881e918b
2 changed files with 23 additions and 1 deletions
--- a/playbooks/update-users-local.yml
+++ b/playbooks/update-users-local.yml
@ -122,9 +122,10 @@
            path: /home/{{ item.name }}/.ssh
          loop: "{{ local_users | difference([None]) }}"
        - name: Put keys on remote
+          when: item.keys != []
          authorized_key:
            user: "{{ item.name }}"
-            key: "{{ lookup('pipe','cat keys/' + item.name + '/*') if item.name != 'root' else '' }}"
+            key: "{{ item.sshkeys | join('\n') }}"
            state: present
            exclusive: yes
          loop: "{{ local_users | difference([None]) }}"
@ -141,6 +142,8 @@

 - hosts: all
  name: Disable SSH password authentication
+  tags:
+    - always
  tasks:
    - import_tasks: tasks/sshd/disable-password-auth.yml
      when: enable_ssh_password_auth|bool == false
--- a/vars/users.yml
+++ b/vars/users.yml
@ -14,6 +14,7 @@ users:
      - vms
      - workstations
    admin: True
+    sshkeys: []

 # Automation users

@ -32,6 +33,10 @@ users:
      - nextcloud
    admin: True
    svc: True
+    sshkeys:
+      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGg4xAXrwMdS8AjUuke5ZpyHAFvdmlFEqWLmIDWGLPmP enpaul@inerro.tre2.local
+      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDN/E/zjwCruZf+mboBeBAtNFBInWMvdm6TjwpIg6jVoGgRmYQxEfIcqDSfBTQQ0gbyE3udTdTUDRLRu7ADktzL9J0IepEaYARfz8SANS/Hx2MR0NNy8DArrSFJCOillDA7E7UmNPIPeQl0O76p2ZjEDy6qZnTiW8eOtD7LCzJp4eGJanUPFhag8f4aSNbmiHGR25Zuk82w2/+KrqiI3gO0+jNlnPBf+XHNnFbtUIroupRfxgLdk1OahmkWHTSHkDtXiYrWIISarrHCgVqHTHo1KIX5+MPOH4S5VLB1kaY/O7+g/XlFrAciw8m0zjyBq0ILb+YTSrL9PYnSBtnHAVGJv2bB+TgCfF/nhQGqoqBqqQHFnX0y3JygmDTJMO+aE5wlvI5Laki7EHYPU4fL+Ge76l/dG9j2anw4/iHklbfk1UOxnLvJl593GAlILg1Kd8xx9VfYzVZ7GZym2zq3NI4uQ77T1H4iGoE67zarkn3peKacjX/KARq4weVvs3irHIHibnIuh/TGcS4eiQoNdPxsSA2wRKB6jeuXiV65F1rUDNGs80wcJmsAbZN8/u9Tt0o/Xc+L/LVhV0yrSeBUxzXtlaS+RfcteBXByO3xfC112Cj5grKVki5xWN9AY42Y6JhT3OyiO33dKUMEF/KfiEWWAfvQr/t1CI/rdcEbv3pyUw== epaul@ansible-vigil-nox
+      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDIbXaUzVqDDKDSC1iO/nOmxIcJoOoMvXE+CJRobEdpkkYSBmlPfburJvGMDMQ3O/88OfgBrG5S7HKlbgVPGEII0Vpsk5iwzOk5Tmo03nLz02Ilx1xXYxTrjUSwnexzbHpluHmqunKEIUVTMHpDz2m4UPgZ4ECsGp9/6n6+n//uLeJ4fQUO9x4L+VMbpDrtfpKN7/P6U30XBIb9bZuKznVPtqTmCy/BFkxTkIn9QKqDh5d49FY/xkOjy1K9zTWb78DFzBRf4sGEykrp19N6inL0eRstGSZAKhqL+qdRXOy/7n6l0u+CdXWl9ZFVXRFhVdAhYOgkEvtuqoasK1Fk3OMqP6SflFanuDiFBostfgfrf8SUV+7CFvOuSpEWgTqx/jPFZV4Vr6wx5ZFVs02OzZ6TJFaEHaLvOE/R3iLOiuFcvqVNpvstLiyiigsj1+DwhDJcwOr3DaEsNdUbv0BTI2P03wtHJtBQw5CaVr5zCBDEeUsL0bBVQdq+6d0NT+CPJNxSZlTmmrBBbgkpupxdnmX6VVBYfXnylsE8UZxY1d7yxba3+Wzp2yvlr2MVocwQmMTPEqimIsW0hsQ8iXi1nrDXecSojlDAeu+LBFuaCxO8H59GrrVWVTI2dAPLEcP+stNGLHqKZuh62t5TnmxuMMi0SY6jH7KiKmusD4fYafzrlQ== enpaul@vigil-nox

 # Service accounts

@ -42,6 +47,7 @@ users:
      - gitea
    admin: False
    svc: True
+    sshkeys: []

