Add support for applying ssh_users role to legacy hosts (#73)

This PR adds support for applying the ssh_users role to legacy hosts so that we are able to sync access to all legacy hosts with support for passwordless sudo. It also creates all the users based on the group_vars/all and configures the system so that everybody is able to login with the right permission levels. There is also support for cleaning up (i.e. removing) stale usernames from the host. This implements: #72
ooni · Jul 9, 2024 · f4b0ea0 · f4b0ea0
1 parent 3476d37
commit f4b0ea0
Show file tree

Hide file tree

Showing 10 changed files with 316 additions and 6 deletions.
diff --git a/ansible/group_vars/all/vars.yml b/ansible/group_vars/all/vars.yml
@@ -19,4 +19,5 @@ ssh_users:
       - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEZSA9TKUaYWG8gfnMoyDZO2S6vsy87xma4R/EzNpveZiOZTYSNn+UDL8NpQRuH5YgdWuQV2E7sKw/PIYA0lC/QTiq8Btqf6sEK5YWXtQy+yn9q5kB/rmi8zjaz0FUNigRrjL+26ao+c7NKpgmR+TRqbRd5VeJ46PuFD5M3c+MBeUoF1PT0zfioQFJ1mQoXwVix0n260clEXQDp4t0GZuNpWGTS+YTuJZ2vl6TDZtt8jrnENd99QArr2KU+NMTq8T2KYcPeQOoYsm7v/1TBkbv9UStllhjdE7HZSivPT8oRkF2YZYgytDxtCZG8i5iCK+vbNn6QmZMjuXPoBUeW+Njm70tlsirrKpUX+QiogA2qljxPD9st2eUkA7cATyOBkK7WLh1HYv2xyKpPtkkaELG+EHjmaVjVdyVAgUYwqg+MbIw1OyDpNmMZcW3iOpGpflXPMmLjKNMhee0//G7NxcGfwmIMbIiBkeofOnWDrMo+0PRULFtn6C7aA7ddirck+k="
 
 admin_usernames: [ art, majakomel, mehul ]
+root_usernames: [ art, mehul ]
 non_admin_usernames: [ agrabeli ]
diff --git a/ansible/inventory-legacy b/ansible/inventory-legacy
@@ -0,0 +1,187 @@
+[dom0:children] # `all` should be equal to `dom0`, so it's here to catch errors
+gh
+do
+hetzner
+
+# Digital ocean vms
+[do:children]
+doams
+
+# eclipsis
+[gh:children]
+mia
+hkg
+ams
+
+# VPSes running OONI Probe
+[vpsprobes]
+#168.197.99.40
+#probe-by1.ooni.org
+probe-kz1.ooni.org
+probe-ru1.ooni.org
+probe-tr1.ooni.org
+probe-hk1.ooni.org
+#probe-ua1.ooni.org
+#probe-th1.ooni.org
+#probe-kg1.ooni.org
+#probe-sa1.ooni.org
+#probe-ae1.ooni.org
+
+# Location-specific conf
+[hetzner]
+monitoring.ooni.org
+backend-fsn.ooni.org
+oonidata.ooni.org
+backend-hel.ooni.org
+
+########################################################################
+# location tags
+
+[mia]
+#mia-echoth.ooni.nu
+mia-httpth.ooni.nu
+
+[hkg]
+
+# Eclips.is Amsterdam Hosts
+[ams]
+#amsmatomo.ooni.nu
+#db-1.proteus.ooni.io
+ams-ps.ooni.nu
+#ams-wcth2.ooni.nu
+ams-wcth3.ooni.nu
+ams-slack-1.ooni.org
+
+# Digital Ocean Amsterdam Hosts
+[doams]
+#doams1-countly.ooni.nu
+# FIXME Disabled due to location tags not working as expected
+#ams-pg.ooni.org
+#ams-pg-test.ooni.org
+
+########################################################################
