From d7d843d9ef7ca0807efd6f2a5f9d095fed7eb235 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Fri, 30 Nov 2018 21:01:19 +0100 Subject: [PATCH] add filter plugin to generate ssh key list --- ansible/ansible.cfg | 2 ++ ansible/filter_plugins/users.py | 30 ++++++++++++++++++++++++++++++ ansible/group_vars/accesspoints/main.yml | 4 ++-- ansible/group_vars/all/main.yml | 7 ------- ansible/host_vars/torwaechter/main.yml | 6 +++--- ansible/roles/base/tasks/main.yml | 2 +- ansible/roles/preseed/tasks/main.yml | 2 +- ansible/roles/vm/install/tasks/main.yml | 2 +- 8 files changed, 40 insertions(+), 15 deletions(-) create mode 100644 ansible/filter_plugins/users.py diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index 4c457eb..ed90222 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg @@ -14,6 +14,8 @@ var_compression_level = 9 timeout=30 +filter_plugins = ./filter_plugins + [ssh_connection] pipelining = True ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s diff --git a/ansible/filter_plugins/users.py b/ansible/filter_plugins/users.py new file mode 100644 index 0000000..9212ce1 --- /dev/null +++ b/ansible/filter_plugins/users.py @@ -0,0 +1,30 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +from ansible import errors + + +def user_ssh_keys(data, db): + try: + ssh_keys = [] + for user in data: + try: + for key in db[user]['ssh']: + ssh_keys.append(key) + except KeyError: + pass + + return ssh_keys + except Exception as e: + raise errors.AnsibleFilterError("user_ssh_keys(): %s" % str(e)) + + +class FilterModule(object): + + ''' extract values form users db ''' + filter_map = { + 'user_ssh_keys': user_ssh_keys, + } + + def filters(self): + return self.filter_map diff --git a/ansible/group_vars/accesspoints/main.yml b/ansible/group_vars/accesspoints/main.yml index 321c855..51cd80a 100644 --- a/ansible/group_vars/accesspoints/main.yml +++ b/ansible/group_vars/accesspoints/main.yml 
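Review bot: The inner `except KeyError: pass` in user_ssh_keys silently drops any user that is absent from `db` or has no `ssh` entry, so a mistyped name in `ssh_users_root` just yields a shorter key list with no error — and since roles/base writes that list with `exclusive: yes`, the mistake quietly revokes that person's root access instead of failing the play. The Jinja expression this replaces (`map('extract', users)`) raised on an unknown user, so the filter is more lenient than what it supersedes. I would raise AnsibleFilterError for an unknown user and only tolerate a missing `ssh` list; with explicit checks in the loop the outer `except Exception` re-wrap (which also hides the original traceback) is no longer needed. Separately, the FilterModule docstring reads `extract values form users db`; `from` is meant.
```python
def user_ssh_keys(data, db):
    """Return the ssh keys of every user in `data`, looked up in the `users` db."""
    ssh_keys = []
    for user in data:
        # an unknown user is a configuration error, not "no keys": skipping it
        # would silently shorten the authorized_keys list written by the callers
        if user not in db:
            raise errors.AnsibleFilterError("user_ssh_keys(): unknown user '%s'" % user)
        ssh_keys.extend(db[user].get('ssh', []))
    return ssh_keys
# … unchanged: FilterModule …
```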
@@ -1,5 +1,5 @@ --- -ssh_root_users: +ssh_users_root: - equinox - nicoo @@ -146,7 +146,7 @@ openwrt_mixin: /etc/dropbear/authorized_keys: content: |- - {% for key in ssh_keys_root %} + {% for key in ssh_users_root | user_ssh_keys(users) %} {{ key }} {% endfor %} diff --git a/ansible/group_vars/all/main.yml b/ansible/group_vars/all/main.yml index 32a6b24..2d6e172 100644 --- a/ansible/group_vars/all/main.yml +++ b/ansible/group_vars/all/main.yml @@ -12,10 +12,3 @@ root_password: "{{ vault_root_password }}" ## SSH keys for root, default to NOC's ssh_users_root: "{{ user_groups.noc }}" -## TODO: make this a filter_plugin... -ssh_keys_root: "{{ ssh_users_root | map('extract', users) | map(attribute='ssh') | flatten | list }}" - -## TODO: not used at the moment? -noc_groups: - - adm - - sudo diff --git a/ansible/host_vars/torwaechter/main.yml b/ansible/host_vars/torwaechter/main.yml index 864a50d..75e16de 100644 --- a/ansible/host_vars/torwaechter/main.yml +++ b/ansible/host_vars/torwaechter/main.yml @@ -1,5 +1,5 @@ --- -ssh_keys_tuergit: "{{ ssh_keys_root }}" +ssh_users_tuergit: "{{ user_groups.noc }}" openwrt_arch: x86 openwrt_target: geode @@ -61,13 +61,13 @@ openwrt_mixin: /etc/ssh/authorized_keys.d/root: content: |- - {% for key in ssh_keys_root %} + {% for key in ssh_users_root | user_ssh_keys(users) %} {{ key }} {% endfor %} /etc/ssh/authorized_keys.d/tuergit: content: |- - {% for key in ssh_keys_tuergit %} + {% for key in ssh_users_tuergit | user_ssh_keys(users) %} {{ key }} {% endfor %} diff --git a/ansible/roles/base/tasks/main.yml b/ansible/roles/base/tasks/main.yml index b9d8601..b148a6d 100644 --- a/ansible/roles/base/tasks/main.yml +++ b/ansible/roles/base/tasks/main.yml @@ -47,7 +47,7 @@ - name: Set authorized keys for root user authorized_key: user: root - key: "{{ ssh_keys_root | join('\n') }}" + key: "{{ ssh_users_root | user_ssh_keys(users) | join('\n') }}" exclusive: yes - name: disable apt suggests and recommends 
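Review bot: `ssh_users_tuergit` is now pinned to `user_groups.noc`, whereas the removed line derived the tuergit keys from `ssh_keys_root` and therefore followed whatever `ssh_users_root` resolved to for this host (its default in group_vars/all is the same NOC group, but an override would no longer carry over). If that coupling is meant to survive, `ssh_users_tuergit: "{{ ssh_users_root }}"` keeps it; if pinning to the NOC group is deliberate, a one-line comment above the variable saying so would keep the next reader from "re-fixing" it. The authorized_keys.d templates in this file's second hunk are consistent with the rest of the change.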
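Review bot: With `exclusive: yes` this task writes exactly what `user_ssh_keys` returns, and the new filter in ansible/filter_plugins/users.py skips any user it cannot find in `users`, so a stale or mistyped name in `ssh_users_root` produces a shorter list and every key not in it is removed from root's authorized_keys without any task failing (what the module does when the list is empty and `key` becomes "" I have not verified). A guard in front of this task turns that into a loud failure rather than a lockout, e.g. `- assert:` / `that: "ssh_users_root | user_ssh_keys(users) | length > 0"` / `fail_msg: "no root ssh keys resolved for {{ inventory_hostname }}"`. The same expression feeds the preseed role's authorized_keys later in this patch, where the same check applies. The task list continues outside the hunk.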
diff --git a/ansible/roles/preseed/tasks/main.yml b/ansible/roles/preseed/tasks/main.yml index 7406154..51471c5 100644 --- a/ansible/roles/preseed/tasks/main.yml +++ b/ansible/roles/preseed/tasks/main.yml @@ -14,7 +14,7 @@ user: root manage_dir: no path: "{{ preseed_tmpdir }}/authorized_keys" - key: "{{ ssh_keys_root | join('\n') }}" + key: "{{ ssh_users_root | user_ssh_keys(users) | join('\n') }}" - name: Inject files into initramfs shell: cpio -H newc -o | gzip -9 >> 'initrd.preseed.gz' diff --git a/ansible/roles/vm/install/tasks/main.yml b/ansible/roles/vm/install/tasks/main.yml index 973f44d..b9201c0 100644 --- a/ansible/roles/vm/install/tasks/main.yml +++ b/ansible/roles/vm/install/tasks/main.yml @@ -39,7 +39,7 @@ - import_role: name: preseed vars: - ssh_keys_root: "{{ hostvars[hostname].ssh_keys_root }}" + ssh_users_root: "{{ hostvars[hostname].ssh_users_root }}" install_interface: enp1s1 preseed_tmpdir: "{{ tmpdir.stdout }}" -- 1.7.10.4