From 6fc9d8df9682b3b94b6ab47276c6d742ee09a434 Mon Sep 17 00:00:00 2001
From: polyfloyd
Date: Wed, 20 Mar 2024 20:31:54 +0100
Subject: [PATCH] Manage SSH keys with Ansible
---
authorized_keys/ak.keys | 1 +
authorized_keys/bob.keys | 1 +
authorized_keys/eightdot.keys | 1 +
authorized_keys/jeroen.keys | 1 +
authorized_keys/linor.keys | 1 +
authorized_keys/maeddoc.keys | 1 +
authorized_keys/polyfloyd.keys | 1 +
authorized_keys/wilco.keys | 1 +
bank.yaml | 1 +
bar.yaml | 1 +
fotos.yaml | 6 ++++++
group_vars/all.yaml | 4 ++++
monitoring.yaml | 1 +
mqtt-internal.yaml | 1 +
music.yaml | 7 +++++++
pad.yaml | 1 +
roles/common-bitlair/tasks/main.yaml | 8 ++++++++
roles/common-bitlair/templates/authorized_keys.j2 | 5 +++++
services.yaml | 6 ++++++
19 files changed, 49 insertions(+)
create mode 100644 authorized_keys/ak.keys
create mode 100644 authorized_keys/bob.keys
create mode 100644 authorized_keys/eightdot.keys
create mode 100644 authorized_keys/jeroen.keys
create mode 100644 authorized_keys/linor.keys
create mode 100644 authorized_keys/maeddoc.keys
create mode 100644 authorized_keys/polyfloyd.keys
create mode 100644 authorized_keys/wilco.keys
create mode 100644 roles/common-bitlair/tasks/main.yaml
create mode 100644 roles/common-bitlair/templates/authorized_keys.j2
diff --git a/authorized_keys/ak.keys b/authorized_keys/ak.keys
new file mode 100644
index 0000000..75593c5
--- /dev/null
+++ b/authorized_keys/ak.keys
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ0ryG8LT5ryjc3tZggVP0cxjXoKOPzUIwmB9Yez+u3nDHc3RdLR0V/BdcVPCJl9vOQwsFaTE34ZEZ3A6qkcSaz2Npxqq0eFtcEAKTy9w41C6jE586jkwkednSK9ObFFZnlSA3ielYeB5bRuELHyvazHWSUGn+/nzuujAYpEABRGAlt0IV2eMugsb1aEs5v8/Hw3REGz6IeNBwlVOzDznGK4N0b1es270k2fpkD0XMRnga7x2eduD74gRYJHo41sKz6kqHFfXjvrH6Efrn5sNtTF7pIkPfeiX4ukDQYG6Ynxgkdbi1pMg5zGjjjRZ0iExKqNi+jtZhVewqFvj66vLX arjan@koopen.net
diff --git a/authorized_keys/bob.keys b/authorized_keys/bob.keys
new file mode 100644
index 0000000..1c0797e
--- /dev/null
+++ b/authorized_keys/bob.keys
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPw0k0OEI/Gf5eM8/S5+R2Xo3pjGiHyRmGZjrNTJs5dtydEM6t1am7EeBRO1bBuxl3zx+MHoQyjA9GtKibv/uB3WridrLqy2b4bjsRvP9WdbrOacXk8ZkUzRgV7qj/szwnByANOw+jXufBuEEoDfmaprWKGKkTcCnbB/e4E069d2fQxClQ3MDNJSJ2n+9MTv79twJjZqJaMs/LR24nfwTaNNdNIeP6dsUpLBHvhvwxxpi67Y63YjZKFI8watC2D1RNhBLZSRM9lW7zzCmm4H+nBSMKBTRVZsXJPDjvT5WLrxbfOEHWtFucFc9lkKg0ZFgmnrQiFpo9Bmra1AlsPE7P bob@xbmc.org
diff --git a/authorized_keys/eightdot.keys b/authorized_keys/eightdot.keys
new file mode 100644
index 0000000..c49ad8b
--- /dev/null
+++ b/authorized_keys/eightdot.keys
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrNJu4DUU1a0aKcUPR5zF9yhqbBIX5zyMCrjMROhsU3DspZKdMLSlfZEtZurGqY0p1dJEkf5p5IWZq4dlKvuNxc9vTSRpSilpo7wLvZGDBBSlZZoigw98h+roDS+2LGOvvItkd70zyXO+ty1fkxKGs/JzE/Sw+4Y5YDZ1VDyWubF5JKT0vvvnw2y5y6u74yu0cGTXTf2mdVzpEHqs9esigHhrmtBT7KJdTO6B7cylk6etIBmylRntd1GZ9+uEsVvh4vZx+sjqdg0YTAlf+4iFA2d5gMru5ZVPGISKQCVtWpO+UJvGeE/ViSLwMlVEKbLSXDyYrj4nnz7KVdHzxDsFN reinder@E5530
diff --git a/authorized_keys/jeroen.keys b/authorized_keys/jeroen.keys
new file mode 100644
index 0000000..c3732e9
--- /dev/null
+++ b/authorized_keys/jeroen.keys
@@ -0,0 +1 @@
+ssh-rsa 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 jeroen@stroevesoer.nl
diff --git a/authorized_keys/linor.keys b/authorized_keys/linor.keys
new file mode 100644
index 0000000..964affe
--- /dev/null
+++ b/authorized_keys/linor.keys
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3GzlxEWjUMN1Q0SoAIcaX1BQ9J0gxrYKniwYGmv1r6cUxNzZEiZLxbNJ9ayK6SLtAXtvELHM19vYcWmXVYcmthM4a5+CKpGb4h4XzJjNeRTeWHfoAWHMKaotNTSzoE5/seIn/Q9sogConW/e+gOPqtVZOidvimo3EjZ0ih3cfbKqe2M38qIS0o1qJx/XvAC9nt8QGDuxyeegkihnDhxY495emd5qLIkrRBDJEbd5sjkuNF3ow4iC+wa2bjD9aOMfax5l2/hHxRfBm2YPMAp1DbuRPz5ZZOOMyJ2mDl9c7SYBzHv5M39Al46z/y1BR030kTMx2UDzOUYX8HxWdOwnt krijnschaap@Krijns-MacBook-Pro.local
diff --git a/authorized_keys/maeddoc.keys b/authorized_keys/maeddoc.keys
new file mode 100644
index 0000000..68e734b
--- /dev/null
+++ b/authorized_keys/maeddoc.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJFP8joeSTbBsRQnEhu9KaNgciA/gAYdZc5GpgywIRF5 max@e595 diff --git a/authorized_keys/polyfloyd.keys b/authorized_keys/polyfloyd.keys new file mode 100644 index 0000000..00ad993 --- /dev/null +++ b/authorized_keys/polyfloyd.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBotjHW+sNMI56uKXA87/zoRU8g7EY+d6bkObb6SyXEB polyfloyd@hephaestus diff --git a/authorized_keys/wilco.keys b/authorized_keys/wilco.keys new file mode 100644 index 0000000..9ca880c --- /dev/null +++ b/authorized_keys/wilco.keys @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq/AHWNITVjD3WZY5XJD20K5cBLbjWuEWJnZQhEtPHrFZESjmGsPYjcPhlYZFzRKazM5d7aM++QhBWFO2fLQJLc9+WNUHWlbsH9xQ0L+mqx3YqDKFNAMU0dQM+x1iDZupD/Hku/1AcXs7gAhOw/kZnSgN5N7d2NWrg6798r6YKN9iawShl7D6Bi+oseVVm0Rf6XIvY6eEV6ez8r94ffUsR/8fHdzBPo7T7wIPQPETXGPWrWWc4cBZJtIsAPluEZirwkEUslvKJBcoLqgyazXghBl0Ifzxh2XY8P27yI+foiM28/bkDtu4XpFpNf23LbQyx0SY3LzFJLJg0uHglV/Kvw== wilcobh@glan diff --git a/bank.yaml b/bank.yaml index 273fe33..e3f5930 100644 --- a/bank.yaml +++ b/bank.yaml @@ -2,6 +2,7 @@ - hosts: bank roles: - common + - common-bitlair - bank vars: bank_revbank_git: https://github.com/bitlair/revbank.git diff --git a/bar.yaml b/bar.yaml index 05912a3..4ef9f78 100644 --- a/bar.yaml +++ b/bar.yaml @@ -4,4 +4,5 @@ raspi_rotate_display: "2" roles: - raspi + - common-bitlair - bank-terminal diff --git a/fotos.yaml b/fotos.yaml index e141485..88ded8b 100644 --- a/fotos.yaml +++ b/fotos.yaml @@ -2,4 +2,10 @@ - hosts: fotos roles: - common + - common-bitlair - photos + vars: + root_access: + - ak + - linor + - polyfloyd diff --git a/group_vars/all.yaml b/group_vars/all.yaml index 516740a..a8a40cc 100644 --- a/group_vars/all.yaml +++ b/group_vars/all.yaml @@ -13,5 +13,9 @@ trusted_ranges: - { v: ipv6, cidr: "fe80::/10" } - { v: ipv6, cidr: "2a02:166b:92::/48" } +root_access: + - ak + - polyfloyd + mqtt_internal_host: mqtt.bitlair.nl mqtt_public_host: bitlair.nl 
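Review bot: The play-level `root_access` added to fotos.yaml replaces the default list from group_vars/all.yaml rather than extending it, because play `vars` take precedence over group vars and Ansible does not merge lists; the same applies to the `vars` blocks added in music.yaml and services.yaml. Someone later added to the default in group_vars/all.yaml will therefore not get access on these hosts, and someone removed from it keeps access wherever a play still lists them. A comment above each override would make that explicit, e.g. `# Full list for this host: replaces root_access from group_vars/all.yaml`.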
diff --git a/monitoring.yaml b/monitoring.yaml index 7ac7e32..c439507 100644 --- a/monitoring.yaml +++ b/monitoring.yaml @@ -2,5 +2,6 @@ - hosts: monitoring roles: - common + - common-bitlair - acme - monitoring diff --git a/mqtt-internal.yaml b/mqtt-internal.yaml index 20d0cb7..93a00a5 100644 --- a/mqtt-internal.yaml +++ b/mqtt-internal.yaml @@ -2,4 +2,5 @@ - hosts: mqtt_internal roles: - common + - common-bitlair - mqtt-internal diff --git a/music.yaml b/music.yaml index b6fe086..3495ff3 100644 --- a/music.yaml +++ b/music.yaml @@ -2,6 +2,13 @@ - hosts: music roles: - common + - common-bitlair - acme - go - music + vars: + root_access: + - ak + - bob + - eightdot + - polyfloyd diff --git a/pad.yaml b/pad.yaml index 63d91b1..2325204 100644 --- a/pad.yaml +++ b/pad.yaml @@ -5,5 +5,6 @@ - [ pad.bitlair.nl ] roles: - common + - common-bitlair - acme - etherpad diff --git a/roles/common-bitlair/tasks/main.yaml b/roles/common-bitlair/tasks/main.yaml new file mode 100644 index 0000000..57f98a8 --- /dev/null +++ b/roles/common-bitlair/tasks/main.yaml @@ -0,0 +1,8 @@ +--- +- name: Update authorized_keys + tags: authorized_keys + template: + src: authorized_keys.j2 + dest: /root/.ssh/authorized_keys + mode: 0600 + when: root_access is defined and root_access diff --git a/roles/common-bitlair/templates/authorized_keys.j2 b/roles/common-bitlair/templates/authorized_keys.j2 new file mode 100644 index 0000000..f310024 --- /dev/null +++ b/roles/common-bitlair/templates/authorized_keys.j2 @@ -0,0 +1,5 @@ +# Managed by Ansible + +{% for name in root_access %} +{{ lookup('file', 'authorized_keys/'+name+'.keys') }} +{% endfor %} diff --git a/services.yaml b/services.yaml index 5bfcdef..62acf97 100644 --- a/services.yaml +++ b/services.yaml @@ -2,4 +2,10 @@ - hosts: services roles: - common + - common-bitlair - services + vars: + root_access: + - ak + - wilco + - polyfloyd
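Review bot: In roles/common-bitlair/tasks/main.yaml the guard `when: root_access is defined and root_access` skips the task when the list is empty or unset, so a previously deployed /root/.ssh/authorized_keys stays in place and clearing the list does not revoke anyone. That may be a deliberate lock-out guard, but it should be stated in a comment above the task, e.g. `# Skipped when root_access is empty: existing keys are left untouched, not removed`. The task also sets no owner or group and appears to assume /root/.ssh already exists; adding `owner: root` and `group: root`, and writing the mode as `mode: "0600"` so it does not rely on YAML 1.1 octal parsing, would make the resulting file less dependent on how the play connects.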
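Review bot: The file rendered by roles/common-bitlair/templates/authorized_keys.j2 identifies each key only by the comment inside the .keys file, and those comments do not match the roster names used in `root_access` (eightdot's key is labelled `reinder@E5530`, linor's `krijnschaap@Krijns-MacBook-Pro.local`). When auditing /root/.ssh/authorized_keys on a host, that makes it hard to tell which roster entry granted a given key. Emitting the name inside the loop, as a `# {{ name }}` line directly above the `lookup(...)` line, keeps every entry traceable to the repository.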