feat: allow multiple authorized keys

Xenion1987 · Nov 12, 2024 · deb26b0 · deb26b0
1 parent a2aa3b1
commit deb26b0
Show file tree

Hide file tree

Showing 8 changed files with 108 additions and 85 deletions.
diff --git a/README.md b/README.md
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -18,7 +18,8 @@ user_management_users:
     home_move: false
     primary_group: null
     secondary_groups: []
-    ssh_public_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDW6k6qtP1YfJ7eOSN1zDf8C6lTJuV+ethOvEJwTKJrGoQrKKukVfedjUL+e7XMszVT57iiV8rC+syZsJ6wkwJR2ahOUlU9hACbRc+X5mmVROLKlO+NaxrbMzsTJXeCJK6Oo+05f2kSPqGfjV3CZSq4Xv5mUMhaDkGUg/rqG5BIdqFDwirqxbUbPOIYeosLT1tbgxHvOTwsUqulEZS5h8mOt1Hahi1ZrfUOyharJvpc5rzYk/hq1zwTXTNtArOLCaSbvY+o61BAsnQBzg6Z+Elyrox53kWW8c0MuG0iPfehqW20eE9xZVBQfwutLmMHMNeUD2UwLDfxnoVXIlgn5T4Z4F2uMyKWKl9IsoIuguizX98SuASEXg4wsAEf2MSCxwk7AGO3yCgqRsnm7sIEEdvxUIewcuZn1ZtN0c3UjcsqRnoXgBOXpynsRStdZTPTM+o1LGma+Wp8FkMH1ZnuQ+BrCQ1ENKcS4oeTcG91Ud9Yiu/qfWVU64RrYpz0JvHWoApdzM73Xro2Sz9BuQH5uSCIya8PNEqGdH1GRDxbDkv41+scWwq/5i5CSlWmNogU377tPld9hqJJA//eniErgKO/QSJKmaDDzFe+eQh6F2Kn/NUVKqbPHbDlkYAZGT37L5iCOG1By55wwnemz40GS2Wo+a4nViDJGhuFty+4yR8fWQ== ansible-playground_20231122_194549
+    ssh_public_keys:
+      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDW6k6qtP1YfJ7eOSN1zDf8C6lTJuV+ethOvEJwTKJrGoQrKKukVfedjUL+e7XMszVT57iiV8rC+syZsJ6wkwJR2ahOUlU9hACbRc+X5mmVROLKlO+NaxrbMzsTJXeCJK6Oo+05f2kSPqGfjV3CZSq4Xv5mUMhaDkGUg/rqG5BIdqFDwirqxbUbPOIYeosLT1tbgxHvOTwsUqulEZS5h8mOt1Hahi1ZrfUOyharJvpc5rzYk/hq1zwTXTNtArOLCaSbvY+o61BAsnQBzg6Z+Elyrox53kWW8c0MuG0iPfehqW20eE9xZVBQfwutLmMHMNeUD2UwLDfxnoVXIlgn5T4Z4F2uMyKWKl9IsoIuguizX98SuASEXg4wsAEf2MSCxwk7AGO3yCgqRsnm7sIEEdvxUIewcuZn1ZtN0c3UjcsqRnoXgBOXpynsRStdZTPTM+o1LGma+Wp8FkMH1ZnuQ+BrCQ1ENKcS4oeTcG91Ud9Yiu/qfWVU64RrYpz0JvHWoApdzM73Xro2Sz9BuQH5uSCIya8PNEqGdH1GRDxbDkv41+scWwq/5i5CSlWmNogU377tPld9hqJJA//eniErgKO/QSJKmaDDzFe+eQh6F2Kn/NUVKqbPHbDlkYAZGT37L5iCOG1By55wwnemz40GS2Wo+a4nViDJGhuFty+4yR8fWQ== ansible-playground_20231122_194549
     state: absent
     userdel_force: false
     userdel_remove: false

