Centralized SSH key management

group_vars/ssh.yml

@@ -0,0 +1,112 @@
+---
+
+# I need someone to complete this list bellow because Im probably missing most of them
+ssh_roles:
+  - name: admin
+    hosts: all
+    users:
+      - centos
+      - stats
+      - galaxy
+      - root  # can be omitted for now, centos can `sudo su`
+
+  - name: stats
+    hosts:
+      - sn09
+      - sn06
+    users:
+      - stats
+
+  - name: galaxy
+    hosts:
+      - sn09
+      - sn06
+    users:
+      - galaxy
+
+ssh_users:
+  - user: galaxy
+    key:
+      - "{{ galaxy_user_public_key }}"
+    roles:
+      - admin
+
+  - user: bgruening
+    key:
+      - https://github.com/bgruening.keys
+    roles:
+      - admin
+
+  - user: mira-miracolu
+    key:
+      - https://github.com/mira-miracolu.keys
+    roles:
+      - admin
+
+  - user: dominguj
+    key:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINZNuF25HySp311FKtDW9lDKUGslH6PGIap1eYniaPsC [email protected]'
+    roles:
+      - admin
+
+  - user: gsaudade
+    key:
+      - '[email protected] AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAXgFT+ynWEgCCAKepVgkSHauy+mLo+KlIGIIj0dkAXeAAAABHNzaDo= [email protected]'
+    roles:
+      - admin
+
+  - user: nate
+    key:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFH54+qZEBeU5uwIeWWOViLcC509qxoRW6oN0VHRQr4r nate'
+    roles:
+      - stats
+      - galaxy
+
+  - user: wm75
+    key:
+      - https://github.com/wm75.keys
+    roles:
+      - galaxy
+
+  - user: videmp
+    key:
+      - 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApcUIRRUHl0wVVXz5GX1QnHSq9+nThIKKH3fYM21LfW1n6gGvC7UiCCaDZQUbejJTq3EITbH3J6/Tji2jGAIJ6Xzn0Jf7sQ1yON/dO/75To32Jdo8YWS7XQeA7lU9heSc7FM5yKIBJN7PrpnYAveCsOE/1kkfUSsBZsqj9yyoFe/tquoVm5Y3nFZfKJv7/gszSVkzNxhHvn+0ccClRLpnFUHjqXgXHIQCm7P/9Lf7unSoYRd9Iefwgp52Lcm6AIncQvz5tdAFD2WciP4J15EFPMTKPdc6tfT5Tis/+/oNfYlsnaIGrbV5Hc2909KiYnvuvqKcrSFloXWzAdXJOxhszw== [email protected]'
+      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8/9GdD96Xfc0MavIJQEuNSIrOlaBSYkH4s5RyGhNnc8Al7x3hC7KXt/mcqyNoI1JTvrXp23aDpTr67e3Dnrp6Me7z8nyY9oIy5WHOgwG2ra1Ga8oi89MVgXPhtxvcYnk8hVfuPDmhWkgwS5ILH/7V/1hEKHcS0H7Q0pJp8EGCBDFWrxNfUWqJJuVcXb11CMnaSJX/VhD+S4g4rG01lMr696+k8eKs9y2sq9JpuUD1TNN16RYu1uVlVz8nhIPbEBsnFeKV+EYKLcSRQnjDTNjWqZHHM9NMWfK3wGvr5pfla158ZdsYQTmQtcchTsEoB+7eAQaER3XsEtuo8yQj4zbL videmp@work'
+    roles:
+      - stats
+
+  - user: paul
+    key:
