We need to deploy keys on the servers, but the trick is that there are many keys and not all of them must be deployed on all servers. Now we do it as follows:

in vars roles/authorized_keys/vars/main.yml

ssh_users:
  - name: bob
    key: "{{ lookup('file', 'roles/authorized_keys/vars/bob.pub') }}" 
    state: present
  - name: root
    key: "{{ lookup('file', 'roles/authorized_keys/vars/guru.pub') }}"
    state: present
  - name: root
    key: "{{ lookup('file', 'roles/authorized_keys/vars/user.pub') }}"
    state: absent

in task: roles/authorized_keys/tasks/main.yml

- name: Add ssh key.
  authorized_key: user={{ item.name }} key="{{ item.key }}" state={{ item.state }}
  with_items: "{{ ssh_users }}"

in playbook: authorized_keys.yml

---
- hosts: '{{ hosts }}'
  vars_files:
    - '{{ vars }}'
  roles:
    - { role: authorized_keys }

Before starting the playbook, change roles/authorized_keys/vars/main.yml (present or absent). When starting the playbook, add the hosts and host groups:

ansible-playbook -i production --extra-vars "hosts=web:pg:1.2.3.4" authorized_keys.yml

Previously it was all good, but now the number of keys and servers has increased, and I no longer remember whose key should be on which server.

Please tell me how I can set up the list of hosts for each key. For example, something like this:

- name: bob
  key: "{{ lookup('file', 'roles/authorized_keys/vars/bob.pub') }}"
  servers: web,database,12.12.12.12
  state: present
- name: root
  key: "{{ lookup('file', 'roles/authorized_keys/vars/guru.pub') }}"
  servers: api,pg,30.30.30.30
  state: present
artful
  • In order to reproduce this could you add the complete ansible command? – 030 Jul 11 '16 at 22:45
  • 030, added to post – artful Jul 12 '16 at 05:34
  • You could easily do it the other way around - add list of users to host or group specific var files. In any event, you may want to look for something better suited for identity and access management. Manual hacking of configuration scripts is, as you have seen, not a particularly scalable solution. Nor is it typically considered a good security practice. If you are not looking to deploy an IDM system such as FreeIPA perhaps something like http://sshkeybox.com/ could be of use? – Roy Jul 20 '16 at 04:42

1 Answer

I would use a host variable "ssh_users", which states the users that need their host keys added.

ssh_users:
  - bob
  - root
  - alice

Then, you have a separate variable file that defines the name, key and state for each SSH user. Import that variable file, then call your original task pretty much as is.

Christopher Karel
  • Thanks for the answer. But I need the list of hosts for each key, not for the user. Maybe there is a situation where several keys need to be added for one user. – artful Jul 21 '16 at 20:54
  • That's essentially what I'm suggesting. Except that instead of storing the list of hosts as a property of the key, you're storing a list of keys to add as a property of the host. (alternately, as a property of a group) This should still achieve the goal of assigning different keys to different users. And if you utilize group_vars, it should require relatively little effort to add a new user's keys to a number of servers. – Christopher Karel Aug 04 '16 at 18:33
  • That works fine! Thanks! I use variables for the children host group: key, user and state. And for a new key I add a new file in the inventory folder with a new children group. I have a question: is it possible to create a group with all hosts in the inventory file? Example `[all]` – artful Aug 07 '16 at 18:32
  • I definitely use the `all` group. By that, I mean I have a file called `group_vars/all`, that applies its variables to every host. But note that it will overwrite variables with the same name if you define them elsewhere -- like in separate groups. – Christopher Karel Aug 09 '16 at 16:03
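A concrete layout of the approach the answer describes (key definitions kept in one place, and each group listing only the key names it should carry), written as an added example rather than the answer's own code; the `ssh_key_defs` variable, the key names and the file paths below are assumptions:

```yaml
# group_vars/all.yml -- every key is defined exactly once, by a short name.
# (constructed example; the .pub paths follow the question's layout)
ssh_key_defs:
  bob:
    user: bob
    key: "{{ lookup('file', 'roles/authorized_keys/vars/bob.pub') }}"
  guru:
    user: root
    key: "{{ lookup('file', 'roles/authorized_keys/vars/guru.pub') }}"
  old_user:
    user: root
    key: "{{ lookup('file', 'roles/authorized_keys/vars/user.pub') }}"
    state: absent        # revoked: removed from every host that still lists it

# group_vars/web.yml -- which keys belong on the web group
ssh_keys:
  - bob

# group_vars/pg.yml -- which keys belong on the pg group
ssh_keys:
  - guru
  - old_user

# roles/authorized_keys/tasks/main.yml -- resolve each listed name through
# ssh_key_defs; hosts with no ssh_keys variable get nothing changed.
- name: Manage the authorized keys assigned to this host
  authorized_key:
    user: "{{ ssh_key_defs[item].user }}"
    key: "{{ ssh_key_defs[item].key }}"
    state: "{{ ssh_key_defs[item].state | default('present') }}"
  with_items: "{{ ssh_keys | default([]) }}"
```

Note that `ssh_keys` lists from different groups do not merge: a host that belongs to both web and pg ends up with only one group's list, so put shared hosts in their own group or child group rather than relying on overlap.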