Add method to remove inactive SSH keys

2023-09-01 15:42:28 -04:00 · 2023-09-01 15:42:28 -04:00 · ea9fe5570f
parent 25dde4709b
commit ea9fe5570f
2 changed files with 28 additions and 0 deletions
--- a/group_vars/default/base.yml
+++ b/group_vars/default/base.yml
@ -110,6 +110,8 @@ admin_users:
    uid: 500
    keys:
      - "ssh-ed25519 MyKey 2019-06"
+    removed:
+      - "ssh-ed25519 ObsoleteKey 2017-01"

 # Backup user SSH user keys, for remote backups separate from administrative users (e.g. rsync)
 # > Uncomment to activate this functionality.
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@ -838,6 +838,7 @@
  authorized_key:
    user: "{{ deploy_username }}"
    key: "{{ item.1 }}"
+    state: present
  with_subelements:
    - "{{ admin_users }}"
    - keys
@ -845,6 +846,18 @@
    - users
    - user-deploy

+- name: remove authorized keys
+  authorized_key:
+    user: "{{ deploy_username }}"
+    key: "{{ item.1 }}"
+    state: absent
+  with_subelements:
+    - "{{ admin_users }}"
+    - removed
+  tags:
+    - users
+    - user-deploy
+
 # admin_users
 - name: ensure user exists
  user:
@ -890,6 +903,7 @@
  authorized_key:
    user: "{{ item.0.name }}"
    key: "{{ item.1 }}"
+    state: present
  with_subelements:
    - "{{ admin_users }}"
    - keys
@ -897,6 +911,18 @@
    - users
    - user-admin

+- name: remove authorized keys
+  authorized_key:
+    user: "{{ item.0.name }}"
+    key: "{{ item.1 }}"
+    state: absent
+  with_subelements:
+    - "{{ admin_users }}"
+    - removed
+  tags:
+    - users
+    - user-deploy
+
 - name: write bashrc to homedir
  template:
    src: var/home/user/bashrc.j2