+      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCtMvCQL1Xw/DrzO/U4nfyIL6CE63apSXHjQByWK+vWpfNkBjMh4uwQl6SzWvCn6y7tlMko1P6BG9bVDkWLLjC/kL+ds+FXDwUyLmRcfyhkortBVMWrZO3ZSSimpFugPDcfUeh+iim/Jg2CY1geVmlA9bybY8k0hGTKa5rn9KzbLCoZdsR1c9627PAefV9lr7xTHMamWsG0cIYjkOBqZM85Yw9huftUGZi1SAALjiG3k57XFswZcHrvZkE/L5Q5uU9NC0KYVapzG9PYmgU+O40Oi82PB4C6SWoOM0MG39AIS4DU7DstF3mrl2M/6crbcHIfVTB+GCQI2U9CzfvlhA6qQu+xlAc4ZX/rXeYZvNW6QtU1vvUcL95wSrPyXlqlSA6o/0T0EP8e2LG2JpNtzorcLrj010fWdpH1jY/c9ZACYNmCPuUTD/ASt5FXCqPR0WJnf4Mle10ALmghsbm7vLXQUKDcQSC4bJKpgzdFT2ocmk9jiGqCq3hivSVmR6OvHok= paul@paul-LIFEBOOK-U7410'
+    roles:
+      - stats
+
+  - user: david
+    key:
+      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCoWkk57x20iE5Wf0cDX3QvkJf/XxO4wqIeZIPIosK7rFcvy/SvDF/mwQk4iQrQ7qDam35NFHrFden+5zoE5HJoRVeHYhqNaItmiMNBY9CqgITCXsD2j9/6NdzIcR66uzLHDVvLlXr2hJmrNoeGTzg94+EVtQ0/BARwffAq//2WzgG4oClgYE4RqahQRXbmBygf4g4BAbEb5JnsLJ3qqnhsAgcUYyXg7/dz36QVsvoTwChMMCXDJpPyNb1+PqOKAgl7+yZQiPD0yI5zZG+iF6dsvc6Dhscpmt0nOjr4h+o97wQk3sbvq9ysXPlARqgL950H+0LtSiWnC+KEBK4KOgc83g6NynCE7zGZ9LJiKoT0mmt8BKaJKFRDVob3nlYR3/DDLEq2AkCoxYF0JFUNVta/wEF/likB61Yhsv01gNVMNcCfK9nzZVyTGNwdsFPdi4WL+KfkMgEcA0xrCtLXhkxnU8f3H8a7XcwJWr3fuSK1ndFwNxmfKlA+sRRKYBHouU8rpnC/HCxYsxF/palYxHv8KNcfGIRUBIgfgugsigzFcB5yz4lY73NiEyVEY9ZnBbbXllyX3ICoI/IboMQVUDyccRZiDAeHJ/v29pIsIihkmWIT2I1VqppXuVYgTydPM42CDBaKE7ko3p0CuZDyB2sZaS4XYUQlkRpX9ZARtcC/AQ== david'
+    roles:
+      - stats
+
+  - user: bebatut
+    key:
+      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC9itwmMTgcRCrwjO3RCke/NWJsRb3N5lUTF5fubw/V0PlSbFDuv7IMKp5hhFfhiOuVRMoXQBHnnOWWu1xd9jDqZKXmNGHg06JtnddQ/OVprZ6Dpu2g9pZ6uc4r1As94mvpICLVK9lNHPNA60sIwTsTRVFSb1VbXALI4iuLOxPLzIxhrZ1LouK19VWetJIQ/Uq8UalfTDr1KOyQQ/ZgjBeWdD5InSOl3sbPJZhGQLqSHIi0MVxH527CMnh1PQIxiD/vqX8SK7HaKvUZIHHzz5TFrUgrw7BkfRd04UIgr1OhnMf1E413yZdeQzJQV7C1CL9MbAThXX6Ruvs0Rg3ylazpYfwDifMWvqLeRoTCDUbGx94ySO/wzer/kcjpJ27iydNo+en/hImMYz7kktf6A3BzOYxFmOQvnQ9cChP+iuk7fTiQZS7Qtkz+axNIvwCkm7Hmgt7vYizHc+OAtKmzZFTHecozjxCXs9RwynnWpToheP3ZPYgOpKc7pkUngRSjXyc= bebatut@bebatut-ThinkPad-T14-Gen-1'
+    roles:
+      - stats
+
+  - user: catherine
+    key:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFH54+qZEBeU5uwIeWWOViLcC509qxoRW6oN0VHRQr4r nate'
+    roles:
+      - stats
+
+  - user: jdavcs
+    key:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPzm/ZHp+16Oz/5TbQkJZMC5yvp/C3OfvgOlRWqEX/Fc [email protected]'
+    roles:
+      - stats
+
+  - user: marius
+    key:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGQxOm1ZlWT4k8+wK9QXSY4Obb/kz7CR7u89XWCJcqW [email protected]'
+    roles:
+      - stats

