add filter plugin to generate ssh key list
authorChristian Pointner <equinox@realraum.at>
Fri, 30 Nov 2018 20:01:19 +0000 (21:01 +0100)
committerChristian Pointner <equinox@realraum.at>
Fri, 30 Nov 2018 20:02:14 +0000 (21:02 +0100)
ansible/ansible.cfg
ansible/filter_plugins/users.py [new file with mode: 0644]
ansible/group_vars/accesspoints/main.yml
ansible/group_vars/all/main.yml
ansible/host_vars/torwaechter/main.yml
ansible/roles/base/tasks/main.yml
ansible/roles/preseed/tasks/main.yml
ansible/roles/vm/install/tasks/main.yml

index 4c457eb..ed90222 100644 (file)
@@ -14,6 +14,8 @@ var_compression_level = 9
 
 timeout=30
 
+filter_plugins = ./filter_plugins
+
 [ssh_connection]
 pipelining = True
 ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
diff --git a/ansible/filter_plugins/users.py b/ansible/filter_plugins/users.py
new file mode 100644 (file)
index 0000000..9212ce1
--- /dev/null
@@ -0,0 +1,30 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+from ansible import errors
+
+
+def user_ssh_keys(data, db):
+    try:
+        ssh_keys = []
+        for user in data:
+            try:
+                for key in db[user]['ssh']:
+                    ssh_keys.append(key)
+            except KeyError:
+                pass
+
+        return ssh_keys
+    except Exception as e:
+        raise errors.AnsibleFilterError("user_ssh_keys(): %s" % str(e))
+
+
+class FilterModule(object):
+
+    ''' extract values form users db '''
+    filter_map = {
+        'user_ssh_keys': user_ssh_keys,
+    }
+
+    def filters(self):
+        return self.filter_map
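Review bot: The inner `except KeyError: pass` in `user_ssh_keys` silently drops any name that is missing from `db`, so a typo or a removed user yields a shorter, possibly empty, key list instead of an error. That list is written straight into authorized_keys content, including the `authorized_key` task with `exclusive: yes` in roles/base, where an unexpectedly short list removes access without warning; the templates in group_vars/accesspoints and host_vars/torwaechter and the preseed task consume it the same way. Failing on unknown users, and rejecting an `ssh` value that is not a list (a bare string would be iterated character by character), keeps mistakes in the users db visible when the playbook runs. The class docstring also has a typo (`form` should be `from`), and the function lacks a docstring saying that `data` is a list of user names and `db` the users mapping.

```python
def user_ssh_keys(data, db):
    ssh_keys = []
    for user in data:
        if user not in db:
            raise errors.AnsibleFilterError("user_ssh_keys(): unknown user '%s'" % user)
        # a user without an 'ssh' entry simply contributes no keys
        keys = db[user].get('ssh', [])
        if not isinstance(keys, list):
            raise errors.AnsibleFilterError("user_ssh_keys(): 'ssh' of user '%s' is not a list" % user)
        ssh_keys.extend(keys)
    return ssh_keys
```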
index 321c855..51cd80a 100644 (file)
@@ -1,5 +1,5 @@
 ---
-ssh_root_users:
+ssh_users_root:
   - equinox
   - nicoo
 
@@ -146,7 +146,7 @@ openwrt_mixin:
 
   /etc/dropbear/authorized_keys:
     content: |-
-      {% for key in ssh_keys_root %}
+      {% for key in ssh_users_root | user_ssh_keys(users) %}
       {{ key }}
       {% endfor %}
 
index 32a6b24..2d6e172 100644 (file)
@@ -12,10 +12,3 @@ root_password: "{{ vault_root_password }}"
 ## SSH keys for root, default to NOC's
 
 ssh_users_root: "{{ user_groups.noc }}"
-## TODO: make this a filter_plugin...
-ssh_keys_root: "{{ ssh_users_root | map('extract', users) | map(attribute='ssh') | flatten | list }}"
-
-## TODO: not used at the moment?
-noc_groups:
-  - adm
-  - sudo
index 864a50d..75e16de 100644 (file)
@@ -1,5 +1,5 @@
 ---
-ssh_keys_tuergit: "{{ ssh_keys_root }}"
+ssh_users_tuergit: "{{ user_groups.noc }}"
 
 openwrt_arch: x86
 openwrt_target: geode
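Review bot: `ssh_users_tuergit` is now bound to `user_groups.noc` directly, whereas the old `ssh_keys_tuergit` followed `ssh_keys_root` and therefore any override of `ssh_users_root`. With the default in group_vars/all (`ssh_users_root: "{{ user_groups.noc }}"`) the result is the same, but if this host or one of its groups ever narrows `ssh_users_root`, the tuergit account would keep accepting the full NOC key set. If the coupling was intended, `ssh_users_tuergit: "{{ ssh_users_root }}"` preserves it; if not, a short comment stating that tuergit access is deliberately tied to the NOC group would make that explicit.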
@@ -61,13 +61,13 @@ openwrt_mixin:
 
   /etc/ssh/authorized_keys.d/root:
     content: |-
-      {% for key in ssh_keys_root %}
+      {% for key in ssh_users_root | user_ssh_keys(users) %}
       {{ key }}
       {% endfor %}
 
   /etc/ssh/authorized_keys.d/tuergit:
     content: |-
-      {% for key in ssh_keys_tuergit %}
+      {% for key in ssh_users_tuergit | user_ssh_keys(users) %}
       {{ key }}
       {% endfor %}
 
index b9d8601..b148a6d 100644 (file)
@@ -47,7 +47,7 @@
 - name: Set authorized keys for root user
   authorized_key:
     user: root
-    key: "{{ ssh_keys_root | join('\n') }}"
+    key: "{{ ssh_users_root | user_ssh_keys(users) | join('\n') }}"
     exclusive: yes
 
 - name: disable apt suggests and recommends
index 7406154..51471c5 100644 (file)
@@ -14,7 +14,7 @@
     user: root
     manage_dir: no
     path: "{{ preseed_tmpdir }}/authorized_keys"
-    key: "{{ ssh_keys_root | join('\n') }}"
+    key: "{{ ssh_users_root | user_ssh_keys(users) | join('\n') }}"
 
 - name: Inject files into initramfs
   shell: cpio -H newc -o | gzip -9 >> 'initrd.preseed.gz'
index 973f44d..b9201c0 100644 (file)
@@ -39,7 +39,7 @@
     - import_role:
         name: preseed
       vars:
-        ssh_keys_root: "{{ hostvars[hostname].ssh_keys_root }}"
+        ssh_users_root: "{{ hostvars[hostname].ssh_users_root }}"
         install_interface: enp1s1
         preseed_tmpdir: "{{ tmpdir.stdout }}"