+# PSK (pre-shared key) tags
+
+[psk_amsrepl]
+
+[psk_clickhouse]
+backend-fsn.ooni.org
+backend-hel.ooni.org
+#ams-pg-test.ooni.org
+
+[psk_hkgmetadb]
+
+[psk_oomsm_beta]
+# FIXME: drop `oomsm-beta` user
+
+[psk_metadb_amsapi]
+
+[psk_orchestration]
+#db-1.proteus.ooni.io
+
+[psk_orchestra_prod]
+# Used to populate the vault_orchestra_psiphon_config_file_content var
+ams-ps.ooni.nu
+#ams-pg.ooni.org
+#ams-pg-test.ooni.org
+backend-fsn.ooni.org
+backend-hel.ooni.org
+
+[psk_orchestra_test]
+
+[psk_orchestra_db_prod]
+# FIXME: untie `psk_orchestration` into something more manageable
+#db-1.proteus.ooni.io
+
+[psk_superset_hkgmetadb]
+
+########################################################################
+# role tags
+
+[have_fw]
+#amsmatomo.ooni.nu
+#ams-wcth2.ooni.nu
+ams-wcth3.ooni.nu
+ams-ps.ooni.nu
+#mia-echoth.ooni.nu
+mia-httpth.ooni.nu
+ams-slack-1.ooni.org
+
+[have_nftables]
+#ams-pg.ooni.org
+#ams-pg-test.ooni.org
+backend-fsn.ooni.org
+backend-hel.ooni.org
+
+[have_nginx]
+#amsmatomo.ooni.nu
+ams-ps.ooni.nu
+#ams-wcth2.ooni.nu
+ams-wcth3.ooni.nu
+ams-slack-1.ooni.org
+
+[have_tor] # Tor test-helpers
+
+[have_collector]
+ams-ps.ooni.nu
+
+[have_tcpmetrics]
+ams-ps.ooni.nu
+
+[active_collector]
+ams-ps.ooni.nu
+
+[db_active]
+
+[db_standby]
+
+[have_netdata]
+#ams-pg.ooni.org
+#ams-pg-test.ooni.org
+backend-fsn.ooni.org
+backend-hel.ooni.org
+
+[probe_services]
+ams-ps.ooni.nu
+
+[monitoring]
+monitoring.ooni.org
+
+
+########################################################################
+# TO DELETE.
+# Stopped VMs that should be deleted from GH and DNS after some grace period:
+#
+# since YYYY-MM-DD # fqdn.example.org # as dead as Lenin, see https://github.com/ooni/sysadmin/issues/NNNN
+# since 2024-07-04 # ams-pg-test.ooni.org is stopped
+# since 2024-07-04 # ams-pg.ooni.org is stopped
+# since 2019-10-29 # hkgbouncer.ooni.nu has been migrated to ams-ps.ooni.nu. Check again in a bit to see if it still has traffic
+# since 2019-10-29 # notify.proteus.ooni.io (37.218.242.67)
+# since 2019-10-29 # events.proteus.ooni.io (37.218.242.63)
+# since 2019-10-29 # registry.proteus.ooni.io (37.218.242.65)
+# since 2019-10-29 # proteus.ooni.io (37.218.242.62)
+# since 2019-10-29 # run.ooni.io
+# since 2018-12-12 # a.echo.th.ooni.io # restore onion key to check if it gets traffic
+# since 2018-12-12 # munin.ooni.io # disk idle since 2018-11-25
+# since 2018-12-12 # shark.ooni.nu # disk kept since 2018-11-25, idle since 2018-10-16
+#
+
+
+# Following hosts are as dead as Lenin, we should drop DNS records since they
+# have been droppped from the inventory file and are unreachable.