  - name: svc_plex
    password: "$6$dDEwXYf6DYbVZCw4$KZWDDZV1bO7KwGdWkbsck/A.fAqxOyExy4MI8QHtnOyjumgImidTck71V3cs8rZ6nASsspqmIqy4YlWH9o1la."
@ -50,6 +56,7 @@ users:
      - plex
    admin: False
    svc: True
+    sshkeys: []

  - name: svc_bitwarden
    password: "$6$oWPdq2hmQV03IBuF$SgpAzN1XVIefwYZtvA2gVaHD3DcclyGugEbZLXGn./1KZocew96KQC6PJZhVOKX9PYlzfWntmEy0Y/VCKHWBj1"
@ -58,6 +65,7 @@ users:
      - bitwarden
    admin: False
    svc: True
+    sshkeys: []

 # Actual user accounts

@ -76,6 +84,12 @@ users:
      - vpn
      - nextcloud
    admin: True
+    sshkeys:
+      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPpDBJ9yNAtZVc+Eoqj+Xc6oqb+hJedIUj38icSkSPj enpaul@inerro
+      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDi9rWRC15og/+3Jc3AMHOrlIc2BHaAX9PLbklz3qfFtSOp9bIScMcH5ZR6lyVSgP8RCEjI5HuZejDUJTXUQYfvEJeno//vmxn9Vw66lpMz/FSJ3JcDbjDVI1pe3A8mTOAS+AoVOEzCUOJVZJvdI272Hgf+QRBu+ONQ12u+2XYdVfLFDe7mAG+vEJRBatwb8B7Al+/LUpIrCuPm9PzMBtCMFjWGaqQgnyJYRSPIGxz9231XIjwhHLOQG1R0jLGuS37X+J49Y5JYDaHf9q9KH76GjdO2rOq6aGvwN93Y4Z+D2hMOklhD0Ez/ZE+I3ZUPV0e5pF28gsA6L7gTeqmSGpQaKdwjCUoU12VM70OVxng5p2+7DIc0k2np7rnvd4zybgn9OMM+TIO5M3c6ocDuNsEmRgfS3V99X5oh9qNy35UdBXV08j0wFoUo1KcyGwyNBYzKzvkkvtgJezVKmqSPKeBjMgMX4UsJsMn27Zosk0ZgoUwLFPO9Pg7uShncwgsTnvYDR1ws53PV832gc7A85ud/dC9Fjn6jBsMQaCFbiZktc5J8mv3cugQHQesbq8Y2aNVRu+ECb+KUvAEdPacWdBOkk0IvZ4PvLrAs2xehF6FYVqKVtPlJMaUAAwj9vVx7Nl2HnsSRIrCgxsMOTOhbbp/3NrvM8r6K7zKBzXg2TNgQeQ== enpaul@ph-1
+      - ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAuQfx5b+YMpkJgz/AarDanNhs1h0O31p5xQ4jqJ2mVFOgTQ+qwqpqWrMLqoHNnxQGgCRxGVyDEt7eB2ImzvmdM+aw/9+GzgQREaJQIHEFWya7Hq43d0YTJlxkUJwew3mc1sYla2dIdK8QV8WbRNDwjPidm+tJoUZqM35a48OqKwJy6fpJSNwUUiUVpdYD0yZJZ1nKtucUVgU4APWGu0feGKYYbW6GBNrIxs8BtGy65hbcPh49FLoFfBxoMPRw9VDK6b99bhZ1R5lsURBsZ6Gtv6vGfo6Av/XJRxcXY+qPmHYbl16W8YLdqvNFP1sHzmzcozzpYADN3LlwcuDM19u1TA156V6S8twfISE9kj5x5eYHJs/xJsMuLZAfxuTxTOIMIJz/XpKnERuZqrhCiUxKqqkI5XoIh0HVa9d7UsG2tqLRHWxhNr6JKYryPqqIGyQk7xOrw/N3djrNop4ELQ1ihCKEljPuo1vYdLouwRobZ5BQpe9jte26ldyAaDs+KAnqomPxCpxUIvLbLF/FUyHkso3/V+nNdDzpPpfyjnJZjS9KEFP+fMZ2IJi+a7o0CC7+HfD/aMA+Dnv7VJ+1GhfrNKpStl3BBLf7q6xH3JUD27HvzsZtnMmb1lKDC036LbqDF4zju03z6lhq1EyVq79oU+uwevW+WOpcQkC6wa+6ps0= enpaul@serico-lux
+      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8K74AXz6LBYfoXRbY1pKP+1rvi5BpjFOkg1uYuMM+q78toagSREpLrbjvPtoL8fkEFox4T9TUaME08ZP8560R6iRk35extTTiXquflEwvpsF+e9Lv8E712s/1ydJpkYoux1OohE4W5D9DjVMEW1tjXeb+9aDUcVml6YKMpKLpjEIVanyjHMN13XgswKZGoK3mVMnWxE36fbGVVfiFCvMr/BpjqGShRCxmvldzgq76i1BpTKi6omOjvpgRQcUJcDhYcHAUVSlNccgGLmlAPiUillA//pk84yczzH1dQBB6571Ab5ldoUDBU/hJ0W27aeOfrepup4hNuUt2oux+zAn+uetAuAWKU2Kd0Oo6L5IKObbAQLI0CXfyrmHlrYXwTyNMFleeOdw7s9lf2ra3YCYVXfMALdE6pp+HJLBxzg9kMBbTp6zkV7ZKi75AQhyBJA0s4+vRUccBtJit3Tls+aw/3rd9Dt9lLaXkE80khoKsUI0eiuXtPDlurGxkpcTe6Al/lChNA19pdKEUsBmhD6UUvMTYWlApmta/+xf0wDsSyHqJcnIGx8Qdtg3c4j1Ch+WXwbdOwk8XJrL0atWmv2ium1ll/arO2NFBmbwG1LG/lzJ1k/DoAiHrKrb1HdlwDk0O/7xF/zyC2mfVZKO36+g4XlA7wDJc0tB5vIymlEy2rw== enpaul@serico-nox
+      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDHUXG01NQ7IahqBwLx+lqvbnhU5Cynt+Y4xCk2u5pwjU2KwKyRfqc5LUROU4mcFLuA1mP9uoMaYmiJ/rIWvM/A9OVplilCoSKXxWJW09fR/rOPmCn7pOR+CpFXBNOiRR0WoiDeu1D0tifbSuK/qOxKy6Lp9MH20Ma46d89xA57L9LX+B5CrwF9fR2FXIQGojCiFFyByaUgmzuDMi5mCafm3XlqaR1/wcqoA1YwqFFiGR3gVylSbOmB/Q4GnnyLpBbcYAc5AQnbnD4LlM5biEsLNy7vtQj9s0SeloUkzsJ112dNozdwTI/tOWbINVM+o3AH4B2baTQayWK/UrG9sivjHgEz5Jk5A4xAbUWC1MrH7WHo7vevHu4AT+DiPLkmHli9Ztu0DqJuenheJDyRLfWwDPvIpoY9/AsbVZ/UXqRVbfIB4jV00IHneEg4zj0AdWbSHDz55BZ23JItpuU4i37cO9Cbo2tQYqZjgM5VAlZXwhNPUF7pxWJJxGFqiB5MTQM0LZcrmXpToxBPa0BSDmIcjvLP6NQWk1u+Fdjunyx/q9Gmlc3vFtFEz7swWCuKp4DavyUXFeWwSKt4dDRZyPPdSYrKxDPCncSaKeCv+G5sx4RyQLJjpx14tisnnZP0O5b5S6j3PfGzjgnNBhzl/xIzM5moUqPF7R2laOKh9CBdoQ== enpaul@vigil-nox

