If you specify user SSH keys as a list of keys, you can use them like this
using with_subelements:

- name: User SSH keys
  authorized_key: user="{{ item.0.username }}" key="{{ item.1 }}"
  when: item.0.username in users_add
  with_subelements:
    - users
    - ssh_key

This works for me without a problem. Just modify the when: condition to be
like your one.
On Saturday, May 10, 2014 3:46:48 PM UTC+2, Ernest0x wrote:
>
> On 05/07/2014 09:32 PM, Bruce Pennypacker wrote:
>
> Ah, thanks! All the documentation for the authorized_key module implies
> that it works on just one key at a time, not a file/string that contains
> multiple keys. That documentation should really be updated...
>
> -Bruce
>
> On Wednesday, May 7, 2014 2:13:42 PM UTC-4, Matt Martz wrote:
>>
>> I'd recommend storing your keys in files, and using lookup('file', ...)
>>
>> Then you can store multiple keys in a single file.
>>
>> Additionally you could just store multiple keys as a string with new
>> lines in your current data structure and not try using a list.
>>
>> On Wednesday, May 7, 2014, Bruce Pennypacker <[email protected]>
>> wrote:
>>
>>> We have a role that defines user accounts as follows:
>>>
>>> users:
>>>   - username: user1
>>>     comment: User 1
>>>     uid: 3001
>>>     ssh_key: "xxx"
>>>
>>>   - username: user2
>>>     comment: User 2
>>>     uid: 3002
>>>     ssh_key: "yyy"
>>>
>>> Users are then grouped by name into other lists:
>>>
>>> regular_users:
>>>   - user1
>>>   - user2
>>>   ...
>>>
>>> ops_users:
>>>   - user3
>>>   - user4
>>>   ...
>>>
>>> Our hosts then have a fact called user_roles that's a list of each
>>> group of users and individual usernames to create accounts for. We then
>>> have tasks defined like this:
>>>
>>> - name: add users
>>>   user: name={{ item.username }}
>>>         comment="{{ item.comment }}"
>>>         uid={{ item.uid }}
>>>   when: item.username in lookup('flattened',user_roles)
>>>   with_items: users
>>>
>>> - name: add SSH keys
>>>   authorized_key: user={{ item.username }}
>>>                   key="{{ item.ssh_key }}"
>>>   when: item.username in lookup('flattened',user_roles) and item.ssh_key is defined
>>>   with_items: users
>>>
>>> All of this is working great. We're managing about 50 different user
>>> accounts over 80 servers in varying groups without any difficulty. But now
>>> I'd like to be able to extend this to support multiple SSH keys for each
>>> user. So I'd like to be able to define a user along these lines:
>>>
>>> - username: userFoo
>>>   comment: User Foo
>>>   uid: 4321
>>>   ssh_keys: [ 'xxx', 'yyy', 'zzz']
>>>
>>> But if I do this then I'm at a complete loss of how to rewrite the
>>> authorized_key task to handle it properly. At first glance I would expect
>>> that I'd need to use with_nested but I'm not entirely sure how to go about
>>> doing it. I tried variations of this, but haven't gotten anything to work:
>>>
>>> - name: add multiple SSH keys
>>>   authorized_key: user={{ item[0].username }}
>>>                   key="{{ item.[1] }}"
>>>   when: item[0].username in lookup('flattened',user_roles) and item[0].ssh_keys is defined
>>>   with_nested:
>>>     - users
>>>     - item[0].ssh_keys
>>>
>>> Is there a better way of managing a dynamic list of ssh keys? Or am I
>>> just trying something that's too complex for Ansible to handle cleanly?
>>>
>>> -Bruce
>>>
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Ansible Project" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To post to this group, send email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/ansible-project/ed9760ef-ae4d-4403-b145-2e8d0ec84d34%40googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>
>> --
>> Matt Martz
>> [email protected]
>> http://sivel.net/
>>
>
> You can store multiple keys in a single file, but that means that you
> would have to manually create a separate file for each key combination you
> want to deploy.
> Instead, take a look at my pull request for with_nested (
> https://github.com/ansible/ansible/pull/7278) and the example I have
> given in my previous post at the "Nested looping with hash/dict so I can
> override values" thread. It would allow you to do what you want more
> cleanly.
>
>
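
An added example, not part of the thread and not any poster's code: the per-key loop discussed above next to a variant that also revokes keys removed from the list. It assumes the current module name ansible.posix.authorized_key, the subelements and flatten filters, a user_roles list shaped as the first message describes, and placeholder key strings.

```yaml
# Added example. Variable names (users, ssh_keys, user_roles) follow the thread.
# The key strings are placeholders: substitute real public keys before running.
# Assumes the accounts already exist (the thread's "add users" task).
- hosts: all
  become: true
  vars:
    users:
      - username: userFoo
        comment: User Foo
        uid: 4321
        ssh_keys:
          - "ssh-ed25519 PLACEHOLDER_PUBLIC_KEY_1 userFoo@laptop"
          - "ssh-ed25519 PLACEHOLDER_PUBLIC_KEY_2 userFoo@desktop"
      - username: user1            # no ssh_keys: skipped by both tasks
        comment: User 1
        uid: 3001
    user_roles:
      - [userFoo]                  # a group of users
      - user1                      # an individual username
  tasks:
    # Additive: one module call per (user, key) pair. A key deleted from
    # ssh_keys stays in the account's authorized_keys file on every host.
    - name: Add each listed SSH key
      ansible.posix.authorized_key:
        user: "{{ item.0.username }}"
        key: "{{ item.1 }}"
        state: present
      loop: "{{ users | subelements('ssh_keys', skip_missing=True) }}"
      loop_control:
        label: "{{ item.0.username }}"
      when: item.0.username in (user_roles | flatten)

    # Authoritative alternative: exclusive is applied per module call, so in
    # the loop above it would leave only the last key. Pass all of a user's
    # keys in one newline-joined string; any key not listed is removed.
    - name: Enforce exactly the listed SSH keys
      ansible.posix.authorized_key:
        user: "{{ item.username }}"
        key: "{{ item.ssh_keys | join('\n') }}"
        exclusive: true
      loop: "{{ users }}"
      loop_control:
        label: "{{ item.username }}"
      when:
        - item.username in (user_roles | flatten)
        - item.ssh_keys is defined
```

Use one of the two tasks, not both: the first suits hosts where other tooling also writes authorized_keys, the second suits hosts where the inventory is the single source of truth for access.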