+#
+# 168.197.99.40              : ok=0    changed=0    unreachable=1    failed=0    skipped=1    rescued=0    ignored=0
+# ams-wcth2.ooni.nu          : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
+# amsmatomo.ooni.nu          : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
+# db-1.proteus.ooni.io       : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
+# doams1-countly.ooni.nu     : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
+# mia-echoth.ooni.nu         : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
+# probe-ae1.ooni.org         : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
+# probe-by1.ooni.org         : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
+# probe-kg1.ooni.org         : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
+# probe-sa1.ooni.org         : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
+# probe-th1.ooni.org         : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
+# probe-ua1.ooni.org         : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
+# shinri.ooni.org            : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
+# ams-pg-test.ooni.org
+# ams-pg.ooni.org
diff --git a/ansible/known_hosts_legacy b/ansible/known_hosts_legacy
@@ -0,0 +1,32 @@
+probe-kz1.ooni.org,94.131.2.196 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNO3l9LeEgvaCygh0zFOXcEqPdpFcGqVf8ytTtrm3OLD10ltbz1xGljLhn4NYUkvkr5hOTSYiv+aRC5zgNw6Ll4=
+probe-kz1.ooni.org,94.131.2.196 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDSc51FBfSsI5gFuYhAozaxDhbtROi3QS9zVo2YOU+cePbltGmGWhR55l4IWrbjBB/D+uAkXD0q2Y208Jbh6wKwtRsh8DB7a6ih8vKZcoR+akI5nlVqVG3+LKE7sZUYgcMQ9I5mBW+cGU2dZbQXTDq7fz5ujLRaGFXWc/CMPf72wg97h6ZR+sZP9smfUe3AjY+km3/teUidRzkOk5ReGlNjzVWDNu8oBCgpSALRJgopQY/PxwgkWlpzIYYNmej068mBKN0065lfX704cQ9iYGQ544JYZSfysnVhWUlXNCnvHCDYLj3uI0fRuEtZRBBTf2WDrtDhh/ZdB6MNnYHwZcgN5e5pOFcSoDKQtNf75Awl0ou5E84ttUDpBSdMyd2lBeGEJNR3oKF3ZWHL52xfz5s+vkMvT7NsAWYFbNBMojyLUBrPZOfXFdtXmwQfexmFXrLVroBmrqRvS719PoWb8FUEP1lkBfIolLBAtARBXJak14wSrz0Nx1I6LOAiyglJxh0=
+probe-kz1.ooni.org,94.131.2.196 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQ3fur9nWCpa9SqGfStbQRBzSuq4FKxI/s7TPLhviaq
+probe-ru1.ooni.org,45.144.31.248 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC64JoK6FOfStM8plLfixZLWaXycwKMEQp8MteLUeLRnsjYxK2thiqK576VSh7Vkm7KjaHcb4p5zp3T3X/Dtdh2lBTfykVseHg9ZlgK4Yn9LSLa9HhQDeb8qwWSm3TG1igi5LsO+6roe1VOcxuXKePEQT0gM6qqd0eInYWRYHxyHemRdnlkDeDxH/Pgz9Dhpfc4fpNY1FtxpevNksJSNt12pfem8AF2fWqFOodozfA9nzum3rqwNIq/VF6GT8k7s2c1DotuN3guBrMtRstYDgUv9VV/7p78G8/SHaI6LYCyXCTgScBETNsH97SS5MBeWvbXGjsYTQ4+v6ipjQ/NFfSadDYEJvvrsplPsh6Ys188O1W+na7Fjz7bJ4V7ZUe1Sg83FZzxHccFev9OlAWsWbhUiOTcgS5HjPgYHgW0O253MOgPlPJuARvt47ojG9m0TUKpyaVvKQMOZrwXzrO93kZmwCnaAhP0GEq7Lzp7GUMPYrPYkmnpFDjKN8TenAxi8sE=
