From 93710958734c163fa51c6b652eca3a938b9df57e Mon Sep 17 00:00:00 2001 From: Christian Berendt Date: Thu, 21 Sep 2023 10:14:37 +0200 Subject: [PATCH] operator: add operator_authorized_github_accounts parameter Supports a list of Github accounts from which the public keys are added to the authorized keys. Related to SovereignCloudStack/issues#433 Signed-off-by: Christian Berendt --- roles/operator/README.rst | 7 ++++++- roles/operator/defaults/main.yml | 1 + roles/operator/tasks/main.yml | 7 +++++++ 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/roles/operator/README.rst b/roles/operator/README.rst index e690c1cc..cf783056 100644 --- a/roles/operator/README.rst +++ b/roles/operator/README.rst @@ -30,7 +30,12 @@ The default shell for the operator. .. zuul:rolevar:: operator_authorized_keys :default: [] -A list of ssh authorized keys to add. +List of SSH public keys to add to the authorized keys for the operator account. + +.. zuul:rolevar:: operator_authorized_github_accounts + :default: [] + +List of Github accounts from which the SSH public keys are added to the authorized keys. .. zuul:rolevar:: operator_password diff --git a/roles/operator/defaults/main.yml b/roles/operator/defaults/main.yml index 608f0ec3..c903c93f 100644 --- a/roles/operator/defaults/main.yml +++ b/roles/operator/defaults/main.yml @@ -8,6 +8,7 @@ operator_group_id: 45000 operator_shell: /bin/bash operator_authorized_keys: [] +operator_authorized_github_accounts: [] # NOTE: Use "mkpasswd --method=sha-512" to generate a password # operator_password: diff --git a/roles/operator/tasks/main.yml b/roles/operator/tasks/main.yml index 4b36312e..64b38851 100644 --- a/roles/operator/tasks/main.yml +++ b/roles/operator/tasks/main.yml 
@@ -65,6 +65,13 @@ loop: "{{ operator_authorized_keys }}" no_log: true +- name: Set authorized github accounts + become: true + ansible.posix.authorized_key: + key: "{{ lookup('url', 'https://github.com/' + item + '.keys', split_lines=False) }}" + user: "{{ operator_user }}" + loop: "{{ operator_authorized_github_accounts }}" + - name: Set password of operator user become: true ansible.builtin.user:
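Review bot: The `item` value is concatenated straight into the URL path in the `key:` lookup of the new "Set authorized github accounts" task, so a list entry containing `/`, `?` or `..` would fetch keys from some other github.com path than `<account>.keys`; an `ansible.builtin.assert` on `^[A-Za-z0-9-]+$` before the loop would reject anything that is not a plain account name. The installed keys also carry no marker of where they came from, which makes a later audit of `authorized_keys` hard; `ansible.posix.authorized_key` has a `comment` parameter for exactly this case, e.g. `comment: "github:{{ item }}"`. Since `exclusive` is not set, keys later removed from the GitHub account stay on the host, and an account with no keys presumably yields an empty `key` string that the module may reject — both are worth a sentence in the README, as is the fact that the lookup runs on the controller and aborts the play when github.com is unreachable. Style: the task name spells `github` in lower case while the README hunk uses `Github`; `GitHub` in both would be consistent.
```yaml
- name: Validate GitHub account names
  ansible.builtin.assert:
    that: item is match('^[A-Za-z0-9-]+$')
    fail_msg: "not a plain GitHub account name: {{ item }}"
  loop: "{{ operator_authorized_github_accounts }}"

- name: Set authorized github accounts
  # … unchanged: become, ansible.posix.authorized_key key/user …
    comment: "github:{{ item }}"
  # … unchanged: loop …
```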