From: nicoo
Date: Fri, 30 Nov 2018 23:11:53 +0000 (+0100)
Subject: Merge PR#43: nicer handling for ssh keys
X-Git-Url: https://git.realraum.at/?p=noc.git;a=commitdiff_plain;h=edd429a61acd8b6a392c6e0fffc5aef18ed8d218;hp=253adcddf073279e89c6645eb1817175e76a5953
Merge PR#43: nicer handling for ssh keys
---
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
index 4c457eb..ed90222 100644
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -14,6 +14,8 @@ var_compression_level = 9 timeout=30
+filter_plugins = ./filter_plugins
+
 [ssh_connection]
 pipelining = True
 ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
diff --git a/ansible/filter_plugins/users.py b/ansible/filter_plugins/users.py
new file mode 100644
index 0000000..9212ce1
--- /dev/null
+++ b/ansible/filter_plugins/users.py
@@ -0,0 +1,30 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+from ansible import errors
+
+
+def user_ssh_keys(data, db):
+ try:
+ ssh_keys = []
+ for user in data:
+ try:
+ for key in db[user]['ssh']:
+ ssh_keys.append(key)
+ except KeyError:
+ pass
+
+ return ssh_keys
+ except Exception as e:
+ raise errors.AnsibleFilterError("user_ssh_keys(): %s" % str(e))
+
+
+class FilterModule(object):
+
+ ''' extract values form users db '''
+ filter_map = {
+ 'user_ssh_keys': user_ssh_keys,
+ }
+
+ def filters(self):
+ return self.filter_map
diff --git a/ansible/group_vars/accesspoints/main.yml b/ansible/group_vars/accesspoints/main.yml
index 7d4b030..7147bbd 100644
--- a/ansible/group_vars/accesspoints/main.yml
+++ b/ansible/group_vars/accesspoints/main.yml
@@ -1,4 +1,8 @@
 ---
+ssh_users_root:
+ - equinox
+ - nicoo
+
 accesspoint_wifi_channels:
 2.4g:
 ap0: 3
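Review bot: `except KeyError: pass` in `user_ssh_keys()` silently drops any name in `data` that is not a key of `db` (or whose entry has no `ssh` key), so a mistyped user name in `ssh_users_root` yields an empty key list instead of an error; the removed `noc_ssh_keys` expression (`map('extract', users)`) would have failed on an unknown name, so this is a loosening. Because the callers in this commit pipe the result into `authorized_key ... exclusive: yes` and into the `/etc/dropbear/authorized_keys` and `authorized_keys.d/*` file contents, an empty result would, as far as I can tell, replace every existing root key with nothing rather than abort the play. I would make an unknown user an `AnsibleFilterError`, keep "known user without an `ssh` entry" as a legitimate empty contribution, and drop the outer catch-all, which only re-wraps the message; while here, `form` in the `FilterModule` docstring should read `from`. Rewritten function below.
```python
def user_ssh_keys(data, db):
    """Return the SSH public keys of every user name in ``data``.

    ``db`` is the ``users`` mapping.  An unknown user name raises
    AnsibleFilterError instead of being skipped, because callers write the
    result into authorized_keys files with ``exclusive: yes``; a known user
    without an ``ssh`` entry simply contributes no keys.
    """
    ssh_keys = []
    for user in data:
        try:
            entry = db[user]
        except KeyError:
            raise errors.AnsibleFilterError("user_ssh_keys(): unknown user %s" % user)
        ssh_keys.extend(entry.get('ssh') or [])
    return ssh_keys

# … unchanged: FilterModule …
```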
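Review bot: The literal `ssh_users_root` list added at the top of group_vars/accesspoints/main.yml overrides the all-hosts default (`user_groups.noc` in group_vars/all/main.yml) with two named users, and nothing says why access points get their own root-key set; presumably a deliberate narrowing, but the next reader cannot tell a policy decision from a leftover. A one-line comment above the list would settle that, e.g. `# overrides the user_groups.noc default: only these users may log in as root on the APs`.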
@@ -141,10 +145,7 @@ openwrt_mixin:
 net.ipv6.conf.all.forwarding=0
 /etc/dropbear/authorized_keys:
- content: |-
- {% for key in noc_ssh_keys %}
- {{ key }}
- {% endfor %}
+ content: "{{ ssh_users_root | user_ssh_keys(users) | join('\n') }}\n"
 /etc/htoprc:
 file: "{{ global_files_dir }}/common/htoprc"
diff --git a/ansible/group_vars/all/main.yml b/ansible/group_vars/all/main.yml
index d617779..2d6e172 100644
--- a/ansible/group_vars/all/main.yml
+++ b/ansible/group_vars/all/main.yml
@@ -10,4 +10,5 @@ global_files_dir: "{{ inventory_dir }}/files"
 ## Root password; by default, undefined
 root_password: "{{ vault_root_password }}"
 ## SSH keys for root, default to NOC's
-ssh_keys: "{{ noc_ssh_keys }}"
+
+ssh_users_root: "{{ user_groups.noc }}"
diff --git a/ansible/group_vars/all/users.yml b/ansible/group_vars/all/users.yml
index ac2b99b..f6ede15 100644
--- a/ansible/group_vars/all/users.yml
+++ b/ansible/group_vars/all/users.yml
@@ -30,9 +30,3 @@ users:
 gpg: 0xE3468B9CE81EB4F91486
 ssh:
 - ssh-rsa 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 xro@realraum.at
-
-noc_groups:
- - adm
- - sudo
-
-noc_ssh_keys: "{{ user_groups.noc | map('extract', users) | map(attribute='ssh') | flatten | list }}"
diff --git a/ansible/host_vars/torwaechter/main.yml b/ansible/host_vars/torwaechter/main.yml
index 016ec44..85a516f 100644
--- a/ansible/host_vars/torwaechter/main.yml
+++ b/ansible/host_vars/torwaechter/main.yml
@@ -1,4 +1,6 @@
 ---
+ssh_users_tuergit: "{{ user_groups.noc }}"
+
 openwrt_arch: x86
 openwrt_target: geode
 openwrt_output_image_suffixes:
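Review bot: The comment `## SSH keys for root, default to NOC's` in group_vars/all/main.yml is kept but now describes `ssh_users_root`, which holds user names rather than keys, and the added blank line separates it from the variable it documents. I would replace the two added lines with `## Users whose SSH keys are authorized for root; defaults to the NOC group` directly followed by `ssh_users_root: "{{ user_groups.noc }}"`. Since `ssh_keys` is removed here and the vm/install role now reads `hostvars[hostname].ssh_users_root`, any host_vars that still set the old `ssh_keys` name (none are visible in this diff) would be ignored silently and those hosts would fall back to the NOC default — worth a grep before merging.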
@@ -58,16 +60,10 @@ openwrt_mixin:
 AuthorizedKeysCommandUser tuergit
 /etc/ssh/authorized_keys.d/root:
- content: |-
- {% for key in noc_ssh_keys %}
- {{ key }}
- {% endfor %}
+ content: "{{ ssh_users_root | user_ssh_keys(users) | join('\n') }}\n"
 /etc/ssh/authorized_keys.d/tuergit:
- content: |-
- {% for key in noc_ssh_keys %}
- {{ key }}
- {% endfor %}
+ content: "{{ ssh_users_tuergit | user_ssh_keys(users) | join('\n') }}\n"
 openwrt_uci:
 system:
diff --git a/ansible/roles/base/tasks/main.yml b/ansible/roles/base/tasks/main.yml
index 7fb9d24..b148a6d 100644
--- a/ansible/roles/base/tasks/main.yml
+++ b/ansible/roles/base/tasks/main.yml
@@ -47,7 +47,7 @@
 - name: Set authorized keys for root user
 authorized_key:
 user: root
- key: "{{ ssh_keys | join('\n') }}"
+ key: "{{ ssh_users_root | user_ssh_keys(users) | join('\n') }}"
 exclusive: yes
 - name: disable apt suggests and recommends
diff --git a/ansible/roles/preseed/tasks/main.yml b/ansible/roles/preseed/tasks/main.yml
index 8289eb6..51471c5 100644
--- a/ansible/roles/preseed/tasks/main.yml
+++ b/ansible/roles/preseed/tasks/main.yml
@@ -14,7 +14,7 @@
 user: root
 manage_dir: no
 path: "{{ preseed_tmpdir }}/authorized_keys"
- key: "{{ ssh_keys | join('\n') }}"
+ key: "{{ ssh_users_root | user_ssh_keys(users) | join('\n') }}"
 - name: Inject files into initramfs
 shell: cpio -H newc -o | gzip -9 >> 'initrd.preseed.gz'
diff --git a/ansible/roles/vm/install/tasks/main.yml b/ansible/roles/vm/install/tasks/main.yml
index f14ea50..b9201c0 100644
--- a/ansible/roles/vm/install/tasks/main.yml
+++ b/ansible/roles/vm/install/tasks/main.yml
@@ -39,7 +39,7 @@
 - import_role:
 name: preseed
 vars:
- ssh_keys: "{{ hostvars[hostname].ssh_keys }}"
+ ssh_users_root: "{{ hostvars[hostname].ssh_users_root }}"
 install_interface: enp1s1
 preseed_tmpdir: "{{ tmpdir.stdout }}"
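Review bot: In roles/base/tasks/main.yml the new `key: "{{ ssh_users_root | user_ssh_keys(users) | join('\n') }}"` combined with the existing `exclusive: yes` makes whatever the filter returns root's complete authorized_keys; if the filter returns an empty list (it skips unknown user names silently, see filter_plugins/users.py in this commit), the task would, as far as I can tell from the authorized_key module's exclusive handling, remove every existing root key rather than fail. A guard task before it keeps a typo in `ssh_users_root` from turning into a lockout, e.g. `- name: Refuse to wipe root's authorized keys` / `  assert:` / `    that: ssh_users_root | user_ssh_keys(users) | length > 0`. The same expression is now repeated in roles/preseed/tasks/main.yml and in the accesspoints and torwaechter vars; a single derived variable such as `ssh_keys_root: "{{ ssh_users_root | user_ssh_keys(users) }}"` in group_vars/all would keep the filter call in one place and make the guard trivial to apply everywhere.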