+probe-ru1.ooni.org,45.144.31.248 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKxRe8Avewa5QwSo2opWeHR3vwrBVAvqjOVprDYnxE4HxU7A3E9/DTaDRfVYU2HlMy+aVABusEaiH1IF8zlgUx4=
+probe-ru1.ooni.org,45.144.31.248 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMfMQd+a/gikSOTBNG/XuHEhzjebCddIDudIQ2w6g42P
+probe-tr1.ooni.org,194.116.190.70 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDI2bKFcPNrXZ5lYjcRr1IWuk9IDhmhyRijqN7ANGQrCEx2ggpmBjKixhiga8YISlYKteoZpLJlFk7Z4ClMzIF8=
+probe-tr1.ooni.org,194.116.190.70 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ/0nDBino/S+NSaB5F7SsjtVVPvpFC73Zqe7SU2ZovgVqIKJoKrAF2qA4CBNNS8+q6v0O3ypGyZS35POioqEpbtxqTn/QMzGjJ6EnhDqQMlWIitoQgTpejl7Ia7WDNKbyKJ40ARushZVipVtiSH8sXUde6wX8jWyaVtAlfor06rBX12Ls4Xlq0vv7L4GGRUAvry3pKCvqw83XHL0lq3XF/omCzSc3Ok1Z8fFsx5mtiwTucn82acFyb13ILSxsTSFeEO1tZA5qhROlDoGh6eiGNJFX/m1Opi14REAS6W2NWPnfCAjwsO8lOGHQ7sch8IBPMuLDxGcjdgw9T2/84qaGhd3sXLLxw3Yh599GI05uczVBVXDJ5Y8khcR7DNhSIJyYJHeA8VQfl+kpC1p9l+6A59LRQt1KyUzNFAQy4spoiaj9L3mS5E9I42VbEYgJFqS1hZuGiNJHhU39J84LFYYmyi1VFrs67gfUWSx3wq8VKsNJKW7/I72sYAaDhgawgBM=
+probe-tr1.ooni.org,194.116.190.70 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYslp4XiXJ7qtFwDdpuj6+5rQ8RCimjE+GDPnnV8WQe
+probe-hk1.ooni.org,185.74.222.11 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIek3IBkmmAzsfltWamfTAl0xSmKn2KhI4kf3C1SiMxe
+probe-hk1.ooni.org,185.74.222.11 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCz1TdX53fuFx30vlzIjLsJdx/dv+L5pnpm7PxhPXFUs77ISqvoPxBvqq4PkYFQKgMoUkCiIxcXzhB+uO3mBsVuYnJExNfq1HGcntjYZiXbQhJ230RMUaC+xkPhRzyVe4xuVo0wXNbR+9RJfPrCVr4EYLDUoBw+ScqTME3tnxALn0poZZtyXlEvj6rFXCvn7tWQZgZZtbi2fpVKI6luGk+7ovPq3itUCsd4NpaFLiLExqrGXsF4hCoTGG57L44O+doeO3vUiimkkl522JLXRS3b0N8vPNxcnc/P23IXCfdNz8LFvn6J6G8TxZcBYPFHHCDW17ed6kDNYBgzmX7N5foMuUmu61PGzY73ZzIxPj5OyivJ21188Yi7+64wTAU6oJXqrZVxRrAVaHlOVnXBQ3HLKKeTA8czq9f34Qe4bY+jAb+tYAXM5aXJKh96sh9/MIaXwETNKbY7N89LNsxpxB9lmwUSkIyO4B1tB+N9ayAuZg3+pGX+8h/TsgPHks2it9k=
+probe-hk1.ooni.org,185.74.222.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNnxn7A5WKF8PVpnAexsGi8LDfx+LB5zElG/I2FH5M6IHtix4nidWuzDpM7vhsBJQpQ5G3OM3tDr9g7+8QVGOnI=
+backend-fsn.ooni.org,162.55.247.208 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGjRP12G5nEl8VF6494QEF84ujpNaiXCN36TOPrwLPdCde9BJwaRrSF2jg6KtBIW8F/ZH5KRg52jkAbfvPbpwGtU1cUjZDc1T3oQfmbiF3kIcZ0pc3+TG3Wq8BV9iHPn3o/eOHvXPSw3Xzp10oiupOQOj7YnyEo9hUiyG1O/hpOrq4P6thy8vG9mgW+xVKgO0lmDjXxJnmbej+OrNO2NtjzU8DPcITLdb3XIDhn9DmpZzo6eQhIwOhnrEjxBFoT3AbNsykl+F/pvhIjXRMh6U674qYoEM3toJ5B4j6lvLuDsIllduE65hCHAGRD/YB1nbIvL8X00mrvsu6llWqNlRGSK9xoFWBTfUzeV1cC2JA9vGHLFaYuF36KWncuVi4TKnxpIJyyJKyeCkbe/1YL1blNBL1Tik9YKjRfY2+BKN+6cpPimVIG13cZvhoMGaIPnkLlH1sL7K2iY+ryQj/sA/GFPve4NChNMLssuscrE9lYnz5A/dZYHIHCmcaQvRotp8=
