Skip to content

Centralized SSH key management #1673

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kysrpex merged 55 commits into from
Dec 4, 2025
Merged

Centralized SSH key management #1673

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
55 commits
Select commit Hold shift + click to select a range
0075f27
first draft
gsaudade99 Oct 15, 2025
b4f375e
add missing role
gsaudade99 Oct 15, 2025
57944c6
refactor role-based access
gsaudade99 Oct 20, 2025
09d3c7f
adding quotes to user galaxy key
gsaudade99 Oct 20, 2025
b59df72
hardned pitfall + more changes related to the conversation
gsaudade99 Oct 22, 2025
d2074f4
fix task name
gsaudade99 Oct 22, 2025
a845b2e
Update group_vars/ssh.yml
gsaudade99 Oct 24, 2025
ea52293
Update group_vars/ssh.yml
gsaudade99 Oct 24, 2025
c6f1909
Rename playbook test-ssh.yml to all.yml
kysrpex Oct 27, 2025
bbc6f6e
Apply `ssh-manager` role to all hosts
kysrpex Oct 27, 2025
2e84023
Use a folder to store group vars that apply to all hosts
kysrpex Oct 27, 2025
fcf4910
Move SSH keys manager vars file to group_vars/all/ssh-keys.yml
kysrpex Oct 27, 2025
fd21843
Use Ansible's inventory_hostnames lookup to match roles to hosts
kysrpex Oct 27, 2025
bb0bf88
Remove `delegate_to: "{{ target_host | default(omit) }}"` statements
kysrpex Oct 27, 2025
78f89ec
Use `~` to refer to the user's home directory when applying SSH keys
kysrpex Oct 27, 2025
4b83cf4
revert role base access to user base access
gsaudade99 Oct 31, 2025
5e46b50
migrate to j2 and dict
gsaudade99 Nov 3, 2025
7b560f1
Revert changes to .gitignore
kysrpex Nov 3, 2025
3f4a611
Merge branch 'master' into feat/ssh-key-managment
kysrpex Nov 3, 2025
d81a23b
rm ssh_unix_users + skip users wihtout authorized_keys
gsaudade99 Nov 3, 2025
e57454d
Namespace variables for role `ssh-manager`
kysrpex Nov 4, 2025
7231e1d
Update group_vars/all/ssh-keys.yml
gsaudade99 Nov 4, 2025
5bc6c69
Update group_vars/all/ssh-keys.yml
gsaudade99 Nov 4, 2025
d0fda49
Update group_vars/all/ssh-keys.yml
gsaudade99 Nov 4, 2025
2daca36
Update group_vars/all/ssh-keys.yml
gsaudade99 Nov 4, 2025
92d4c70
Update group_vars/all/ssh-keys.yml
gsaudade99 Nov 4, 2025
1db9d3a
migrate ssh-manager to independent repo
gsaudade99 Nov 6, 2025
a07df90
Update authorized persons and encrypt their public keys
kysrpex Nov 10, 2025
46e63d5
Merge branch 'master' into feat/ssh-key-managment
kysrpex Nov 10, 2025
7a3378f
Update usegalaxy_eu.ssh_manager to version 0.0.2
kysrpex Nov 10, 2025
a79e928
Merge remote-tracking branch 'gsaudade99/feat/ssh-key-managment' into…
kysrpex Nov 10, 2025
a5930e0
Remove operator UNIX user from authorized persons
kysrpex Nov 11, 2025
03e7462
Use branch `shared_home_directory` of usegalaxy_eu.ssh_manager tempor…
kysrpex Nov 11, 2025
763c8b4
Revert "Use branch `shared_home_directory` of usegalaxy_eu.ssh_manage…
kysrpex Nov 11, 2025
5a02de0
Trust SSH host keys of both Jenkins workers
kysrpex Nov 14, 2025
2d1d251
Verify the usegalaxy.eu SSH cert authority signature for ``*.bi.priva…
kysrpex Nov 14, 2025
a32073b
Verify the usegalaxy.eu SSH cert authority signature for the TPV brok…
kysrpex Nov 14, 2025
d591222
Trust sn10 SSH host key
kysrpex Nov 14, 2025
4a1de84
Trust sn12 SSH host key
kysrpex Nov 14, 2025
028691d
Trust osiris SSH host key
kysrpex Nov 14, 2025
69e64b9
Trust dnbd3-primary SSH host key
kysrpex Nov 14, 2025
f27b481
Set apps Ansible port to 8080
kysrpex Nov 27, 2025
adb2ffc
Add ubuntu UNIX user to authorized persons
kysrpex Nov 27, 2025
af64aac
Trust apps SSH host key
kysrpex Nov 27, 2025
7adac48
Remove sn05 from inventory
kysrpex Dec 4, 2025
2a8b233
Trust upload SSH host key
kysrpex Dec 4, 2025
263307b
Fix indentation for playbook all.yml
kysrpex Dec 4, 2025
b823dd6
Remove Galaxy test host from inventory
kysrpex Dec 4, 2025
0a2fad3
Remove deNBI CVMFS test host from inventory
kysrpex Dec 4, 2025
508957b
Change hostname for beacon host
kysrpex Dec 4, 2025
d38b28f
Remove telescope host from inventory
kysrpex Dec 4, 2025
3b27073
Trust beacon SSH host key
kysrpex Dec 4, 2025
d4931a7
Update group_vars/all/ssh-keys.yml
mira-miracoli Dec 4, 2025
f7916b7
Apply suggestion from @mira-miracoli
mira-miracoli Dec 4, 2025
d3278fe
Use GitHub handles for Bernd and Paul in ssh-keys.yml (and vault file)
kysrpex Dec 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
73 changes: 73 additions & 0 deletions group_vars/ssh.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
---

