From 26e57d7b6ff21db1884c41f10424a782aca3712c Mon Sep 17 00:00:00 2001
From: Markus Pesch <markus.pesch@cryptic.systems>
Date: Tue, 19 Jul 2022 17:54:56 +0200
Subject: [PATCH] fix: config ssh client config

---
 defaults/default.yml         | 42 +++++++++++++++++--------------
 tasks/create_unix_user.yml   | 48 ++++++++++++++++++++++++++++++++++--
 tasks/main.yml               | 20 +++++++--------
 tasks/remove_unix_group.yml  |  2 +-
 tasks/remove_unix_user.yml   |  4 +--
 templates/authorized_keys.j2 |  4 +--
 templates/config.j2          | 14 +++++++++++
 7 files changed, 98 insertions(+), 36 deletions(-)
 create mode 100644 templates/config.j2

diff --git a/defaults/default.yml b/defaults/default.yml
index ec41d61..e758271 100644
--- a/defaults/default.yml
+++ b/defaults/default.yml
@@ -1,26 +1,30 @@
 ---
 
-# unix_groups:
-#   kah:
-#     gid: 568
+unix_groups: {}
+#   alice:
+#     gid: 1001
 #     state: present
-#   markus: {}
-#   movies:
+#   bob:
+#     gid: 1001
 #     state: absent
 
-# unix_users:
-#   markus:
-#     name: "Markus Pesch"
-#     ssh_keys:
-#       public:
-#       - markus@markus-pc.pub
-#       - markus@markus-nb.pub
+unix_users: {}
+#   alice:
+#     state: "present"
+#     name: "Alice"
+#     uid: "1000"
+#     ssh:
+#       config:
+#       - Host: "*"
+#         StrictHostKeyChecking: "no"
+#         UserKnownHostFile: /dev/null
+#       authorized_keys:
+#       - alice@alice-pc.pub
+#       private_keys:
+#       - alice@alice-pc.ed25519.key
+#     home: /home/alice
 #     shell: /bin/bash
-#     group: markus
-#     groups:
-#     - movies
-#     - music
-#     - series
+#     group: alice
+#     groups: []
 #     password: ""
-#     email: markus.pesch@cryptic.systems
-#     state: present
+#     email: alice@example.local
diff --git a/tasks/create_unix_user.yml b/tasks/create_unix_user.yml
index bc55074..eccbb55 100644
--- a/tasks/create_unix_user.yml
+++ b/tasks/create_unix_user.yml
@@ -71,13 +71,57 @@
     owner: "{{ unix_user.key }}"
     group: "{{ unix_user.value.group | default('users') }}"
     mode: 0600
-  when: unix_user.value.ssh_keys is defined and unix_user.value.ssh_keys.public | length > 0
+  when: unix_user.value.ssh.authorized_keys is defined and unix_user.value.ssh.authorized_keys | length > 0
 
