diff --git a/group_vars/all/archusers.yml b/group_vars/all/archusers.yml
index e9bed79a612cbae26d8596f4d502c53623b96657..34eb37350f5c56700c65ade8cdb56507a3970055 100644
--- a/group_vars/all/archusers.yml
+++ b/group_vars/all/archusers.yml
@@ -7,6 +7,7 @@ arch_groups:
 - multilib
 - archboxes-sudo
 - docker-image-sudo
+ - support-staff
 
 arch_users:
 alertmanager:
@@ -149,6 +150,13 @@ arch_users:
 - dev
 - tu
 - multilib
+ denisse:
+ name: "Andrea Denisse Gómez-MartÃnez"
+ ssh_key: denisse.pub
+ hosts:
+ - mail.archlinux.org
+ groups:
+ - support-staff
 diabonas:
 name: "Jonas Witschel"
 ssh_key: diabonas.pub
@@ -322,6 +330,17 @@ arch_users:
 groups:
 - tu
 - multilib
+ klausenbusk:
+ name: "Kristian Klausen"
+ ssh_key: klausenbusk.pub
+ hosts:
+ - mail.archlinux.org
+ groups:
+ - support-staff
+ additional_ssh_keys:
+ - name: klausenbusk_2.pub
+ hosts:
+ - all
 lcarlier:
 name: "Laurent Carlier"
 ssh_key: lcarlier.pub
diff --git a/pubkeys/denisse.pub b/pubkeys/denisse.pub
new file mode 100644
index 0000000000000000000000000000000000000000..3e954a04f955d9fb2d0a66fde53add20d0dc8b05
--- /dev/null
+++ b/pubkeys/denisse.pub
@@ -0,0 +1,2 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKo2Uddwkt9dx+V4UO9AnP0RIKqkfqOEx1osQszQpzK1 andrea@youdu
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGTMR5HHwFsKQWlvAk4UGhYxiB15dHY5pPoVufBSPNDF andrea@diyu
diff --git a/roles/archusers/tasks/main.yml b/roles/archusers/tasks/main.yml
index dc069496af0d1f995f3026619722d49e1ab27cc7..595e2b2ec0023050271784e4e6332ee676fa9b5a 100644
--- a/roles/archusers/tasks/main.yml
+++ b/roles/archusers/tasks/main.yml
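Review bot: The `name:` value of the new `denisse:` entry reads `Gómez-MartÃnez`, and the `Ã` sequence looks like UTF-8 bytes re-read as Latin-1 while the `ó` a few characters earlier survived, so the string the `user` task receives for this account would carry the garbled form. If the intended spelling is `Martínez`, the line should be re-saved as UTF-8 in group_vars/all/archusers.yml; check the committed bytes rather than this rendering, since the corruption could also be an artifact of how the page was extracted. A cheap guard is an encoding check on group_vars in CI, because whatever is stored here ends up as account metadata on every host the user is created on.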
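Review bot: In the new `klausenbusk:` entry the second key under `additional_ssh_keys` is scoped to `hosts: - all` while the account itself is restricted to `mail.archlinux.org` by the top-level `hosts:`; with the host filter this commit adds in roles/archusers/tasks/main.yml the account only exists on mail.archlinux.org, so `all` cannot widen where the key is installed, but a reader comparing the two lists will assume it does. Naming the narrower host explicitly, or a comment such as `# per-key hosts are further limited by the account's own hosts list`, would make the intended scope unambiguous. How `additional_ssh_keys[].hosts` is consumed is decided in authorized_keys.j2, which is outside this diff, so the interaction is inferred rather than verified.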
@@ -4,6 +4,11 @@
 group: name="{{ item }}" state=present system=no
 with_items: "{{ arch_groups }}"
 
+- name: filter arch_users for users with non-matching hosts
+ set_fact: arch_users_filtered="{{ (arch_users_filtered | default([])) + [ item ] }}"
+ when: item.value.hosts is not defined or inventory_hostname in item.value.hosts
+ with_dict: "{{ arch_users }}"
+
 - name: create Arch Linux-specific users
 user:
 name: "{{ item.key }}"
@@ -14,21 +19,21 @@
 password: ""
 update_password: on_create
 state: present
- with_dict: "{{ arch_users }}"
+ loop: "{{ arch_users_filtered }}"
 
 - name: create .ssh directory
 file: path=/home/{{ item.key }}/.ssh state=directory owner={{ item.key }} group=users mode=0700
- with_dict: "{{ arch_users }}"
+ loop: "{{ arch_users_filtered }}"
 
 - name: configure ssh keys
 template: src=authorized_keys.j2 dest=/home/{{ item.key }}/.ssh/authorized_keys owner={{ item.key }} group=users mode=0600
 when: item.value.ssh_key is defined
- with_dict: "{{ arch_users }}"
+ loop: "{{ arch_users_filtered }}"
 
 - name: remove ssh keys if undefined
 file: path=/home/{{ item.key }}/.ssh/authorized_keys state=absent
 when: item.value.ssh_key is not defined
- with_dict: "{{ arch_users }}"
+ loop: "{{ arch_users_filtered }}"
 
 - name: get list of remote users
 find: paths="/home" file_type="directory"
@@ -37,5 +42,5 @@
 # TODO: this removes the keys of svn-packages and svn-community on gemini temporarily. add some form of whitelist for those users?
 - name: disable ssh keys of disabled users
 file: path="/home/{{ item }}/.ssh/authorized_keys" state=absent
- when: item not in arch_users
+ when: item not in (arch_users_filtered | map(attribute='key'))
 with_items: "{{ all_users.files | map(attribute='path') | map('basename') | list }}"
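Review bot: `arch_users_filtered` is only ever assigned inside the `when:`-guarded `set_fact`, so on a host where no `arch_users` entry matches (every entry carries a `hosts:` list that excludes it) the fact is never defined, and every `loop: "{{ arch_users_filtered }}"` in the second hunk as well as the `when:` in the last hunk then fails with an undefined-variable error instead of treating the user list as empty. Today at least one unscoped entry exists, so this is a latent rather than an active failure, but the consumers are cheap to harden: `loop: "{{ arch_users_filtered | default([]) }}"` on each of the four tasks and `when: item not in (arch_users_filtered | default([]) | map(attribute='key') | list)` on the final one. The switch from `with_dict` to `loop` stays behaviour-preserving because each accumulated `item` is the `key`/`value` pair `with_dict` produced, which the downstream `item.key` and `item.value` references rely on; a short comment above the `set_fact` saying so would save the next reader a trip through the loop plugin docs. The task name also says the opposite of what the `when:` keeps — something like `filter arch_users down to users scoped to this host` matches the condition.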
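Review bot: The new `when:` on the final task widens what "disabled" means: a home directory whose owner is still listed in `arch_users` but not scoped to this host via `hosts:` now also has its authorized_keys removed, which is the right least-privilege outcome but is not stated anywhere in the task; a comment such as `# users present in arch_users but not scoped to this host count as disabled here` above the task would record that deliberately. `map(attribute='key')` yields a lazy iterator and `not in` on it does work in Jinja2, but appending `| list`, as the `with_items:` line directly below already does, keeps the two expressions consistent and easier to inspect when debugging. The `# TODO` about svn-packages and svn-community on gemini is unaffected by the change and still applies.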