ssh_users:
- user: galaxy
key:
- {{ galaxy_user_public_key }}
roles: [{{ galaxy_user.name }}]

- user: bgruening
key:
- https://github.com/bgruening.keys
roles: [root,stats,centos, {{ galaxy_user.name }}]

- user: mira-miracolu
key:
- https://github.com/mira-miracolu.keys
roles: [root,stats,centos, {{ galaxy_user.name }}]

- user: dominguj
Copy link
Contributor

@mira-miracoli mira-miracoli Oct 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- user: dominguj
- user: kysrpex

If this is referencing to GH user handles this would be @kysrpex

Copy link
Contributor Author

@gsaudade99 gsaudade99 Oct 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Its more for identification purposes. Its not used in playbook (:

Copy link
Contributor

@kysrpex kysrpex Oct 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed, this name is not even used in the playbook.

Imo this field should contain something that can be easily traced to a person and a full name would do wonders (after all, our full names are all already here https://usegalaxy-eu.github.io/people).

key:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINZNuF25HySp311FKtDW9lDKUGslH6PGIap1eYniaPsC [email protected]'
roles: [root,stats,centos,{{ galaxy_user.name }}]

- user: gsaudade
key:
- '[email protected] AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAXgFT+ynWEgCCAKepVgkSHauy+mLo+KlIGIIj0dkAXeAAAABHNzaDo= [email protected]'
roles: [root,stats,centos,{{ galaxy_user.name }}]

- user: nate
key:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFH54+qZEBeU5uwIeWWOViLcC509qxoRW6oN0VHRQr4r nate'
roles: [stats,{{ galaxy_user.name }}]

- user: wm75
key:
- https://github.com/wm75.keys
roles: [{{ galaxy_user.name }}]