diff --git a/meta/argument_specs.yml b/meta/argument_specs.yml
@@ -31,7 +31,7 @@ argument_specs:
         default: ["*"]
         description:
           - Default, global `from=""` value added to `authorized_keys` for each
-          - user having `user_management_users.ssh_public_key` defined
+          - user having `user_management_users.ssh_public_keys` defined
         # elements: str
         required: false
         type: list
@@ -173,7 +173,7 @@ argument_specs:
             default: []
             description:
               - '`from=""` value added to `authorized_keys` if user'
-              - has `user_management_users.ssh_public_key` defined.
+              - has `user_management_users.ssh_public_keys` defined.
               - If `user_management_default_ssh_from` or `custom_ssh_from` is
               - defined and not set to `'*'`, all values will be concatenated.
             # elements: str
@@ -240,11 +240,12 @@ argument_specs:
               - Overwrites 'user_management_default_shell'
             required: false
             type: str
-          ssh_public_key:
+          ssh_public_keys:
+            default: []
             description:
-              - The SSH public key(s), as a string or (since Ansible 1.9) url
+              - The SSH public key(s), as a list or (since Ansible 1.9) url
             required: false
-            type: str
+            type: list
           state:
             choices:
               - "absent"
@@ -292,7 +293,7 @@ argument_specs:
             default: []
             description:
               - '`from=""` value added to `authorized_keys` if user'
-              - has `user_management_users.ssh_public_key` defined.
+              - has `user_management_users.ssh_public_keys` defined.
               - If `user_management_default_ssh_from` or `custom_ssh_from` is
               - defined and not set to `'*'`, all values will be concatenated.
             # elements: str
@@ -304,11 +305,11 @@ argument_specs:
               - User's Linux login name
             required: true
             type: str
-          ssh_public_key:
+          ssh_public_keys:
             description:
-              - The SSH public key(s), as a string or (since Ansible 1.9) url
+              - A list of the SSH public key(s), as a string or (since Ansible 1.9) url
             required: false
-            type: str
+            type: list
           state:
             choices:
               - "absent"

diff --git a/meta/main.yml b/meta/main.yml
@@ -1,6 +1,5 @@
 ---
 collections:
-  - ansible.posix
   - community.general
 
 dependencies: []

