Hi,
I am using the assemble module, like this:
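```yaml
# Concatenate every file in src (here: one public key per file) into a single
# authorized_keys file on the target host.
- name: ssh keys for root
  assemble: src=. dest=/root/.ssh/authorized_keys owner=root group=root
    mode=0600 remote_src=false
```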
This ensures a synced set of SSH keys from a dir in my playbook repo, where all
stale keys are being removed and all modifications are detected. This makes use
of the fact that SSH accepts multiple keys in a single file.
Best regards,
Daniel

On Fri, 11 Dec 2015 07:11:27 -0800 (PST) cmacrae wrote:
> Hi everyone.
>
> I've been mulling something over in my head, I've got something I want to
> tackle, but I'm not sure how to go about doing so.
>
> Here's the scenario: I want to put together a tiny role that manages user's
> authorized keys. Keys defined in the inventory
> (host_vars/group_vars/playbook vars, etc.) should be the only ones present
> in the user's authorized_keys file.
>
> I have some keys specified like so:
>
> root_ssh_public_keys:
>   member1:
>     pubkey: ssh-rsa
>       B3NzaC1yc2EBIwAAAQEAvVO3ULx8fNGgInHCFQV6w/gEARBWyS9eA1qRaTEu4njawEjiqSGFHgPuvmgtKlft2MqbnCG3cokFKRAEOZEzy+jUMES8IQEHuSsJuZFnlUC4yzm1mI1OjJk9PwTLDD6OGJDL1gIkz37CYITbsaufS6gFrpoMBZhkVcVKk0JBnmwF/QZUD1uHKFLMtyVwvw8pzWcBcAYBBw5O6hjo2pRIX100bCdMxDrXwFp4yFiJPG6LCya4701whZpqgwk3d/RakJdZLA3pgAlVPZswz8ezj2U5PIYJl+LrUaPE57ZR/eVwNnBE7QPsKCCurIy1bLR0KXiqOmUzdzWDphYCelRurQ==
>       member1
>   member2:
>     pubkey: ssh-rsa
>       B3NzaC1yc2EBIwAAAQEAtkScC/o1aDxaXFJdyTMhlF4UewNO/tdQf6EIYJzikSBNKECBjmvrM6bNaIkWA/AzB2dgTS0mug2aVomsBeyN8gAGfV/Wi3bO1kXuI23BmkPUn36OgE5ppQ0O2Gp8VjJaffV9EiYeEY/QlwnshAS9gfDPeTO+u5f0ZP0TZw29m+F3CKIJWPruDJJvXMkyc5qokh5kUpm0qYlhGyDi596st3Gsh/9LF/I2sEJH3LTP0gs0bWjbHN9XcIw8gbPT50zNZvqv9FGvgsMCErYC5lwPVN1670cpOpqLYV4PgU77t751CE9RsmASeB6Elwh0pAKlfxzITBx4W6aVxkl8Utlblw==
>       member2
>   member3:
>     pubkey: ssh-rsa
>       B3NzaC1yc2EBIwAAAQEA2nyE+baFvebdFqiuEEjGYtLHxgduypfBg1laG8DP9Re0ln0lIJRsTw2HoB1giKRpkLXUdYkS+QVkzP0oZCNRZWuEgIuJnL8vl6c0S53UaFTNbZliIuSQLSPsEbQfIu1lQ9voZG2pwJQTj4yICnr29dSPs6ef4n8pox7hhDZSf6LBrrWWc51WYrZwXCSeDstqq53goCKLeujSZ6Ww3T7Ac17OzyhIQCl0x1w8LlcMshaczPKbFLxgLltIF8OmX9PLHuX0enFOVGKyRW66MIIyHuK65gxY/+8mjrzTw9aWOiQVvYZsjuzqBIBQy4h85ex8wF0xztR50D2ylvrbXSNl2w==
>       member3
>
>
> Currently, I have this task that deploys them and ensures they're the only
> keys in the root user's authorized_keys list:
>
> - name: "Ensure team pubkeys are in root's authorized_keys"
>   authorized_key:
>     user: root
>     manage_dir: yes
>     exclusive: yes
>     key: |
>       {% for _, user in root_ssh_public_keys.items() %}
>       {% for _, key in user.items() %}
>       {{ key }}
>       {% endfor %}
>       {% endfor %}
>   tags: ssh_keys
>
> Now, what I want to be able to do is chuck this into a little role, and
> have it be usable for any user definitions.
> So, say I had a system with the user 'example' on, and I wanted to specify
> some keys I want that user to have in their authorized_keys list.
> I could go to that system's host_vars and add the following:
>
> example_ssh_public_keys:
>   someone:
>     pubkey: ssh-rsa
>       B3NzaC1yc2EBIwAAAQEAvVO3ULx8fNGgInHCFQV6w/gEARBWyS9eA1qRaTEu4njawEjiqSGFHgPuvmgtKlft2MqbnCG3cokFKRAEOZEzy+jUMES8IQEHuSsJuZFnlUC4yzm1mI1OjJk9PwTLDD6OGJDL1gIkz37CYITbsaufS6gFrpoMBZhkVcVKk0JBnmwF/QZUD1uHKFLMtyVwvw8pzWcBcAYBBw5O6hjo2pRIX100bCdMxDrXwFp4yFiJPG6LCya4701whZpqgwk3d/RakJdZLA3pgAlVPZswz8ezj2U5PIYJl+LrUaPE57ZR/eVwNnBE7QPsKCCurIy1bLR0KXiqOmUzdzWDphYCelRurQ==
>       someone
>   someone_else:
>     pubkey: ssh-rsa
>       B3NzaC1yc2EBIwAAAQEAtkScC/o1aDxaXFJdyTMhlF4UewNO/tdQf6EIYJzikSBNKECBjmvrM6bNaIkWA/AzB2dgTS0mug2aVomsBeyN8gAGfV/Wi3bO1kXuI23BmkPUn36OgE5ppQ0O2Gp8VjJaffV9EiYeEY/QlwnshAS9gfDPeTO+u5f0ZP0TZw29m+F3CKIJWPruDJJvXMkyc5qokh5kUpm0qYlhGyDi596st3Gsh/9LF/I2sEJH3LTP0gs0bWjbHN9XcIw8gbPT50zNZvqv9FGvgsMCErYC5lwPVN1670cpOpqLYV4PgU77t751CE9RsmASeB6Elwh0pAKlfxzITBx4W6aVxkl8Utlblw==
>       someone_else
>
>
> Notice the variable name is 'example_ssh_public_keys'.
> In my task above, I need a way of dynamically defining both the 'user'
> parameter value (shown above as 'root') and the dictionary I'm operating on
> (shown above as 'root_ssh_public_keys').
>
> My point being I need this to be re-usable for different users.
>
> Am I going about this in a really stupid manner? What would be the best way
> to approach this?
>
> Thanks in advance for any help!
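
One way to make the quoted `authorized_key` task reusable for any account, as an added example that is not part of either message in this thread. The variable name `ssh_authorized_keys`, the file locations in the comments and the key strings are assumptions and constructed placeholders.

```yaml
---
# group_vars/all.yml or host_vars/<host>.yml (assumed location).
# One dict keyed by account name; each value is the complete list of keys
# that account is allowed to have. Key strings are constructed placeholders.
# Note: with the default variable precedence, a host_vars definition of this
# dict replaces the group_vars one as a whole; the two are not merged.
ssh_authorized_keys:
  root:
    - "ssh-rsa <BASE64-KEY-PLACEHOLDER> member1"
    - "ssh-rsa <BASE64-KEY-PLACEHOLDER> member2"
  example:
    - "ssh-rsa <BASE64-KEY-PLACEHOLDER> someone"
    - "ssh-rsa <BASE64-KEY-PLACEHOLDER> someone_else"

---
# roles/<role>/tasks/main.yml (assumed location).
# The loop runs once per account, and every key for that account is passed
# in a single newline-separated string. 'exclusive' is evaluated per loop
# iteration, so looping over individual keys instead would leave only the
# last key in place; looping over accounts keeps the full set and removes
# anything not listed.
- name: "Ensure only inventory-defined pubkeys are in each user's authorized_keys"
  authorized_key:
    user: "{{ item.key }}"
    manage_dir: yes
    exclusive: yes
    key: "{{ item.value | join('\n') }}"
  with_dict: "{{ ssh_authorized_keys }}"
  # Skip accounts whose list is empty rather than passing an empty key string.
  when: item.value | length > 0
  tags: ssh_keys
```

Because of the `when` guard, an account listed with an empty key list is skipped and keeps whatever keys it already has; stale keys are only removed from accounts that list at least one key.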