- user: videmp
key:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApcUIRRUHl0wVVXz5GX1QnHSq9+nThIKKH3fYM21LfW1n6gGvC7UiCCaDZQUbejJTq3EITbH3J6/Tji2jGAIJ6Xzn0Jf7sQ1yON/dO/75To32Jdo8YWS7XQeA7lU9heSc7FM5yKIBJN7PrpnYAveCsOE/1kkfUSsBZsqj9yyoFe/tquoVm5Y3nFZfKJv7/gszSVkzNxhHvn+0ccClRLpnFUHjqXgXHIQCm7P/9Lf7unSoYRd9Iefwgp52Lcm6AIncQvz5tdAFD2WciP4J15EFPMTKPdc6tfT5Tis/+/oNfYlsnaIGrbV5Hc2909KiYnvuvqKcrSFloXWzAdXJOxhszw== [email protected]'
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8/9GdD96Xfc0MavIJQEuNSIrOlaBSYkH4s5RyGhNnc8Al7x3hC7KXt/mcqyNoI1JTvrXp23aDpTr67e3Dnrp6Me7z8nyY9oIy5WHOgwG2ra1Ga8oi89MVgXPhtxvcYnk8hVfuPDmhWkgwS5ILH/7V/1hEKHcS0H7Q0pJp8EGCBDFWrxNfUWqJJuVcXb11CMnaSJX/VhD+S4g4rG01lMr696+k8eKs9y2sq9JpuUD1TNN16RYu1uVlVz8nhIPbEBsnFeKV+EYKLcSRQnjDTNjWqZHHM9NMWfK3wGvr5pfla158ZdsYQTmQtcchTsEoB+7eAQaER3XsEtuo8yQj4zbL videmp@work'
roles: [stats]

- user: paul
key:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCtMvCQL1Xw/DrzO/U4nfyIL6CE63apSXHjQByWK+vWpfNkBjMh4uwQl6SzWvCn6y7tlMko1P6BG9bVDkWLLjC/kL+ds+FXDwUyLmRcfyhkortBVMWrZO3ZSSimpFugPDcfUeh+iim/Jg2CY1geVmlA9bybY8k0hGTKa5rn9KzbLCoZdsR1c9627PAefV9lr7xTHMamWsG0cIYjkOBqZM85Yw9huftUGZi1SAALjiG3k57XFswZcHrvZkE/L5Q5uU9NC0KYVapzG9PYmgU+O40Oi82PB4C6SWoOM0MG39AIS4DU7DstF3mrl2M/6crbcHIfVTB+GCQI2U9CzfvlhA6qQu+xlAc4ZX/rXeYZvNW6QtU1vvUcL95wSrPyXlqlSA6o/0T0EP8e2LG2JpNtzorcLrj010fWdpH1jY/c9ZACYNmCPuUTD/ASt5FXCqPR0WJnf4Mle10ALmghsbm7vLXQUKDcQSC4bJKpgzdFT2ocmk9jiGqCq3hivSVmR6OvHok= paul@paul-LIFEBOOK-U7410'
roles: [stats]

- user: david
key:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCoWkk57x20iE5Wf0cDX3QvkJf/XxO4wqIeZIPIosK7rFcvy/SvDF/mwQk4iQrQ7qDam35NFHrFden+5zoE5HJoRVeHYhqNaItmiMNBY9CqgITCXsD2j9/6NdzIcR66uzLHDVvLlXr2hJmrNoeGTzg94+EVtQ0/BARwffAq//2WzgG4oClgYE4RqahQRXbmBygf4g4BAbEb5JnsLJ3qqnhsAgcUYyXg7/dz36QVsvoTwChMMCXDJpPyNb1+PqOKAgl7+yZQiPD0yI5zZG+iF6dsvc6Dhscpmt0nOjr4h+o97wQk3sbvq9ysXPlARqgL950H+0LtSiWnC+KEBK4KOgc83g6NynCE7zGZ9LJiKoT0mmt8BKaJKFRDVob3nlYR3/DDLEq2AkCoxYF0JFUNVta/wEF/likB61Yhsv01gNVMNcCfK9nzZVyTGNwdsFPdi4WL+KfkMgEcA0xrCtLXhkxnU8f3H8a7XcwJWr3fuSK1ndFwNxmfKlA+sRRKYBHouU8rpnC/HCxYsxF/palYxHv8KNcfGIRUBIgfgugsigzFcB5yz4lY73NiEyVEY9ZnBbbXllyX3ICoI/IboMQVUDyccRZiDAeHJ/v29pIsIihkmWIT2I1VqppXuVYgTydPM42CDBaKE7ko3p0CuZDyB2sZaS4XYUQlkRpX9ZARtcC/AQ== david'
roles: [stats]

