Merge branch 'archusers-support-staff' into 'master'

Support creating support-staff accounts on mail.al.org for mail + create user for klausenbusk and denisse See merge request !430

Merge branch 'archusers-support-staff' into 'master'
Support creating support-staff accounts on mail.al.org for mail + create user for klausenbusk and denisse See merge request !430
bb5ce6ef · Kristian Klausen · 0d2c553d · ba9bda23 · bb5ce6ef · bb5ce6ef
Commit bb5ce6ef authored Jul 04, 2021 by Kristian Klausen 🎉
--- a/group_vars/all/archusers.yml
+++ b/group_vars/all/archusers.yml
@@ -7,6 +7,7 @@ arch_groups:
  - multilib
  - archboxes-sudo
  - docker-image-sudo
+  - support-staff
 arch_users:
  alertmanager:
@@ -149,6 +150,13 @@ arch_users:
      - dev
      - tu
      - multilib
+  denisse:
+    name: "Andrea Denisse Gómez-Martínez"
+    ssh_key: denisse.pub
+    hosts:
+      - mail.archlinux.org
+    groups:
+      - support-staff
  diabonas:
    name: "Jonas Witschel"
    ssh_key: diabonas.pub
@@ -322,6 +330,17 @@ arch_users:
    groups:
      - tu
      - multilib
+  klausenbusk:
+    name: "Kristian Klausen"
+    ssh_key: klausenbusk.pub
+    hosts:
+      - mail.archlinux.org
+    groups:
+      - support-staff
+    additional_ssh_keys:
+      - name: klausenbusk_2.pub
+        hosts:
+          - all
  lcarlier:
    name: "Laurent Carlier"
    ssh_key: lcarlier.pub

--- a/pubkeys/denisse.pub
+++ b/pubkeys/denisse.pub
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKo2Uddwkt9dx+V4UO9AnP0RIKqkfqOEx1osQszQpzK1 andrea@youdu
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGTMR5HHwFsKQWlvAk4UGhYxiB15dHY5pPoVufBSPNDF andrea@diyu
--- a/roles/archusers/tasks/main.yml
+++ b/roles/archusers/tasks/main.yml
@@ -4,6 +4,11 @@
  group: name="{{ item }}" state=present system=no
  with_items: "{{ arch_groups }}"
+- name: filter arch_users for users with non-matching hosts
+  set_fact: arch_users_filtered="{{ (arch_users_filtered | default([])) + [ item ] }}"
+  when: item.value.hosts is not defined or inventory_hostname in item.value.hosts
+  with_dict: "{{ arch_users }}"
 - name: create Arch Linux-specific users
  user:
    name: "{{ item.key }}"
@@ -14,21 +19,21 @@
    password: ""
    update_password: on_create
    state: present
-  with_dict: "{{ arch_users }}"
+  loop: "{{ arch_users_filtered }}"
 - name: create .ssh directory
  file: path=/home/{{ item.key }}/.ssh state=directory owner={{ item.key }} group=users mode=0700
-  with_dict: "{{ arch_users }}"
+  loop: "{{ arch_users_filtered }}"
 - name: configure ssh keys
  template: src=authorized_keys.j2 dest=/home/{{ item.key }}/.ssh/authorized_keys owner={{ item.key }} group=users mode=0600
  when: item.value.ssh_key is defined
-  with_dict: "{{ arch_users }}"
+  loop: "{{ arch_users_filtered }}"
 - name: remove ssh keys if undefined
  file: path=/home/{{ item.key }}/.ssh/authorized_keys state=absent
  when: item.value.ssh_key is not defined
-  with_dict: "{{ arch_users }}"
+  loop: "{{ arch_users_filtered }}"
 - name: get list of remote users
  find: paths="/home" file_type="directory"
@@ -37,5 +42,5 @@
  # TODO: this removes the keys of svn-packages and svn-community on gemini temporarily. add some form of whitelist for those users?
 - name: disable ssh keys of disabled users
  file: path="/home/{{ item }}/.ssh/authorized_keys" state=absent
-  when: item not in arch_users
+  when: item not in (arch_users_filtered | map(attribute='key'))
  with_items: "{{ all_users.files | map(attribute='path') | map('basename') | list }}"