From e9d602056350c7a020155d5344f09ed2d1e27344 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Wed, 5 Feb 2025 21:49:26 -0600
Subject: [PATCH] all: Set root authorized keys

The `root_authorized_keys` variable was originally defined only for the *pyrocufflink* group. This used to effectively be "all" machines, since everything was a member of the AD domain. Now that we're moving away from that deployment model, we still want to have the break-glass option, so we need to define the authorized keys for the _all_ group.
---
 group_vars/all.yml | 10 ++++++++++
 group_vars/pyrocufflink/main.yml | 9 ---------
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/group_vars/all.yml b/group_vars/all.yml
index 7a8480d..e82be4a 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,6 +1,16 @@
 ansible_become_method: community.general.doas
 ansible_become_password: unused
+root_authorized_keys: |
+ {% if ansible_distribution == "Fedora" and ansible_distribution_version|int >= 34 %}
+ sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINZCN2cxMDwedJ1Ke23Z3CZRcOYjqW8fFqsooRus7RK0AAAABHNzaDo= dustin@rosalina.pyrocufflink.blue
+ sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAB6xTCSNz+AcQCWcyVKs84tThXN4wpLgCo2Lc48L6EsAAAABHNzaDo= dustin@luma.pyrocufflink.blue
+ {% else %}
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsL5fSylmiJmBtW0DH/viAAmtU2E/2M17GPvysiyRs+ dustin@rosalina
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBw1T18jnBfR5reKAACOs/LMcs+jbclj6Eh8z56kJE7+ dustin@luma
+ {% endif %}
+
+
 managed_users:
 - name: dustin
 comment: Dustin C. Hatch
diff --git a/group_vars/pyrocufflink/main.yml b/group_vars/pyrocufflink/main.yml
index 0ace68b..f397d9e 100644
--- a/group_vars/pyrocufflink/main.yml
+++ b/group_vars/pyrocufflink/main.yml
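Review bot: In the `group_vars/all.yml` hunk, the `{% else %}` branch of `root_authorized_keys` now covers every host that is not Fedora 34 or newer, so those hosts trust the plain `ssh-ed25519` keys for root instead of the `sk-ssh-ed25519@openssh.com` ones. The Fedora version test is presumably a stand-in for whether the host's sshd accepts security-key types, and with the variable in the _all_ group that stand-in can misjudge other distributions whose sshd does accept them. Consider testing for that capability directly, or document the fallback above the key with a comment such as `# Break-glass root keys; anything other than Fedora >= 34 gets the non-sk keys`. The template also reads `ansible_distribution`, so any play that renders this variable needs gathered facts; that is worth confirming for hosts that are only in _all_.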
@@ -7,13 +7,4 @@ pam_winbind: true
 nss_winbind: true
 pam_mkhomedir: true
-root_authorized_keys: |
- {% if ansible_distribution == "Fedora" and ansible_distribution_version|int >= 34 %}
- sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINZCN2cxMDwedJ1Ke23Z3CZRcOYjqW8fFqsooRus7RK0AAAABHNzaDo= dustin@rosalina.pyrocufflink.blue
- sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAB6xTCSNz+AcQCWcyVKs84tThXN4wpLgCo2Lc48L6EsAAAABHNzaDo= dustin@luma.pyrocufflink.blue
- {% else %}
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsL5fSylmiJmBtW0DH/viAAmtU2E/2M17GPvysiyRs+ dustin@rosalina
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBw1T18jnBfR5reKAACOs/LMcs+jbclj6Eh8z56kJE7+ dustin@luma
- {% endif %}
-
 fileserver_sftp_only_match: 'Group !server?admins,*'