- user: bebatut
key:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC9itwmMTgcRCrwjO3RCke/NWJsRb3N5lUTF5fubw/V0PlSbFDuv7IMKp5hhFfhiOuVRMoXQBHnnOWWu1xd9jDqZKXmNGHg06JtnddQ/OVprZ6Dpu2g9pZ6uc4r1As94mvpICLVK9lNHPNA60sIwTsTRVFSb1VbXALI4iuLOxPLzIxhrZ1LouK19VWetJIQ/Uq8UalfTDr1KOyQQ/ZgjBeWdD5InSOl3sbPJZhGQLqSHIi0MVxH527CMnh1PQIxiD/vqX8SK7HaKvUZIHHzz5TFrUgrw7BkfRd04UIgr1OhnMf1E413yZdeQzJQV7C1CL9MbAThXX6Ruvs0Rg3ylazpYfwDifMWvqLeRoTCDUbGx94ySO/wzer/kcjpJ27iydNo+en/hImMYz7kktf6A3BzOYxFmOQvnQ9cChP+iuk7fTiQZS7Qtkz+axNIvwCkm7Hmgt7vYizHc+OAtKmzZFTHecozjxCXs9RwynnWpToheP3ZPYgOpKc7pkUngRSjXyc= bebatut@bebatut-ThinkPad-T14-Gen-1'
roles: [stats]

- user: catherine
key:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFH54+qZEBeU5uwIeWWOViLcC509qxoRW6oN0VHRQr4r nate'
roles: [stats]

- user: jdavcs
key:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPzm/ZHp+16Oz/5TbQkJZMC5yvp/C3OfvgOlRWqEX/Fc [email protected]'
roles: [stats]

- user: marius
key:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGQxOm1ZlWT4k8+wK9QXSY4Obb/kz7CR7u89XWCJcqW [email protected]'
roles: [stats]
28 changes: 28 additions & 0 deletions roles/ssh-manager/tasks/fetch_user_keys_from_urls.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
---

- name: Initialize user_keys_map entry for {{ user_account }} if missing
ansible.builtin.set_fact:
user_keys_map: "{{ user_keys_map | default({}) | combine({ user_account: (user_keys_map[user_account] | default([])) }) }}"
delegate_to: "{{ target_host | default(omit) }}"

- name: Loop over user's URL list and append fetched keys
ansible.builtin.set_fact:
user_keys_map: >-
{{
user_keys_map
| default({})
| combine({
user_account: (
(user_keys_map[user_account] | default([]))
+ (
lookup('url', url_item)
| default('')
| split(',')
)
)
})
}}
loop: "{{ user_url_list }}"
loop_control:
loop_var: url_item
delegate_to: "{{ target_host | default(omit) }}"
80 changes: 80 additions & 0 deletions roles/ssh-manager/tasks/generic.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
---

- name: Compute non-root role accounts
ansible.builtin.set_fact:
non_root_role_accounts: >-
{{ ssh_users
| map(attribute='roles')
| flatten
| reject('equalto', 'root')
| unique
| list }}
delegate_to: "{{ target_host | default(omit) }}"

- name: Get passwd database on target
ansible.builtin.getent:
database: passwd
register: getent_passwd_result
delegate_to: "{{ target_host | default(omit) }}"

- name: Compute existing non-root role accounts
ansible.builtin.set_fact:
existing_role_accounts: >-
{{ non_root_role_accounts
| intersect((getent_passwd_result.ansible_facts.getent_passwd | default({})).keys() | list) }}
delegate_to: "{{ target_host | default(omit) }}"

