Add hifis.ssh_keys role

Signed-off-by: Norman Ziegner <[email protected]>

Author: Normo

.github/labeler.yml

@@ -4,6 +4,12 @@
 # SPDX-License-Identifier: Apache-2.0
 
 ---
+ssh_keys:
+  - changed-files:
+      - any-glob-to-any-file:
+          - "roles/ssh_keys/**"
+          - "molecule/ssh_keys/**"
+          - ".github/workflows/ssh_keys.yml"
 unattended_upgrades:
   - changed-files:
       - any-glob-to-any-file:

.github/workflows/ssh_keys.yml

@@ -0,0 +1,85 @@
+# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ)
+# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+name: "hifis.ssh_keys"
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/ssh_keys.yml'
+      - 'roles/ssh_keys/**'
+      - 'molecule/ssh_keys/**'
+      - 'Pipfile'
+      - 'Pipfile.lock'
+  push:
+    branches:
+      - "main"
+    tags:
+      - "v*.*.*"
+    paths:
+      - '.github/workflows/ssh_keys.yml'
+      - 'roles/ssh_keys/**'
+      - 'molecule/ssh_keys/**'
+      - 'Pipfile'
+      - 'Pipfile.lock'
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+
+  test:
+    name: "Run Molecule tests."
+    runs-on: "ubuntu-22.04"
+    env:
+      PY_COLORS: 1
+      ANSIBLE_FORCE_COLOR: 1
+    strategy:
+      fail-fast: false
+      matrix:
+        image:
+          - "ghcr.io/hifis-net/centos-systemd:7"
+          - "ghcr.io/hifis-net/almalinux-systemd:8"
+          - "ghcr.io/hifis-net/almalinux-systemd:9"
+          - "ghcr.io/hifis-net/ubuntu-systemd:18.04"
+          - "ghcr.io/hifis-net/ubuntu-systemd:20.04"
+          - "ghcr.io/hifis-net/ubuntu-systemd:22.04"
+          - "ghcr.io/hifis-net/debian-systemd:10"
+          - "ghcr.io/hifis-net/debian-systemd:11"
+
+    steps:
+      - name: "Check out the codebase."
+        uses: "actions/checkout@v4"
+        with:
+          path: "ansible_collections/hifis/toolkit"
+
+      - name: "Prepare the job environment."
+        uses: "./ansible_collections/hifis/toolkit/.github/workflows/prepare-action"
+
+      # https://github.com/ansible/molecule/issues/3806
+      - name: "Help molecule to find the dependencies"
+        run: |
+          mkdir -p /home/runner/.ansible
+          ln -s /home/runner/work/ansible-collection-toolkit/ansible-collection-toolkit/ansible_collections/hifis/toolkit/roles \
+            /home/runner/.ansible/roles
+
+      - name: "Install modern podman"
+        run: |
+          sudo mkdir -p /etc/apt/keyrings
+          curl -fsSL https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/Release.key \
+            | gpg --dearmor \
+            | sudo tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null
+          echo \
+            "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg]\
+              https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/ /" \
+            | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list > /dev/null
+          sudo apt-get update -qq
+          sudo apt-get -qq -y install podman
+
+      - name: "Run Molecule tests."
+        run: "pipenv run molecule test -s ssh_keys"
+        env:
+          MOLECULE_IMAGE: "${{ matrix.image }}"
+        working-directory: "ansible_collections/hifis/toolkit"

README.md

@@ -10,6 +10,7 @@ SPDX-License-Identifier: Apache-2.0
 [![Latest release](https://img.shields.io/github/v/release/hifis-net/ansible-collection-toolkit)](https://github.com/hifis-net/ansible-collection-toolkit/releases)
 [![hifis.unattended_upgrades](https://github.com/hifis-net/ansible-collection-toolkit/actions/workflows/unattended_upgrades.yml/badge.svg)](https://github.com/hifis-net/ansible-collection-toolkit/actions/workflows/unattended_upgrades.yml)
 [![hifis.zammad](https://github.com/hifis-net/ansible-collection-toolkit/actions/workflows/zammad.yml/badge.svg)](https://github.com/hifis-net/ansible-collection-toolkit/actions/workflows/zammad.yml)
+[![DOI](https://zenodo.org/badge/495697576.svg)](https://zenodo.org/doi/10.5281/zenodo.11147483)
 
 ## Description
 
@@ -28,7 +29,7 @@ software engineers, but not exclusively. The following use cases are supported:
 * OS-related:
   * [**unattended-upgrades**](roles/unattended_upgrades)
   * [netplan](https://github.com/hifis-net/ansible-role-gitlab-netplan) (coming soon!)
-  * managing and distributing authorized [SSH keys](https://github.com/hifis-net/ansible-role-ssh-keys) (coming soon!)
+  * distribute authorized [**SSH keys**](role/ssh_keys) to users
 
