root_ssh: Support giving root access to only some hosts

ea9f114d · Kristian Klausen · Jelle van der Waa · 08a77ae3 · ea9f114d · ea9f114d
Commit ea9f114d authored 3 years ago by Kristian Klausen Committed by Jelle van der Waa 3 years ago
--- a/group_vars/all/root_access.yml
+++ b/group_vars/all/root_access.yml
@@ -13,13 +13,13 @@ sudo_users:

 # deploy tag 'root_ssh' when this changes
 root_ssh_keys:
-  - foutrelis.pub
-  - freswa.pub
-  - grazzolini.pub
-  - heftig.pub
-  - jelle.pub
-  - svenstaro.pub
-  - anthraxx.pub
+  - key: foutrelis.pub
+  - key: freswa.pub
+  - key: grazzolini.pub
+  - key: heftig.pub
+  - key: jelle.pub
+  - key: svenstaro.pub
+  - key: anthraxx.pub

 # run playbook 'playbooks/tasks/reencrypt-vault-key.yml' when this changes
 # before running it, make sure to gpg --lsign-key all of the below keys

--- a/roles/root_ssh/templates/authorized_keys.j2
+++ b/roles/root_ssh/templates/authorized_keys.j2
 #jinja2: lstrip_blocks: True
-{% for user in root_ssh_keys | sort -%}
-	{{ lookup('file', '../pubkeys/' + user) }}
+{% for user in root_ssh_keys | sort(attribute="key") -%}
+	{% if not user.hosts or inventory_hostname in user.hosts -%}
+		{{ lookup('file', '../pubkeys/' + user.key ) }}
+	{% endif %}
 {% endfor %}