From d40f8922277a9a36dd902a26438473a0ffd805ec Mon Sep 17 00:00:00 2001
From: Gaudenz Steinlin
Date: Wed, 27 Mar 2024 23:21:16 +0100
Subject: [PATCH] Support follow parameter for authorized_keys
Support the `follow` parameter for the authorized_keys module where it makes sense. This allows having the `authorized_keys` file symlinked. The default behaviour remains unchanged.
---
ansible/roles/authorized_keys/tasks/main.yml | 1 +
ansible/roles/root_account/defaults/main.yml | 6 ++++++
ansible/roles/root_account/tasks/main.yml | 1 +
ansible/roles/system_users/tasks/main.yml | 1 +
ansible/roles/users/tasks/main.yml | 1 +
docs/ansible/roles/authorized_keys/defaults-detailed.rst | 4 ++++
docs/ansible/roles/system_users/defaults-detailed.rst | 4 ++++
docs/ansible/roles/users/defaults-detailed.rst | 4 ++++
8 files changed, 22 insertions(+)
diff --git a/ansible/roles/authorized_keys/tasks/main.yml b/ansible/roles/authorized_keys/tasks/main.yml
index 4383f5725f..f62fc1df0a 100644
--- a/ansible/roles/authorized_keys/tasks/main.yml
+++ b/ansible/roles/authorized_keys/tasks/main.yml
@@ -59,6 +59,7 @@
 comment: '{{ item.comment | d(omit) }}'
 path: '{{ item.path | d(omit) }}'
 exclusive: '{{ item.exclusive | d(omit) }}'
+ follow: '{{ item.follow | d(omit) }}'
 loop: '{{ lookup("template", "lookup/authorized_keys__identities.j2") | from_yaml }}'
 loop_control:
 label: '{{ {"identity": item.identity,
diff --git a/ansible/roles/root_account/defaults/main.yml b/ansible/roles/root_account/defaults/main.yml
index 243f6ec7e6..8b11bf6a28 100644
--- a/ansible/roles/root_account/defaults/main.yml
+++ b/ansible/roles/root_account/defaults/main.yml
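Review bot: `item.follow` is forwarded for every identity entry, including entries that keep their keys under the account's home (the ``home`` entry parameter documented in this patch), where the `~/.ssh/authorized_keys` symlink is controlled by the account owner rather than by the administrator. With `follow` the module writes through the link instead of replacing it, and this task runs privileged, so an account owner can retarget the link at any file the run can write and have their keys appended there; for the default root-owned `/etc/ssh/authorized_keys/` location the option is benign. The ``follow`` entry in `defaults-detailed.rst` should carry that caveat, e.g. `The symlink target is trusted as-is; avoid combining this with ``home``, since the account owner controls the link.` This also assumes `lookup/authorized_keys__identities.j2` passes `follow` through unchanged — that template is not part of the patch. The task definition starts above the hunk.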
@@ -201,6 +201,12 @@ root_account__combined_authorized_keys: '{{ root_account__authorized_keys
 # to the existing keys on the ``root`` account.
 root_account__authorized_keys_exclusive: False
+ # ]]]
+# .. envvar:: root_account__authorized_keys_follow [[[
+#
+# If ``True``, follow symlinks instead of replacing the file.
+root_account__authorized_keys_follow: False
+ # ]]]
 # .. envvar:: root_account__authorized_keys_state [[[
 #
diff --git a/ansible/roles/root_account/tasks/main.yml b/ansible/roles/root_account/tasks/main.yml
index 394cf310a2..7a2ca006a2 100644
--- a/ansible/roles/root_account/tasks/main.yml
+++ b/ansible/roles/root_account/tasks/main.yml
@@ -85,6 +85,7 @@
 exclusive: '{{ root_account__authorized_keys_exclusive | bool }}'
 state: 'present'
 user: 'root'
+ follow: '{{ root_account__authorized_keys_follow | bool }}'
 when: root_account__enabled|bool and root_account__authorized_keys_state != 'absent'
 - name: Remove /root/.ssh/authorized_keys file if requested
diff --git a/ansible/roles/system_users/tasks/main.yml b/ansible/roles/system_users/tasks/main.yml
index 8b68da9763..28ff5edf3d 100644
--- a/ansible/roles/system_users/tasks/main.yml
+++ b/ansible/roles/system_users/tasks/main.yml
@@ -226,6 +226,7 @@
 state: 'present'
 user: '{{ (item.prefix | d(system_users__prefix)) + item.name }}'
 exclusive: '{{ item.sshkeys_exclusive | d(omit) }}'
+ follow: '{{ item.sshkeys_follow | d(omit) }}'
 loop: '{{ system_users__combined_accounts | debops.debops.parse_kv_items }}'
 loop_control:
 label: '{{ {"name": (item.prefix | d(system_users__prefix)) + item.name,
diff --git a/ansible/roles/users/tasks/main.yml b/ansible/roles/users/tasks/main.yml
index c8848a7b09..26a77ed946 100644
--- a/ansible/roles/users/tasks/main.yml
+++ b/ansible/roles/users/tasks/main.yml
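Review bot: `sshkeys_follow` lets a privileged write follow a symlink that sits in the account's own `~/.ssh`, so the account owner — not the administrator — decides where the keys land, and the task does nothing to check that the link target stays inside the user's home or is owned by the user. I believe sshd with the default `StrictModes yes` also refuses an authorized_keys file whose resolved path is owned by someone else or is group/world-writable, so a link pointing elsewhere is as likely to silently break logins as to grant them. Since this patch documents ``sshkeys_follow`` only as "follow symlinks ... instead of replacing them", I would add to that entry: `The link target is not validated; only enable this for accounts whose home directory the account itself cannot modify.` The enclosing `authorized_key` task starts above the hunk.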
@@ -212,6 +212,7 @@
 state: 'present'
 user: '{{ item.name }}'
 exclusive: '{{ item.sshkeys_exclusive | d(omit) }}'
+ follow: '{{ item.sshkeys_follow | d(omit) }}'
 loop: '{{ users__combined_accounts | debops.debops.parse_kv_items }}'
 loop_control:
 label: '{{ {"name": item.name,
diff --git a/docs/ansible/roles/authorized_keys/defaults-detailed.rst b/docs/ansible/roles/authorized_keys/defaults-detailed.rst
index 6194a5edbf..730e237ed8 100644
--- a/docs/ansible/roles/authorized_keys/defaults-detailed.rst
+++ b/docs/ansible/roles/authorized_keys/defaults-detailed.rst
@@ -317,6 +317,10 @@ Each list entry is a YAML dictionary with specific parameters: this option can break idempotency if multiple entries with the same ``name`` parameter are used.
+ ``follow``
+ Optional, boolean. If defined and ``True``, the role will follow symlinks to
+ the :file:`authorized_keys` file instead of replacing them.
+
 ``home`` Optional, boolean. If not specified or ``False``, the SSH keys will be managed in the :file:`/etc/ssh/authorized_keys/` directory, with custom
diff --git a/docs/ansible/roles/system_users/defaults-detailed.rst b/docs/ansible/roles/system_users/defaults-detailed.rst
index af23f136e7..8c7303e134 100644
--- a/docs/ansible/roles/system_users/defaults-detailed.rst
+++ b/docs/ansible/roles/system_users/defaults-detailed.rst
@@ -284,6 +284,10 @@ Parameters related to public SSH keys ``~/.ssh/authorized_keys`` file that are not specified in the ``sshkeys`` parameter.
+``sshkeys_follow``
+ Optional, boolean. If ``True``, the role will follow symlinks to the user's
+ ``~/.ssh/authorized_keys`` file instead of replacing them.
+
 ``sshkeys_state`` Optional. If not specified or ``present``, the SSH keys will be set on the user's account. If ``absent``, the ``~/.ssh/authorized_keys`` file will be
diff --git a/docs/ansible/roles/users/defaults-detailed.rst b/docs/ansible/roles/users/defaults-detailed.rst
index 694d3bc11f..79ea90b205 100644
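Review bot: For the `users` role, which manages ordinary accounts, the new `sshkeys_follow` pass-through combines badly with `sshkeys_exclusive` two lines above it: with both set, the module writes through the link and removes every key it was not given from whatever file the link resolves to, and the account owner — who owns `~/.ssh` — chooses that target. Whether a given target is writable by the run depends on privileges outside this hunk, but the role performs no check on the resolved path. At minimum the ``sshkeys_follow`` description should warn about it, e.g. `The role does not validate the symlink target; enabling this for accounts that can modify their own ~/.ssh lets them redirect the key write.` The task definition begins above the hunk.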
--- a/docs/ansible/roles/users/defaults-detailed.rst
+++ b/docs/ansible/roles/users/defaults-detailed.rst
@@ -298,6 +298,10 @@ Parameters related to public SSH keys ``~/.ssh/authorized_keys`` file that are not specified in the ``sshkeys`` parameter.
+``sshkeys_follow``
+ Optional, boolean. If ``True``, the role will follow symlinks to the user's
+ ``~/.ssh/authorized_keys`` file instead of replacing them.
+
 ``sshkeys_state`` Optional. If not specified or ``present``, the SSH keys will be set on the user's account. If ``absent``, the ``~/.ssh/authorized_keys`` file will be