+backend-fsn.ooni.org,162.55.247.208 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFynXiTdEENcLiRU8d3AXvaV1xKvFUCpMYuHyh5uWNukkPW3tsJsGjh0UgPemwAnr85BXWItps+73H4x6nQeuB4=
+backend-fsn.ooni.org,162.55.247.208 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPaMuLaalKDjcHg3N/vQucVdWoAX89kmMWBRvu2kDzCV
+backend-hel.ooni.org,65.108.192.151 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFevWpZD9/K2Rn4sjlMd2odUc9tLo2RuXP5H8mN6lON6yccwN4C0lHkk+fBAMbwo/iDtyt45q8r0KFFkVj9/oR0=
+backend-hel.ooni.org,65.108.192.151 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC1IOqjuIHXBeCONdMzE56vjMspAzo9qZMY/GHnURu8FpP/IjYet9dZjCxOQQqU7rcjFSsiuU2aO6lSSFsm0rB97DZPp7BNY71EInINJyYvlcWl3onqSHEi8vV/QHZMLvjBqSxowV+u0cDFrlxd92Nc9+undVCJOaIhuIrQiWNP3D4eceW6qYLTbSPwLuRCSFXX/Zuo0vsj1miaLEMmXPLwNAx4E4e4kXmm3FsJojnuwlF4OTBWnO79jNN+rp2h/2Ao86FJaUvJvnzFYe4t5BFxFZA7pynMpCw5748Ucz95AWw7vldnhXW5YW3+dIS6Uq2sM7z2PQpu1b2ymtjxRKCsulOhtVnH3Vr43NwCIRPsMNGn+MG0vXo2ZZI0jNzTWph5PKVtDvvgHTs5eWFGlGLt0wT8LK293P4p0ErZuEv0Ni2eQceqBabXK/r+a36yUcq9dqcTGU/Dc1opnt4nQn0xx2Qf1oqvhiitlR8i/s8kpWmesn43HTdI5RAwudC+B1E=
+backend-hel.ooni.org,65.108.192.151 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOXjeAgnZpuqhDnjiJzhWe8VNEao/A3HRwzuZO3rTbXA
+ams-ps.ooni.nu,37.218.245.90 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqRLSvswGmathjxcHFUvDxG/x5sHoMYxEMAuPNCG2G3XGJORdMclExWkNsIk66MxJhpnSlsnh7po2E6FUz95Y1Zkq8w+bqOBE6Zng4TE0t/NVx7Ef7yNW3f8M+jEp6sUgw96q/Ap+hm4a7IWQr4dqsC8Whl5MfBwjvpOT3yV83RBK5Y7RkTo5kGbhq2dlj6sruvl++tcGT6esw0PETG90MvNfJRiN1Q9m1te4IsUQjEpZ/qRYZTyqWk1gf+U30bLBHsn2e8MK9x49TRyfyGkteRjMeLOhJBWfrDJEbOEb9C9a5NgMwb+tgRLbkoCDbEIo4zP3bh/1p7wZsBGkw0X8P
+ams-ps.ooni.nu,37.218.245.90 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKLKJ+Nq28NVAuAqPkMvlhsiiftrx3B7hElAHIIfMjHJ
+ams-wcth3.ooni.nu,37.218.245.117 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+X3BPyIuRdyJSjUAUkffPAZYBSbs8eqxuV1JbNERh43bGc9BenojRmI4h5SDO45Ho4uh5/ssCl6B1DBaXolbkNMfONkPxRDrQu4WwqN/Y/u5C1POYCVKY/Ka8amorJhUH6HZt0im18BE/xGHLex6L+dl6ffumCW758MqvIzUiQSXqeeqmQUdFHombFGJ/U3sEALsdPN87who7il/pKd3pAbb4+Kp5Y4OnrM7WS1sqLfoXEN+CaPXHkZnnSGEqAgQlve/P0SOT9446cw0plzq9r6VjSvUzNs7X5fro7VNb4otlHkVuKcVwDSFErKTwG5sVPT+DGQwsrSVAetWuqrO7
+ams-wcth3.ooni.nu,37.218.245.117 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZ0pVdOA3qb+3BA/25dHggc0uiqCusJjVTN/JeJwiS6