hosts

@@ -124,3 +124,6 @@ sn12.galaxyproject.eu
 
 [osiris]
 osiris.denbi.de ansible_ssh_user=rocky
+
+[test-ssh]
+sn09.galaxyproject.eu

roles/ssh-manager/tasks/apply_keys_to_user.yml

@@ -0,0 +1,53 @@
+---
+- name: "Check if user {{ target_user }} exists on target host"
+  ansible.builtin.set_fact:
+    user_exists: "{{ target_user in (getent_passwd_result.ansible_facts.getent_passwd | default({})).keys() }}"
+  delegate_to: "{{ target_host | default(omit) }}"
+
+- name: "Get home directory for user {{ target_user }}"
+  ansible.builtin.set_fact:
+    user_home_dir: "{{ getent_passwd_result.ansible_facts.getent_passwd[target_user][4] }}"
+  when: user_exists | bool
+  delegate_to: "{{ target_host | default(omit) }}"
+
+- name: "Process user {{ target_user }}"
+  block:
+    - name: "Ensure .ssh directory exists for {{ target_user }}"
+      become: true
+      ansible.builtin.file:
+        path: "{{ user_home_dir }}/.ssh"
+        state: directory
+        owner: "{{ target_user }}"
+        group: "{{ getent_passwd_result.ansible_facts.getent_passwd[target_user][2] }}"
+        mode: '0700'
+      delegate_to: "{{ target_host | default(omit) }}"
+
+    - name: "Manage SSH keys for {{ target_user }} (exclusive)"
+      become: true
+      ansible.posix.authorized_key:
+        user: "{{ target_user }}"
+        key: "{{ user_keys_map[target_user] | join('\n') }}"
+        path: "{{ user_home_dir }}/.ssh/authorized_keys"
+        state: present
+        exclusive: true
+      delegate_to: "{{ target_host | default(omit) }}"
+      when: user_keys_map[target_user] | default([]) | length > 0
+
+    - name: "Ensure authorized_keys file exists even if no keys (for {{ target_user }})"
+      become: true
+      ansible.builtin.file:
+        path: "{{ user_home_dir }}/.ssh/authorized_keys"
+        state: touch
+        owner: "{{ target_user }}"
+        group: "{{ getent_passwd_result.ansible_facts.getent_passwd[target_user][2] }}"
+        mode: '0600'
+      delegate_to: "{{ target_host | default(omit) }}"
+      when: user_keys_map[target_user] | default([]) | length == 0
+
+  when: 
+    - user_exists | bool
+
+- name: "Warning for non-existent user {{ target_user }}"
+  ansible.builtin.debug:
+    msg: "Warning: User {{ target_user }} does not exist on {{ target_host | default(inventory_hostname) }}, skipping"
+  when: not (user_exists | bool)

