From f66203ba863a37f21cd403df3bfaeea8aa158854 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?victor=20h=C3=A9ry?=
Date: Thu, 8 Feb 2018 13:49:02 +0100
Subject: [PATCH] sortie du deploiement de clef ssh du role common vers un role dedie, avec utilisation de dictionnaires au lieu de liste pour utiliser la possibilite d'ansible de merger des dictionnaire. WARN : transformez votre variable admin_ssh_keys en dictionnaire ! (cd README)

---
 README.md | 7 ++++++-
 postint-full.yml | 1 +
 postint.yml | 1 +
 roles/common/tasks/main.yml | 10 ----------
 roles/ssh-keys/tasks/main.yml | 34 ++++++++++++++++++++++++++++++++++
 5 files changed, 42 insertions(+), 11 deletions(-)
 create mode 100644 roles/ssh-keys/tasks/main.yml

diff --git a/README.md b/README.md
index 12edbfa..49e786b 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,10 @@ Yet another ansible's playbook repository
 * Common
 * provides **common** configuration
 * https://github.com/nojhan/liquidprompt <3
+* SSH keys
+ * provides ssh keys deployement and blacklist
+ * possibility to use dictionnaries to list keys
+ * possibility to deploy different pools of keys on different servers with ansible hash_behaviour = merge
 * Update
 * allow install all update on hosts (tag normal)
 * allow update specific packages from list (tags packages)
@@ -77,7 +81,8 @@ Yet another ansible's playbook repository
 ```yaml
 ---
-admin_ssh_keys: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZXK3ufonx+zNQ1x6cSWuUWckB/xf9sKZ+mRgY5SPXzqrxSkqNSmr9JQ6xzvhxKEVcFWsi50op1WWtRo3HG3p3+EHKXeCyzt5QnczDlVOoQbB8kgI0byKcvXux1inL4/Q4DbVLUbDFnynD/C5aAyYMYePahMxR+AQr60DD+7Ty6pcEVih1wwHIlxWziY1EF6sEzQwz/PiTxWIZkKHl/WPGagS9Pp/5nQfdZy0AS/JqbzNyMEg51+XedADuqseV4GXDzrzDYLJXJFv1PFVJxRWLrjChKrUMqyszUySkZMr5YSPXlsV0bi+0xivYEsXvIkLORV96JTZosYbV+0aFKDPv root@debian
+admin_ssh_keys:
+ 0: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZXK3ufonx+zNQ1x6cSWuUWckB/xf9sKZ+mRgY5SPXzqrxSkqNSmr9JQ6xzvhxKEVcFWsi50op1WWtRo3HG3p3+EHKXeCyzt5QnczDlVOoQbB8kgI0byKcvXux1inL4/Q4DbVLUbDFnynD/C5aAyYMYePahMxR+AQr60DD+7Ty6pcEVih1wwHIlxWziY1EF6sEzQwz/PiTxWIZkKHl/WPGagS9Pp/5nQfdZy0AS/JqbzNyMEg51+XedADuqseV4GXDzrzDYLJXJFv1PFVJxRWLrjChKrUMqyszUySkZMr5YSPXlsV0bi+0xivYEsXvIkLORV96JTZosYbV+0aFKDPv root@debian
 default_packages_debian: htop
diff --git a/postint-full.yml b/postint-full.yml
index 3593949..c1dfe94 100644
--- a/postint-full.yml
+++ b/postint-full.yml
@@ -8,6 +8,7 @@
 roles:
 - common
+ - ssh-keys
 - xymon-client
 - rudder-node
diff --git a/postint.yml b/postint.yml
index 186f9e8..14f5391 100644
--- a/postint.yml
+++ b/postint.yml
@@ -8,5 +8,6 @@
 roles:
 - common
+ - ssh-keys
 # vim: set textwidth=0 ft=yaml ts=2 sw=2 expandtab:
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index de551ce..2ae5ce6 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -10,10 +10,6 @@
 when: ansible_distribution == 'Debian'
 # Check mandatory variables
-- name: Check vars
- fail: msg="Missing variable admin_ssh_keys"
- when: admin_ssh_keys is not defined
-
 - name: Check vars
 fail: msg="Missing variable default_packages_debian"
 when: default_packages_debian is not defined
@@ -30,12 +26,6 @@
 fail: msg="Missing variable disable_ipv6"
 when: disable_ipv6 is not defined
-# SSH
-- name: Deploy SSH keys
- tags: ssh_keys
- authorized_key: user=root key="{{item}}"
- with_items: "{{ admin_ssh_keys }}"
-
 # Packages
 - name: Install default packages Debian.
diff --git a/roles/ssh-keys/tasks/main.yml b/roles/ssh-keys/tasks/main.yml
new file mode 100644
index 0000000..04bb33c
--- /dev/null
+++ b/roles/ssh-keys/tasks/main.yml
@@ -0,0 +1,34 @@
+---
+# Synchronization des clefs SSH avec option de suppression via admin_blacklist_ssh_keys
+# En utilisant la variable hash_behaviour = merge dans la configuration ansible,
+# permet de deployer differentes clefs sur differentes serveurs en mergeant les dictionnaire
+
+- name: Check vars
+ fail:
+ msg: "Missing variable admin_ssh_keys"
+ tags: ssh_keys
+ when: admin_ssh_keys is not defined
+
+- name: Install libselinux-python needed for centos
+ tags: ssh_keys
+ yum:
+ name: libselinux-python
+ state: installed
+ when: ansible_distribution == 'CentOS'
+
+- name: Remove old SSH keys
+ tags: ssh_keys
+ authorized_key:
+ user: root
+ key: "{{ item.value }}"
+ state: absent
+ with_dict: "{{ admin_blacklist_ssh_keys }}"
+ when: admin_blacklist_ssh_keys is defined
+
+- name: Deploy SSH keys
+ tags: ssh_keys
+ authorized_key:
+ user: root
+ key: "{{ item.value }}"
+ state: present
+ with_dict: "{{ admin_ssh_keys }}"
\ No newline at end of file
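Review bot: The `Check vars` task in the new roles/ssh-keys/tasks/main.yml only tests `is not defined`, so an inventory still carrying admin_ssh_keys in the old list form (exactly the migration the commit subject warns about) skips the guard and fails later inside `with_dict` with a less helpful error; tightening it to `when: admin_ssh_keys is not defined or admin_ssh_keys is not mapping` together with `msg: "admin_ssh_keys must be a dictionary of keys (see README)"` turns that into a clear failure. Because `authorized_key` runs without `exclusive` and the removal task only iterates admin_blacklist_ssh_keys, a key simply dropped from the admin_ssh_keys dictionary remains in root's authorized_keys until it is also added to the blacklist; the header comment should state that revocation goes through admin_blacklist_ssh_keys so operators do not assume removal from the dictionary is enough. The comment also relies on `hash_behaviour = merge`, a global ansible.cfg setting that later ansible-core releases deprecated and then removed, so it is worth recording which Ansible version the role targets. Minor points: `state: installed` on the yum task is the alias of `present`, and the file is missing its trailing newline.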