+mia-httpth.ooni.nu,37.218.241.94 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPLQCQqSyzUEcsbZfhmioh9x6LlFcpXv3YtHte/H2aAX3Eq2rI6+ckz3ccnTioNkCo/b5eyW+yD9m63CAmtFRuAnadzY2BRNJqagBVKDNuQodRDdDvDZVVX4xwew5tGWm9zpLeq5gUOTqoNTH5gTsO6//qMMXc3TKNJAdOUnPFy/F1KnVKe0mGbbJ8nJ2hwxkdLqAiSPW3/VyMgCtnxl9jXW09ioMtrKMHs2o9DNUHB5IZXE431JShGnbB94Gvx5uuvh0Uww2VIGu84pMj0+K9J5c6h/khJQPLq0FbpurLcsJYYY+RqB3QuhKHIyzQU/f6841aQjDgwjvAo2wbEM95
+mia-httpth.ooni.nu,37.218.241.94 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnHv3b0WB1uCv7B5avbuIkaCVJfa9NXFK86qwwG9Isf
+ams-slack-1.ooni.org,37.218.247.98 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3b8xKPnY+glk3trOKqwfzQ/X2bN63ovax595nCThV4WNU+0qW1rXOlegnOBwKVl25CN9w6ZHimrIiuo5OTqpOPxcFnAeAFLuvr4XizBfmXdTXwu5oQy3TxYsMRw4XGzcWOJ3az1gPGXIqyKGkEkqMSIWdmgLzA7Pfo0/xfATCQy8ZaFZHPtvhnR1XyooC6JiKr8sZdHLblR3dSjOgTOGCJVJqJGl9AE/zwpngAuf61SRyiRKFFjo9wMAOfy+Jy30MMY2IPpSwdT5vbENsgtBcX2RH74uoArnCV419kHz4dDmc+duzWZSj6Bqe2YQOFstz/JSJWfIJhrzIiIjP2BiR
+ams-slack-1.ooni.org,37.218.247.98 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMo4t+t2dp9WVV3DWVYXceF/4+v1p6iUt+ST9jQ9OJyX
+monitoring.ooni.org,5.9.112.244 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC2GXzja9urWybbqkGzHIqHCSMUfWee9A2msZbtufsbyC7BH4hvsQGjLI2NIBr4CyOUz3kWmeT9QzObP5+1CN+sdzriWqqltnZ+iF/AQjPKirf7s3neCpCpvINomwxvdwEqxCX/H9tYonpxoHkk3eG6AFgn0bQMmNIUcxOT3Bv4RuwPlFbe7d2EP8/kD2BBBJCEp5rJz0PnR/U76V08Zl6gt2X/xqiGCpzEKSn2gs+mdY9ZO2YGVWS5TiqNXuHPHb53DrGN+hxdVH4Ofml34FPM8oHqe+bHlKKpipVCy1QI9+xtYO48tkA0Xcyh9Ec50egoaSRhS+3nMqSqrlNSd6qN7TFdewP0pLrbiQXBNNLQyE39lQxP8zZfJvMzGcgEGLjsXtw4RkWF2fbdal/BS2j2ITSPm2mES6L6d9g9p8DVebh9GOs3lxTUPJTDgF+qmNZsut7w1p4c7oXRwjveAuBccAT+qVpOkiMxXripRNE6P1TOE+1owXU+lcziwboy5+s=
+monitoring.ooni.org,5.9.112.244 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOvVixfPBwCQY0JyEQ7ZHPyD9tByXfEw9OQ7oO/tzfM4R+3A6N4OFVOqiibcRcPgl+Be+Hie8NtQD2oZRqI32N0=
+monitoring.ooni.org,5.9.112.244 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMXlzsjVe+m2i3bhpHef79WPbSQce2ah7BBg0hXSpXUf
+oonidata.ooni.org,142.132.254.225 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDNwKxk6TKfTnJOxaczMJH/ME/0hMeEPW4G0hVwF2gp15IQZrNlYjQPFwBzPSv8zqF8vHEPtQ2SA2UdoEBzvEL9kKFcaowW1pg+wOEXCN9JtQS/fXj8ON3ZgSytuarjEpsN5Ld4h424uwaXrlW39NGuCmTLHEWNNc7Xpd5ytutTSXE5PDRqvM6AUoH+KgfT4EAvx4khFOq2EJv8JvV6us/JE/vuEtbHCF+JOaWPHNd5NN9ouxBM4MbWDtGRfRg99O4jFWURztcRiL2fZx+gncwhhQlI7LWIM4QSrVX70Iiure0cx1qm/6urdguyQH1sPxe5FwZNzW8PfT5jrh7839C3YIB3fzJTBxNh805MOmDBN9b9IM6WFkcSpFPg8L7t9NoEGrNf5dbt+7kJN09UomwlsuFHY8Fv7kkIA3M1Xd1u7x8NyQS+j+YZzcafhC+qddkqH1R+zVZDst7Piuqxn8V11pW5rLQsRZqibSwhCFJo6Synjnl5dkoit2H/WhZN48M=