  - name: kaisersjr
    fullname: Sultan Jilani
@ -87,6 +101,7 @@ users:
      - vpn
      - nextcloud
    admin: False
+    sshkeys: []

  - name: notsoninja
    fullname: Johnathan W. Adams
@ -97,6 +112,7 @@ users:
      - vpn
      - nextcloud
    admin: False
+    sshkeys: []

  - name: avalonburned
    fullname: Christine K. Deidrich
@ -107,6 +123,8 @@ users:
      - vpn
      - nextcloud
    admin: False
+    sshkeys:
+      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCrI/Il2kM9Ndvx2lVn9JbsBo0MHhzqcXlFSwISCCay+NeesHprpFiJ7AzozZp6AMCU4iaFYgOBMuCJkmCYu58G2qUiNrcoWQW+UuHonje3kcba4qZ3zXz9LWch1L7r1qUOIz7VIWggYhkA1uI5fnXaCGP42pueh4e5gkzJLOVi5HHLHRyQ1FggWUJIUcXLIosuAbJbD+VlsnPiLpYcZQVEs7XOi8I98SGMJV+7+Lhx1WZMWZvjttdOmb7bO/4YpCE4/toJ3SEYuFPZfjGMnuNBH1IV6B0K1SLeI+4+ps2/rPYkYR7wc67lYYg4LJ1SoBnpQqHdV22mWcWepKmBJOCUSElvHE268UnnaAhSi4qnIzFN/LkYiocHJ9B960z6qtJL7aYEt6HbT8f621hMk4FQNbLSSh+Rd7D+n64af+xjpvdSTL0+nPCY/6ExfKfSShJE3Jeo4jhH5BZxHAPu8VlqteJOb4bbG7DUaOFD8ph+Qoe0rFTanQLOAl/7xsjXUCcmPj08/AX17U6u/EQd9qY/csy8e3jTmSFrc2fR4GpJLzfchmUmD4TgPyBTaKCHSCBk5kZwx6rA/9no+ST4QBIQUJglwDMZ3vE+AsC3AY2e62Ds3PFHgSPRuubCnxn9uFFTUW7L6K6xGofn8vHIebtRH9hXpAEM+XZBFOIt7VWg+w== ducky@Icefire

  - name: sglagovitch
    fullname: Sophia Glagovitch
@ -117,3 +135,4 @@ users:
      - vpn
      - nextcloud
    admin: False
+    sshkeys: []