Default variable details
Some of debops.authorized_keys
default variables have more extensive
configuration than simple strings or lists, here you can find documentation and
examples for them.
authorized_keys__list
The authorized_keys__list
, authorized_keys__group_list
,
authorized_keys__host_list
and authorized_keys__dependent_list
variables are used to define what SSH keys should be present in each user
file located in /etc/ssh/authorized_keys/
directory. Each list entry is
a YAML dictionary with specific parameters:
name
Required. Name of the user account to configure. This will be used as the name of the file located in the
/etc/ssh/authorized_keys/
directory.
These parameters are related to SSH public key management:
sshkeys
Optional. String containing either a SSH public key, or an URL to a resource which returns a file with SSH public keys (only one URL is allowed at the moment), or a YAML list of SSH public keys.
github
Optional. String with the name of a GitHub account. SSH public keys belonging to this account will be added to, or removed from, the specified user file. The SSH keys will be downloaded from:
https://github.com/<username>.keys
Only one GitHub account is allowed at a time.options
Optional. String or list of SSH options which should be set for each key specified on the
sshkeys
list. You can find more about available options in authorized_keys(5).If this parameter is not specified, SSH public keys will use options set in the
authorized_keys__default_options
variable. To override this variable for a particular entry, set theitem.options
parameter as empty string or list.The specified SSH key options are applied to all keys specified in the
sshkeys
orgithub
parameters in this specific entry. To use different key options for different SSH keys, specify them in separate entries on the list.key_options
Optional. Additional set of options to add to the SSH public keys. This can be used with
item.options
parameter to easily combine a list of options from another variable with a custom additional options. For example:authorized_keys__list: - name: 'user' github: 'user' options: '{{ authorized_keys__options_map.strict }}' key_options: 'command="ls -l /home/user"'
exclusive
Optional, boolean. If defined and
True
, role will remove all other SSH public keys located in the user file and set only the SSH public keys present in theitem.sshkeys
oritem.github
parameters.state
Optional. If undefined or
present
, the SSH public keys specified in theitem.sshkeys
oritem.github
parameters will be added to the user file. Ifabsent
, the specified SSH public keys will be removed from the user file.
These parameters are related to the files located in the
/etc/ssh/authorized_keys/
directory:
readonly
Optional, boolean. If defined and
True
, or if the correspondingauthorized_keys__readonly
variable isTrue
, the role will set the owner and group of the user file asroot:<item.group|primary group of user|root>
and its permissions will be set to0640
, so that the respective users being in their own groups can still access the file and use it for authentication, but they cannot change it.If this parameter is set to
False
or the correspondingauthorized_keys__readonly
variable isFalse
, to role will not modify the file ownership or permissions set by theauthorized_key
Ansible module.owner
Optional. Set the owner of the user file. If the owner account does not exist,
root
will become the owner.group
Optional. Name of the primary group of a given user file. If the specified group does not exist, it will be automatically created by the role.
If the
item.group
parameter is not specified, the role will try to set the group of the file the same as the specified user initem.name
parameter with the assumption that the corresponding primary group exists. If it does not exist, the primary group of the user file will beroot
.system
Optional, boolean. If undefined or
True
, the group created by the role will be a "system" group, with GID < 1000. IfFalse
, the created group will be a "normal" group with GID >= 1000. The existing groups are not modified.gid
Optional. Specify the GID a given group should use.
mode
Optional. Set the mode of the user file. If not specified, mode
0640
or0600
will be set depending on read only configuration parameters.file_state
Optional. If undefined or
present
, the user file will be present. Ifabsent
, the user file will be removed.
Examples
Ensure that given SSH public keys are present in the user file:
authorized_keys__list:
- name: 'user1'
sshkeys: [ 'ssh-rsa AAAAB3NzaC1yc2EAAAA...', 'ssh-rsa AAAAB3NzaC1yc2EAAAA...' ]
Add SSH public keys from specified URL:
authorized_keys__list:
- name: 'user2'
sshkeys: 'https://auth.example.com/api/ssh/user2'
Add SSH keys from two GitHub accounts to specified user account:
authorized_keys__list:
- name: 'app1'
github: 'user-one'
- name: 'app1'
github: 'user-two'
Set SSH keys from a file on Ansible Controller as the only keys on a given user account:
authorized_keys__list:
- name: 'user3'
sshkeys: '{{ lookup("file", "/path/to/user3.pub") }}'
exclusive: True