+oonidata.ooni.org,142.132.254.225 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGNutB+sBpOt7b+qfPsY5ESiAAgYSAVNs8ELZzXibr7HRKIXN7Noi02nrkRBWPLWn7EKRre9rmY/RMM0t5I6o28=
+oonidata.ooni.org,142.132.254.225 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkZFk6XHES7j5EJYPw/6bJ2V2C/fF8bU3DUruLijTb/
diff --git a/ansible/controller-playbook.yml → ansible/playbook-controller.yml b/ansible/controller-playbook.yml → ansible/playbook-controller.yml
diff --git a/ansible/playbook-generate-known-hosts.yml b/ansible/playbook-generate-known-hosts.yml
@@ -0,0 +1,26 @@
+---
+- name: Gather facts from 'all' hosts in inventory
+  hosts: all
+  vars:
+    ansible_host_key_checking: false
+    ansible_ssh_extra_args: '-o UserKnownHostsFile=/dev/null'
+  tasks:
+    - name: Get network info
+      ansible.builtin.setup:
+        gather_subset: network
+
+- name: Add public keys to known_hosts file
+  hosts: localhost
+  connection: local
+  vars:
+    ssh_known_hosts_file: "{{ lookup('env','HOME') + '/.ssh/known_hosts' }}"
+    ssh_known_hosts: "{{ groups['all'] }}"
+  tasks:
+    - name: Add to known_hosts
+      ansible.builtin.known_hosts:
+        path: '{{ ssh_known_hosts_file }}'
+        name: '{{ item }}'
+        key: "{{ lookup('pipe', 'ssh-keyscan -T 10 ' + item + ',' + lookup('dig', item)) }}"
+        state: present
+      with_items: '{{ ssh_known_hosts }}'
+      become: false
diff --git a/ansible/playbook-legacy-hosts.yml b/ansible/playbook-legacy-hosts.yml
@@ -0,0 +1,7 @@
+---
+- hosts: all:!no_ssh_users
+  become: yes
+  vars:
+    admin_group_name: adm
+  roles:
+    - ssh_users
diff --git a/ansible/roles/ansible_controller/tasks/main.yml b/ansible/roles/ansible_controller/tasks/main.yml
@@ -20,3 +20,48 @@
   ansible.builtin.git:
     repo: "https://github.com/ooni/devops.git"
     dest: /srv/devops
+
+- name: Set permissions on /src/devops
+  ansible.builtin.file:
+    path: /srv/devops
+    state: directory
+    recurse: yes
+    owner: ubuntu
+    group: admin
+    mode: "u=rwX,g=rwX,o=r"
+
+- name: set global gitconfig for each user
+  ansible.builtin.copy:
+    dest: "/home/{{ item }}/.gitconfig"
+    content: |
+      # Do not edit! ansible managed via ooni/devops
+      [safe]
+        directory = /srv/devops
+  with_items: "{{ non_admin_usernames | union(admin_usernames) }}"
+
+- name: setup .ssh config for user
+  ansible.builtin.copy:
+    dest: "/home/{{ item }}/.ssh/config"
+    content: |
+      # Do not edit! ansible managed via ooni/devops
+      UserKnownHostsFile ~/.ssh/known_hosts /srv/devops/ansible/known_hosts /srv/devops/ansible/known_hosts_legacy