diff --git a/requirements.yml b/requirements.yml
@@ -1,4 +1,3 @@
 ---
 collections:
-  - ansible.posix
   - community.general
diff --git a/tasks/manage_authorized_keys.yml b/tasks/manage_authorized_keys.yml
@@ -1,17 +1,19 @@
 ---
-- name: Manage authorized key for {{ item.name }}
+- name: Ensure {{ item.name }}'s '.ssh' directory exists
+  ansible.builtin.file:
+    state: directory
+    path: "{{ item.absolute_home_path }}/.ssh"
+    mode: "0700"
+    owner: "{{ item.name }}"
+    group: "{{ item.primary_group if item.primary_group is defined and item.primary_group else item.name }}"
+
+- name: Manage authorized key(s) for {{ item.name }}
   when:
     - item.state == "present"
-    - item.ssh_public_key is defined
-  ansible.posix.authorized_key:
-    exclusive: true
-    key: "{{ item.ssh_public_key | default('') }}"
-    key_options: |-
-      {%- set from_options_global = user_management_default_ssh_from -%}
-      {%- set from_options_custom_host = host_vars_ssh_from | default([]) -%}
-      {%- set from_options_custom_item = item.custom_ssh_from | default([]) -%}
-      {%- set from_options_custom = from_options_custom_host + from_options_custom_item | default([]) -%}
-      {%- set from_options = from_options_global + from_options_custom | default([]) -%}
-      from="{% if from_options %}{{ from_options | join(',') }}{% else %}*{% endif %}"
-    state: present
-    user: "{{ item.name }}"
+    - item.ssh_public_keys is defined
+  ansible.builtin.template:
+    src: authorized_keys.j2
+    dest: "{{ item.absolute_home_path }}/.ssh/authorized_keys"
+    mode: "0600"
+    owner: "{{ item.name }}"
+    group: "{{ item.primary_group if item.primary_group is defined and item.primary_group else item.name }}"
diff --git a/templates/authorized_keys.j2 b/templates/authorized_keys.j2
@@ -0,0 +1,10 @@
+{%- for ssh_key in item.ssh_public_keys -%}
+{%- set from_options_global = user_management_default_ssh_from -%}
+{%- set from_options_custom_host = host_vars_ssh_from | default([]) -%}
+{%- set from_options_custom_item = item.custom_ssh_from | default([]) -%}
+{%- set from_options_custom = from_options_custom_host + from_options_custom_item | default([]) -%}
+{%- set from_options = from_options_global + from_options_custom | default([]) -%}
+{%- if ssh_key is defined -%}
+from="{% if from_options %}{{ from_options | join(',') }}{% else %}*{% endif %}" {{ ssh_key }}
+{% endif %}
+{% endfor %}
diff --git a/tests/test.yml b/tests/test.yml
@@ -7,7 +7,8 @@
     user_management_users:
       - name: john.doe
         state: present
-        ssh_public_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDW6k6qtP1YfJ7eOSN1zDf8C6lTJuV+ethOvEJwTKJrGoQrKKukVfedjUL+e7XMszVT57iiV8rC+syZsJ6wkwJR2ahOUlU9hACbRc+X5mmVROLKlO+NaxrbMzsTJXeCJK6Oo+05f2kSPqGfjV3CZSq4Xv5mUMhaDkGUg/rqG5BIdqFDwirqxbUbPOIYeosLT1tbgxHvOTwsUqulEZS5h8mOt1Hahi1ZrfUOyharJvpc5rzYk/hq1zwTXTNtArOLCaSbvY+o61BAsnQBzg6Z+Elyrox53kWW8c0MuG0iPfehqW20eE9xZVBQfwutLmMHMNeUD2UwLDfxnoVXIlgn5T4Z4F2uMyKWKl9IsoIuguizX98SuASEXg4wsAEf2MSCxwk7AGO3yCgqRsnm7sIEEdvxUIewcuZn1ZtN0c3UjcsqRnoXgBOXpynsRStdZTPTM+o1LGma+Wp8FkMH1ZnuQ+BrCQ1ENKcS4oeTcG91Ud9Yiu/qfWVU64RrYpz0JvHWoApdzM73Xro2Sz9BuQH5uSCIya8PNEqGdH1GRDxbDkv41+scWwq/5i5CSlWmNogU377tPld9hqJJA//eniErgKO/QSJKmaDDzFe+eQh6F2Kn/NUVKqbPHbDlkYAZGT37L5iCOG1By55wwnemz40GS2Wo+a4nViDJGhuFty+4yR8fWQ== ansible-playground_20231122_194549
+        ssh_public_keys:
+          - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDW6k6qtP1YfJ7eOSN1zDf8C6lTJuV+ethOvEJwTKJrGoQrKKukVfedjUL+e7XMszVT57iiV8rC+syZsJ6wkwJR2ahOUlU9hACbRc+X5mmVROLKlO+NaxrbMzsTJXeCJK6Oo+05f2kSPqGfjV3CZSq4Xv5mUMhaDkGUg/rqG5BIdqFDwirqxbUbPOIYeosLT1tbgxHvOTwsUqulEZS5h8mOt1Hahi1ZrfUOyharJvpc5rzYk/hq1zwTXTNtArOLCaSbvY+o61BAsnQBzg6Z+Elyrox53kWW8c0MuG0iPfehqW20eE9xZVBQfwutLmMHMNeUD2UwLDfxnoVXIlgn5T4Z4F2uMyKWKl9IsoIuguizX98SuASEXg4wsAEf2MSCxwk7AGO3yCgqRsnm7sIEEdvxUIewcuZn1ZtN0c3UjcsqRnoXgBOXpynsRStdZTPTM+o1LGma+Wp8FkMH1ZnuQ+BrCQ1ENKcS4oeTcG91Ud9Yiu/qfWVU64RrYpz0JvHWoApdzM73Xro2Sz9BuQH5uSCIya8PNEqGdH1GRDxbDkv41+scWwq/5i5CSlWmNogU377tPld9hqJJA//eniErgKO/QSJKmaDDzFe+eQh6F2Kn/NUVKqbPHbDlkYAZGT37L5iCOG1By55wwnemz40GS2Wo+a4nViDJGhuFty+4yR8fWQ== ansible-playground_20231122_194549
     user_management_manage_sudoers_users: true
     user_management_sudoers_users:
       - name: 30-john.doe