- name: Ensure .ssh directory exists
become: true
ansible.builtin.file:
path: "/home/{{ item }}/.ssh"
state: directory
owner: "{{ item }}"
group: "{{ item }}"
mode: '0700'
loop: "{{ existing_role_accounts }}"
delegate_to: "{{ target_host | default(omit) }}"

- name: Initialize user_keys_map with non-https keys for each existing account
ansible.builtin.set_fact:
user_keys_map: >-
{{ user_keys_map | default({}) | combine({
item: (
ssh_users
| selectattr('roles','contains', item)
| map(attribute='key')
| flatten
| reject('match','^https?://')
| list
)
}) }}
loop: "{{ existing_role_accounts }}"
delegate_to: "{{ target_host | default(omit) }}"

- name: Fetch and append keys from https:// URLs per user
include_tasks: fetch_user_keys_from_urls.yml
loop: "{{ existing_role_accounts }}"
loop_control:
loop_var: user_account
vars:
user_url_list: >-
{{ ssh_users
| selectattr('roles','contains', user_account)
| map(attribute='key')
| flatten
| select('match','^https?://')
| list }}
when: user_url_list | length > 0

- name: Deduplicate keys and write authorized_keys for each user
become: true
vars:
keys_for_user: "{{ (user_keys_map[item] | default([])) | map('trim') | reject('equalto','') | unique | list }}"
ansible.builtin.copy:
dest: "/home/{{ item }}/.ssh/authorized_keys"
content: "{{ keys_for_user | join('\n') + (keys_for_user | length > 0 and '\n' or '') }}"
owner: "{{ item }}"
group: "{{ item }}"
mode: '0600'
loop: "{{ existing_role_accounts }}"
delegate_to: "{{ target_host | default(omit) }}"
7 changes: 7 additions & 0 deletions roles/ssh-manager/tasks/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
#SPDX-License-Identifier: MIT-0
---
- name: Include SSH Keys for root users
ansible.builtin.include_tasks: root.yml

- name: Include SSH Keys for other role users
ansible.builtin.include_tasks: generic.yml
54 changes: 54 additions & 0 deletions roles/ssh-manager/tasks/root.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
# fixed tasks for root account management
- name: Ensure .ssh directory exists for root
become: true
ansible.builtin.file:
path: /root/.ssh
state: directory
owner: root
group: root
mode: '0700'
delegate_to: "{{ target_host | default(omit) }}"

- name: Add Keys to Github
become: false
ansible.builtin.set_fact:
root_keys_list: >-
{{ ssh_users
| selectattr('roles','contains','root')
| map(attribute='key')
| flatten
| reject('match', '^https://')
| list }}
delegate_to: "{{ target_host | default(omit) }}"

- name: Append keys fetched from Github
become: false
ansible.builtin.set_fact:
root_keys_list: >-
{{
root_keys_list +
(
lookup('url', item)
| default('')
| split(',')
)
}}
loop: "{{ ssh_users | selectattr('roles','contains','root') | map(attribute='key') | flatten | select('match','^https://') | list }}"
when: (ssh_users | selectattr('roles','contains','root') | map(attribute='key') | flatten | select('match','^https://') | list) | length > 0
delegate_to: "{{ target_host | default(omit) }}"

- name: Deduplicate root_keys_list
become: false
ansible.builtin.set_fact:
root_keys_list: "{{ root_keys_list | default([]) | unique | list }}"
delegate_to: "{{ target_host | default(omit) }}"

- name: Write /root/.ssh/authorized_keys
become: true
ansible.builtin.copy:
dest: /root/.ssh/authorized_keys
content: "{{ (root_keys_list | default([])) | join('\n') + (root_keys_list | length > 0 and '\n' or '') }}"
owner: root
group: root
mode: '0600'
delegate_to: "{{ target_host | default(omit) }}"
Loading