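---
# Rotate the SSH authorized_keys of the accounts listed in
# debian_ssh_rotation_users. Every entry is a mapping:
#   name:  account name; also used as owner/group of ~/.ssh and its files
#   home:  home directory of the account
#   state: 'present' (default) or 'absent'
#   keys:  list of SSH public-key lines; required when state is 'present'
#
# The key list is read as item['keys'], not item.keys: Jinja2 resolves
# item.keys to the dict method `keys` before it looks at the dict entry,
# so item.keys is always "defined", has no length and cannot be iterated.

- name: Validate SSH key rotation inputs
  ansible.builtin.assert:
    that:
      - item.name is defined
      - item.home is defined
      - (item.state | default('present')) in ['present', 'absent']
      # A bare string would pass a length check but be rendered one
      # character per line, so keys must be a non-string, non-empty
      # collection for accounts that stay present.
      - >-
        (item.state | default('present')) == 'absent' or
        (item['keys'] is defined and item['keys'] is not string
         and item['keys'] | length > 0)
    fail_msg: >-
      Each entry in debian_ssh_rotation_users must include name, home, and either:
      state=absent, or keys with at least one SSH public key (as a list).
  loop: "{{ debian_ssh_rotation_users }}"
  loop_control:
    # Keep the per-item output short and usable even for malformed entries.
    label: "{{ item.name | default('unknown') }}"

- name: Ensure ~/.ssh exists for managed users
  ansible.builtin.file:
    path: "{{ item.home }}/.ssh"
    state: directory
    owner: "{{ item.name }}"
    group: "{{ item.name }}"
    # sshd refuses keys from a directory readable by others; quoted so
    # the octal mode is not parsed as a decimal integer.
    mode: "0700"
  loop: "{{ debian_ssh_rotation_users }}"
  loop_control:
    label: "{{ item.name }}"
  when: (item.state | default('present')) == 'present'

- name: Rotate authorized_keys for managed users
  ansible.builtin.copy:
    dest: "{{ item.home }}/.ssh/authorized_keys"
    owner: "{{ item.name }}"
    group: "{{ item.name }}"
    mode: "0600"
    # The file is replaced wholesale: only the keys listed for this run
    # remain authorized, one per line.
    content: |
      {% for key in item['keys'] %}
      {{ key }}
      {% endfor %}
  loop: "{{ debian_ssh_rotation_users }}"
  loop_control:
    label: "{{ item.name }}"
  when: (item.state | default('present')) == 'present'

- name: Remove authorized_keys for users marked absent
  ansible.builtin.file:
    path: "{{ item.home }}/.ssh/authorized_keys"
    state: absent
  loop: "{{ debian_ssh_rotation_users }}"
  loop_control:
    label: "{{ item.name }}"
  when: (item.state | default('present')) == 'absent'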