roles/ssh-manager/tasks/collect_role_keys.yml

@@ -0,0 +1,80 @@
+---
+- name: "Process role: {{ current_role.name }}"
+  ansible.builtin.debug:
+    msg: "Processing role {{ current_role.name }} for host {{ target_host | default(inventory_hostname) }}"
+
+- name: "Collect SSH keys for role: {{ current_role.name }}"
+  ansible.builtin.set_fact:
+    role_keys: >-
+      {{ ssh_users
+         | selectattr('roles', 'contains', current_role.name)
+         | map(attribute='key')
+         | flatten
+         | reject('match', '^https?://')
+         | list }}
+  delegate_to: "{{ target_host | default(omit) }}"
+
+- name: "Collect SSH keys from URLs for role: {{ current_role.name }}"
+  ansible.builtin.set_fact:
+    role_url_keys: >-
+      {{ ssh_users
+         | selectattr('roles', 'contains', current_role.name)
+         | map(attribute='key')
+         | flatten
+         | select('match', '^https?://')
+         | list }}
+  delegate_to: "{{ target_host | default(omit) }}"
+
+
+
+- name: "Fetch keys from URLs for role: {{ current_role.name }}"
+  ansible.builtin.set_fact:
+    fetched_keys: >-
+      {{ fetched_keys | default([]) + (
+           lookup('url', item) 
+           | default('') 
+           | replace(',', '\n')
+           | split('\n') 
+           | map('trim') 
+           | reject('equalto', '') 
+           | select('match', '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-|[email protected]|sk-ecdsa-sha2-)') 
+           | list
+         ) }}
+  loop: "{{ role_url_keys | default([]) | unique }}"
+  when: role_url_keys | default([]) | length > 0
+  delegate_to: "{{ target_host | default(omit) }}"
+
+
+
+- name: "Combine all keys for role: {{ current_role.name }}"
+  ansible.builtin.set_fact:
+    all_role_keys: >-
+      {{ (role_keys | default([])) + (fetched_keys | default([])) 
+         | map('trim') 
+         | reject('equalto', '') 
+         | unique 
+         | list }}
+  delegate_to: "{{ target_host | default(omit) }}"
+
+
+
+- name: "Add role keys to each target user in user_keys_map"
+  ansible.builtin.set_fact:
+    user_keys_map: >-
+      {{ user_keys_map | combine({
+           item: (user_keys_map.get(item, []) + all_role_keys) | unique | list
+         }) }}
+  loop: "{{ current_role.users }}"
+  when: 
+    - current_role.users is defined
+    - current_role.users | length > 0
+    - all_role_keys | length > 0
+  delegate_to: "{{ target_host | default(omit) }}"
+
+- name: "Reset variables for next role"
+  ansible.builtin.set_fact:
+    role_keys: []
+    role_url_keys: []
+    fetched_keys: []
+    all_role_keys: []
+  delegate_to: "{{ target_host | default(omit) }}"

roles/ssh-manager/tasks/main.yml

@@ -0,0 +1,47 @@
+#SPDX-License-Identifier: MIT-0
+---
+- name: Get passwd database on target to find user home directories
+  ansible.builtin.getent:
+    database: passwd
+  register: getent_passwd_result
+  delegate_to: "{{ target_host | default(omit) }}"
+
+- name: Find applicable SSH roles for current target host
+  ansible.builtin.set_fact:
+    applicable_roles: >-
+      {{ ssh_roles
+         | selectattr('hosts', 'contains', target_host | default(inventory_hostname))
+         | list }}
+  delegate_to: "{{ target_host | default(omit) }}"
+
+- name: Initialize user_keys_map
+  ansible.builtin.set_fact:
+    user_keys_map: {}
+  delegate_to: "{{ target_host | default(omit) }}"
+
+- name: Collect all target users from applicable roles
+  ansible.builtin.set_fact:
+    all_target_users: >-
+      {{ applicable_roles
+         | map(attribute='users')
+         | flatten
+         | unique
+         | list }}
+  delegate_to: "{{ target_host | default(omit) }}"
+
+- name: Process each applicable role to collect keys per user
+  ansible.builtin.include_tasks: collect_role_keys.yml
+  loop: "{{ applicable_roles }}"
+  loop_control:
+    loop_var: current_role
+  when: applicable_roles | length > 0
+
+- name: Apply collected keys to each target user
+  ansible.builtin.include_tasks: apply_keys_to_user.yml
+  loop: "{{ all_target_users }}"
+  loop_control:
+    loop_var: target_user
+  when:
+    - all_target_users | length > 0
+    - target_user in user_keys_map
+    - user_keys_map[target_user] | length > 0

test-ssh.yml

@@ -0,0 +1,22 @@
+---
+# ansible-playbook test-ssh.yml --check --diff
+# it should output the changes to the authorized_keys file
+- hosts: localhost
+  gather_facts: false
+  vars_files:
+    - group_vars/ssh.yml
+
+  pre_tasks:
+    - name: Get all hosts matching the pattern
+      delegate_to: localhost
+      ansible.builtin.set_fact:
+        matched_hosts: "{{ query('inventory_hostnames', 'test-ssh') }}"
+      run_once: true
+
+  tasks:
+    - name: Run ssh-manager role for each matched host
+      ansible.builtin.include_role:
+        name: ssh-manager
+      loop: "{{ matched_hosts }}"
+      loop_control:
+        loop_var: target_host