+      IdentitiesOnly yes
+  with_items: "{{ non_admin_usernames | union(admin_usernames) }}"
+
+- name: Create config.d directory for each user
+  ansible.builtin.file:
+    path: "/home/{{ item }}/.ssh/config.d/"
+    state: directory
+    owner: "{{ item }}"
+    mode: "700"
+  with_items: "{{ non_admin_usernames | union(admin_usernames) }}"
+
+- name: Include per-user custom config
+  ansible.builtin.copy:
+    dest: "/home/{{ item }}/.ssh/config"
+    content: |
+      # Do not edit! ansible managed via ooni/devops
+      UserKnownHostsFile ~/.ssh/known_hosts /srv/devops/ansible/known_hosts /srv/devops/ansible/known_hosts_legacy
+      IdentitiesOnly yes
+      Include config.d/*
+  with_items: "{{ non_admin_usernames | union(admin_usernames) }}"
diff --git a/ansible/roles/ssh_users/defaults/main.yml b/ansible/roles/ssh_users/defaults/main.yml
@@ -0,0 +1 @@
+admin_group_name: admin
diff --git a/ansible/roles/ssh_users/tasks/main.yml b/ansible/roles/ssh_users/tasks/main.yml
@@ -3,7 +3,7 @@
   tags: ssh_users
   user:
     name: "{{ item }}"
-    group: "admin"
+    group: "{{ admin_group_name }}"
     comment: "{{ ssh_users[item].comment }}"
     shell: /bin/bash
     state: present
@@ -25,7 +25,6 @@
     path: "/home/{{item}}/.ssh"
     state: directory
     owner: "{{item}}"
-    group: "admin"
     mode: 0700
   with_items: "{{ admin_usernames }}"
 
@@ -35,7 +34,6 @@
     path: "/home/{{item}}/.ssh"
     state: directory
     owner: "{{item}}"
-    group: "users"
     mode: 0700
   with_items: "{{ non_admin_usernames }}"
 
@@ -44,7 +42,6 @@
   template:
     src: authorized_keys
     dest: "/home/{{item}}/.ssh/authorized_keys"
-    owner: "{{item}}"
     mode: 0400
   with_items: "{{ admin_usernames | union(non_admin_usernames) }}"
 
@@ -60,6 +57,16 @@
   with_items: user_list.stdout_lines
   when: "item != 'nobody' and item not in (admin_usernames | union(non_admin_usernames))"
 
-
 - name: sudoers.d/80-admins
-  template: src=sudoers dest=/etc/sudoers.d/80-admins owner=root group=root mode=0440 validate='visudo -cf %s'
+  template:
+    src: sudoers
+    dest: /etc/sudoers.d/80-admins
+    owner: root
+    group: root
+    mode: 0440
+    validate: 'visudo -cf %s'
+
+- name: sudoers.d/adm
+  ansible.builtin.file:
+    path: /etc/sudoers.d/adm
+    state: absent
diff --git a/ansible/roles/ssh_users/templates/root_authorized_keys b/ansible/roles/ssh_users/templates/root_authorized_keys
@@ -0,0 +1,4 @@
+# ansible-managed in roles/ssh_users/templates/root_authorized_keys
+{% for k in ssh_users[item]['keys'] %}
+{{ k }}
+{% endfor %}