If you specify user SSH keys as a list of keys, you can user them like this
using with_subelements:
- name: User SSH keys
authorized_key: user="{{ item.0.username }}" key="{{ item.1 }}"
when: item.0.username in users_add
with_subelements:
- users
- ssh_key
This works for me without a problem. Just modify the when: condition to be
like your one.
On Saturday, May 10, 2014 3:46:48 PM UTC+2, Ernest0x wrote:
>
> On 05/07/2014 09:32 PM, Bruce Pennypacker wrote:
>
> Ah, thanks! All the documentation for the authorized_key module implies
> that it works on just one key at a time, not a file/string that contains
> multiple keys. That documentation should really be updated...
>
> -Bruce
>
> On Wednesday, May 7, 2014 2:13:42 PM UTC-4, Matt Martz wrote:
>>
>> I'd recommend storing you keys in files, and using lookup('file', ...)
>>
>> The. You can store multiple keys in a single file.
>>
>> Additionally you could just store multiple keys as a string with new
>> lines in your current data structure and not try using a list.
>>
>> On Wednesday, May 7, 2014, Bruce Pennypacker <bruce.pe...@gmail.com>
>> wrote:
>>
>>> We have a role that defines user accounts as follows:
>>>
>>> users:
>>> - username: user1
>>> comment: User 1
>>> uid: 3001
>>> ssh_key: "xxx"
>>>
>>> - username: user2
>>> comment: User 2
>>> uid: 3002
>>> ssh_key: "yyy"
>>>
>>> Users are then grouped by name into other lists:
>>>
>>> regular_users:
>>> - user1
>>> - user2
>>> ...
>>>
>>> ops_users:
>>> - user3
>>> - user4
>>> ...
>>>
>>> Our hosts then have a fact called user_roles that's a list of each
>>> group of users and individual usernames to create accounts for. We then
>>> have tasks defined like this:
>>>
>>> - name: add users
>>> user: name={{ item.username }}
>>> comment="{{ item.comment }}"
>>> uid={{ item.uid }}
>>> when: item.username in lookup('flattened',user_roles)
>>> with_items: users
>>>
>>> - name: add SSH keys
>>> authorized_key: user={{ item.username }}
>>> key="{{ item.ssh_key }}"
>>> when: item.username in lookup('flattened',user_roles) and item.ssh_key
>>> is defined
>>> with_items: users
>>>
>>> All of this is working great. We're managing about 50 different user
>>> accounts over 80 servers in varying groups without any difficulty. But now
>>> I'd like to be able to extend this to support multiple SSH keys for each
>>> user. So I'd like to be able to define a user along these lines:
>>>
>>> - username: userFoo
>>> comment: User Foo
>>> uid: 4321
>>> ssh_keys: [ 'xxx', 'yyy', 'zzz']
>>>
>>> But if I do this then I'm at a complete loss of how to rewrite the
>>> authorized_key task to handle it properly. At first glance I would expect
>>> that I'd need to use with_nested but I'm not entirely sure how to go about
>>> doing it. I tried variations of this, but haven't gotten anything to work:
>>>
>>> - name: add multiple SSH keys
>>> authorized_key: user={{ item[0].username }}
>>> key="{{ item.[1] }}"
>>> when: item[0].username in lookup('flattened',user_roles) and
>>> item[0].ssh_keys is defined
>>> with_nested:
>>> - users
>>> - item[0].ssh_keys
>>>
>>> Is there a better way of managing a dynamic list of ssh keys? Or am I
>>> just trying something that's too complex for Ansible to handle cleanly?
>>>
>>> -Bruce
>>>
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Ansible Project" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to ansible-project+unsubscr...@googlegroups.com.
>>> To post to this group, send email to ansible-project@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/ansible-project/ed9760ef-ae4d-4403-b145-2e8d0ec84d34%40googlegroups.com<https://groups.google.com/d/msgid/ansible-project/ed9760ef-ae4d-4403-b145-2e8d0ec84d34%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>
>> --
>> Matt Martz
>> ma...@sivel.net
>> http://sivel.net/
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-proje...@googlegroups.com <javascript:>.
> To post to this group, send email to ansible...@googlegroups.com<javascript:>
> .
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/567aee32-6cf7-4ef2-8caf-f398087f4940%40googlegroups.com<https://groups.google.com/d/msgid/ansible-project/567aee32-6cf7-4ef2-8caf-f398087f4940%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>
>
> You can store multiple keys in a single file, but that means that you
> would have to manually create a separate file for each key combination you
> want to deploy.
> Instead, take a look at my pull request for with_nested (
> https://github.com/ansible/ansible/pull/7278) and the example I have
> given in my previous post at the "Nested looping with hash/dict so I can
> override values" thread. It would allow you to do what you want more
> cleanly.
>
>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/f25c26ab-e647-4d76-914f-eb11d0c47105%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
