I'm fairly new in using Ansible and have been reading here and google and haven't found an answer yet.
My scenario is that I have 1 user on a server but 2-3 different pub keys that need to put in it's authorized_keys file.
I can successfully remove all keys, or add all keys with this script:
---
- hosts: all
tasks:
- name: update SSH keys
authorized_key:
user: <user>
key: "{{ lookup('file', item) }}"
state: present
#exclusive: yes
with_fileglob:
- ../files/pub_keys/*.pub
With the present
flag it reads and adds all the keys. With the absent
flag it removes all keys listed.
Problem is that I have an old key that is only on the server and I want to remove/overwrite it and for future deployments overwrite any unauthorized keys that might be on the server and not in my playbook.
With the exclusive
flag it only takes the last key and adds it. This would be fantastic if it would loop and recusively add all the keys. If there is a way to do this in Ansible I have not found it.
Is there any way to loop over pub files and use the exclusive
option at the same time?
Is there any way to loop over pub files and use the exclusive option at the same time?
No. There is a note about loops and exclusive in the docs:
exclusive: Whether to remove all other non-specified keys from the authorized_keys file. Multiple keys can be specified in a single key string value by separating them by newlines. This option is not loop aware, so if you use with_ , it will be exclusive per iteration of the loop, if you want multiple keys in the file you need to pass them all to key in a single batch as mentioned above.
So you need to join all your keys and send all them at once.
Something like this:
- name: update SSH keys
authorized_key:
user: <user>
key: "{{ lookup('pipe','cat ../files/pub_keys/*.pub') }}"
state: present
exclusive: yes
Check this code before running in production!
If you want to avoid the pipe
lookup (e.g., because the path is not relative to the role), you can also use a combination of file
and fileglob
lookups:
- name: update SSH keys
authorized_key:
user: <user>
key: "{% for key in lookup('fileglob', 'pub_keys/*.pub').split(',') %}{{ lookup('file', key) ~ '\n'}}{% endfor %}"
state: present
exclusive: yes
If your keep your users inside a variable you might use this:
---
- hosts: all
vars_files:
- roles/users/vars/main.yml
tasks:
- name: Allow other users to login to the account
authorized_key:
user: user_name
exclusive: yes
key: "{{ developers|map(attribute='publish_ssh_key')|join('\n') }}"
The roles/users/vars/main.yml
looks like this:
---
developers:
- name: user1
publish_ssh_key: ssh-rsa AAAA...
- name: user2
publish_ssh_key: ssh-rsa AAAA...
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With