fix: support ssh allowedSignersFile and revocationFile

2025-03-19 23:30:19 +01:00 · 2025-03-19 23:30:19 +01:00 · ab3618b924
commit ab3618b924
parent 1765f54bfe
4 changed files with 26 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -5,6 +5,10 @@ git_package_name_merge_tool: meld

 git_users: []
  # github:
+  #   allowedSignersFile:
+  #   - principals:
+  #     - max.mustermann@example.com
+  #     publicSSHKey: ssh-rsa AAAAX1...
  #   config:
  #     commit:
  #       gpgSign: "true"
@ -12,3 +16,5 @@ git_users: []
  #       name: "root"
  #       email: root@localhost
  #       signingKey: gpg-fingerprint
+  #   revocationFile:
+  #   - ssh-rsa AAAAX1...
--- a/tasks/git_user.yml
+++ b/tasks/git_user.yml
@ -21,8 +21,10 @@
    group: "{{ getent_passwd[item.key][2] }}"
    mode: "0644"
  with_items:
+  - .config/git/allowedSignersFile
  - .config/git/config
  - .config/git/message
  - .config/git/ignore
+  - .config/git/revocationFile
  loop_control:
    loop_var: filename
--- a/templates/.config/git/allowedSignersFile.j2
+++ b/templates/.config/git/allowedSignersFile.j2
@ -0,0 +1,9 @@
+#
+# {{ ansible_managed }}
+#
+
+{% if item.value.allowedSignersFile is defined and item.value.allowedSignersFile | length > 0%}
+{% for entry in item.value.allowedSignersFile %}
+{{ entry.principals | join(',') }} {{ entry.publicSSHKey }}
+{% endfor %}
+{% endif %}
--- a/templates/.config/git/revocationFile.j2
+++ b/templates/.config/git/revocationFile.j2
@ -0,0 +1,9 @@
+#
+# {{ ansible_managed }}
+#
+
+{% if item.value.revocationFile is defined and item.value.revocationFile | length > 0%}
+{% for entry in item.value.revocationFile %}
+{{ entry }}
+{% endfor %}
+{% endif %}