This is less error-prone than cramming the SSH keys into the preseed.
Also, support setting VM-specific SSH keys.
src: "preseed_{{ vmdistro }}-{{ vmdistcodename }}.cfg.j2"
dest: "{{ tmpdir }}/preseed.cfg"
+ - name: generate authorized_keys file
+ authorized_key:
+ user: root
+ path: "{{ tmpdir }}/authorized_keys"
+ key: "{{ hostvars[vmname].ssh_keys | default(noc_ssh_keys) | join('\n') }}"
+
- name: Inject files into initramfs
shell: cpio -H newc -o | gzip -9 >> {{ initramfs }}
args:
chdir: "{{ tmpdir }}"
stdin: |
preseed.cfg
+ authorized_keys
always:
- name: Delete temporary directory
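Review bot: The new `authorized_key` task points `path` at a file under `{{ tmpdir }}` but leaves `manage_dir` at its default, so the module also manages the parent directory, which here is the staging directory itself, and resets its owner and mode to root and 0700. The module documentation recommends `manage_dir: false` whenever `path` is outside the user's own `.ssh` directory, and adding that line limits the task to writing the key file. Separately, `default(noc_ssh_keys)` only applies when `ssh_keys` is undefined, so a host with `ssh_keys: []` would render an empty key while the preseed locks the root password. `default(noc_ssh_keys, true)` also covers the empty case. The enclosing block starts outside the hunk, so the privilege context of these tasks is not visible here.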
d-i preseed/late_command string \
lvremove -f {{ vmname }}/dummy; \
in-target bash -c "apt-get update -q && apt-get full-upgrade -y -q"; \
- in-target bash -c "passwd -d root; passwd -l root; umask 077; mkdir -p /root/.ssh/; echo -e '{{ noc_ssh_keys | join('\\n') }}' > /root/.ssh/authorized_keys"; \
+ in-target bash -c "passwd -d root && passwd -l root"; \
+ mkdir -p -m 0700 /target/root/.ssh; \
+ cp /authorized_keys /target/root/.ssh/; \
in-target bash -c "sed -e 's/^\(\s*#*\s*Port.*\)/Port 22000/' -i /etc/ssh/sshd_config"
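Review bot: The added `mkdir` and `cp` steps are joined with `;`, so a failed copy (for example if `authorized_keys` never reached the initramfs) does not change the exit status of `late_command`, which is that of the final `sed`. Root's password has already been deleted and locked by then, so the installed VM would have no working login and nothing would report it. Chaining the key steps with `&&` lets the failure surface, and an explicit mode replaces what the removed line got from `umask 077`: `mkdir -p -m 0700 /target/root/.ssh && cp /authorized_keys /target/root/.ssh/ && chmod 0600 /target/root/.ssh/authorized_keys && \`. Also, `passwd -d root && passwd -l root` now skips the lock if the delete fails, where the old `;` form still ran it. Whether that leaves a usable password depends on preseed lines outside the hunk.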