 ## Minimum required Ansible-version
 

UNATTENDED_UPGRADES_CHANGELOG.md

@@ -1,3 +1,10 @@
+<!--
+SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ)
+SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR)
+
+SPDX-License-Identifier: Apache-2.0
+-->
+
 # Changelog
 
 ## [v3.3.0](https://github.com/hifis-net/ansible-collection-toolkit/tree/v3.3.0) (2024-03-01)

UNATTENDED_UPGRADES_CHANGELOG.md.license

@@ -0,0 +1,22 @@
+# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ)
+# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+- name: "Converge"
+  hosts: "all"
+  vars:
+    ssh_user_list:
+      - name: "dummyuser"
+        authorized_keys:
+          - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJi3wBlOT+oR8Rd+YQsV8tUoQOd3NSUuyzJYQp8finD6 [email protected]"
+        create_user_account: true
+      - name: "root"
+        authorized_keys:
+          - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJi3wBlOT+oR8Rd+YQsV8tUoQOd3NSUuyzJYQp8finD6 [email protected]"
+          - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDXkvy8jMmw45grnmYK+Ylk/mcc7IyG9taNseNiVrGjR8KRHVJpzEntW1g6SAomIGIpBLvviiyhal4E1v1bhpv2JopbiM3JDOck6gwc4AfpanjuZFPuq6stq5pF7bb2C+zliw16zTFL7bp09tD7nNs30GlchB5DU2sSn1zq4iC+eQ== [email protected]" # noqa 204
+  tasks:
+    - name: "Include ssh_keys role"
+      ansible.builtin.include_role:
+        name: "hifis.toolkit.ssh_keys"

molecule/ssh_keys/converge.yml

@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ)
+# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+dependency:
+  name: "galaxy"
+  options:
+    requirements-file: "molecule/ssh_keys/requirements.yml"
+driver:
+  name: "podman"
+platforms:
+  - name: "instance"
+    image: "${MOLECULE_IMAGE:-ghcr.io/hifis-net/ubuntu-systemd:22.04}"
+    pre_build_image: true
+    privileged: true
+    override_command: false
+    systemd: true
+    tty: true
+provisioner:
+  name: "ansible"
+verifier:
+  name: "ansible"

molecule/ssh_keys/molecule.yml

@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ)
+# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+
+collections:
+  - name: "ansible.posix"

molecule/ssh_keys/requirements.yml

@@ -0,0 +1,42 @@
+# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ)
+# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+- name: "Verify"
+  hosts: "all"
+  tasks:
+    - name: "Ensure ssh dummy user is present"
+      ansible.builtin.user:
+        name: "dummyuser"
+        state: "present"
+      register: "dummyuser"
+      failed_when: "dummyuser.changed"
+
+    - name: "Ensure ssh key for newly created user is present"
+      ansible.builtin.lineinfile:
+        path: "/home/dummyuser/.ssh/authorized_keys"
+        regexp: '^{{ ssh_public_key }}(.*)$'
+        line: '{{ ssh_public_key }}\1'
+        state: "present"
+        backrefs: true
+      check_mode: true
+      register: "line_in_file"
+      failed_when: "(line_in_file.changed) or (line_in_file.failed)"
+      vars:
+        ssh_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJi3wBlOT+oR8Rd+YQsV8tUoQOd3NSUuyzJYQp8finD6 [email protected]"
+
+    - name: "Ensure ssh key for existing user is present"
+      ansible.builtin.lineinfile:
+        path: "/root/.ssh/authorized_keys"
+        regexp: '^{{ item }}(.*)$'
+        line: '{{ item }}\1'
+        state: "present"
+        backrefs: true
+      check_mode: true
+      register: "line_in_file"
+      failed_when: "(line_in_file.changed) or (line_in_file.failed)"
+      loop:
+        - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJi3wBlOT+oR8Rd+YQsV8tUoQOd3NSUuyzJYQp8finD6 [email protected]"
+        - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDXkvy8jMmw45grnmYK+Ylk/mcc7IyG9taNseNiVrGjR8KRHVJpzEntW1g6SAomIGIpBLvviiyhal4E1v1bhpv2JopbiM3JDOck6gwc4AfpanjuZFPuq6stq5pF7bb2C+zliw16zTFL7bp09tD7nNs30GlchB5DU2sSn1zq4iC+eQ== [email protected]" # noqa 204

molecule/ssh_keys/verify.yml

@@ -6,4 +6,5 @@
 ---
 
 collections:
+  - name: "ansible.posix"
   - name: "community.crypto"