 - name: Remove authorized_keys file for user {{ unix_user.key }}
   file:
     path: "{{ user_user_home }}/.ssh/authorized_keys"
     state: absent
-  when: unix_user.value.ssh_keys.public is not defined or unix_user.value.ssh_keys.public | length <= 0
+  when: unix_user.value.ssh.authorized_keys is not defined or unix_user.value.ssh.authorized_keys | length <= 0
+
+- name: Create private SSH keys for user {{ unix_user.key }}
+  copy:
+    src: "{{ playbook_dir }}/ssh/private_keys/{{ item }}"
+    dest: "{{ user_user_home }}/.ssh/{{ item }}"
+    owner: "{{ unix_user.key }}"
+    group: "{{ unix_user.value.group | default('users') }}"
+    mode: 0600
+  with_items:
+  - "{{ unix_user.value.ssh.private_keys }}"
+  when: unix_user.value.ssh.private_keys is defined and unix_user.value.ssh.private_keys | length >= 0
+
+- name: Extract public SSH keys from private keys for user {{ unix_user.key }}
+  command: "ssh-keygen -y -f {{ user_user_home }}/.ssh/{{ item }} > {{ user_user_home }}/.ssh/{{ item }}.pub"
+  args:
+    creates: "{{ user_user_home }}/.ssh/{{ item }}.pub"
+  with_items:
+  - "{{ unix_user.value.ssh.private_keys }}"
+  when: unix_user.value.ssh.private_keys is defined and unix_user.value.ssh.private_keys | length >= 0
+
+- name: Correct permissions of public SSH keys for user {{ unix_user.key }}
+  file:
+    path: "{{ user_user_home }}/.ssh/{{ item }}.pub"
+    owner: "{{ unix_user.key }}"
+    group: "{{ unix_user.value.group | default('users') }}"
+    mode: 0644
+  with_items:
+  - "{{ unix_user.value.ssh.private_keys }}"
+  when: unix_user.value.ssh.private_keys is defined and unix_user.value.ssh.private_keys | length >= 0
+
+- name: Create custom SSH client config for user {{ unix_user.key }}
+  template:
+    src: config.j2
+    dest: "{{ user_user_home }}/.ssh/config"
+    owner: "{{ unix_user.key }}"
+    group: "{{ unix_user.value.group | default('users') }}"
+    mode: 0644
+  when: unix_user.value.ssh.config is defined and unix_user.value.ssh.config | length >= 0
+
+- name: Remove custom SSH client config for user {{ unix_user.key }}
+  file:
+    path: "{{ user_user_home }}/.ssh/config"
+    state: absent
+  when: unix_user.value.ssh.config is not defined
 
 - name: Create .forward file to forward emails for user {{ unix_user.key }}
   template:
diff --git a/tasks/main.yml b/tasks/main.yml
index 70853d2..28bf3b9 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,15 +1,5 @@
 ---
 
-- name: Remove unix groups
-  include_tasks: remove_unix_group.yml
-  with_dict: "{{ unix_groups }}"
-  loop_control:
-    loop_var: unix_group
-  when: unix_groups is defined and
-        unix_groups | length > 0 and
-        unix_group.value.state is defined and
-        unix_group.value.state == 'absent'
-
 - name: Remove unix user
   include_tasks: remove_unix_user.yml
   with_dict: "{{ unix_users }}"
@@ -20,6 +10,16 @@
         unix_user.value.state is defined and
         unix_user.value.state == 'absent'
 
+- name: Remove unix groups
+  include_tasks: remove_unix_group.yml
+  with_dict: "{{ unix_groups }}"
+  loop_control:
+    loop_var: unix_group
+  when: unix_groups is defined and
+        unix_groups | length > 0 and
+        unix_group.value.state is defined and
+        unix_group.value.state == 'absent'
+
 - name: Create unix groups
   include_tasks: create_unix_group.yml
   with_dict: "{{ unix_groups }}"
diff --git a/tasks/remove_unix_group.yml b/tasks/remove_unix_group.yml
index 7f7e9c6..fd45ddd 100644
--- a/tasks/remove_unix_group.yml
+++ b/tasks/remove_unix_group.yml
@@ -2,5 +2,5 @@
 
 - name: Remove unix group {{ unix_group.key }}
   group:
-    name: "{{ unix_group.value.name }}"
+    name: "{{ unix_group.key }}"
     state: absent
\ No newline at end of file
diff --git a/tasks/remove_unix_user.yml b/tasks/remove_unix_user.yml
index 6205202..372b7a2 100644
--- a/tasks/remove_unix_user.yml
+++ b/tasks/remove_unix_user.yml
@@ -1,7 +1,7 @@
 ---
 
 - name: Remove unix user {{ unix_user.key }}
-  group:
-    name: "{{ unix_user.value.name }}"
+  user:
+    name: "{{ unix_user.key }}"
     state: absent
     remove: yes
\ No newline at end of file
diff --git a/templates/authorized_keys.j2 b/templates/authorized_keys.j2
index 459c4c7..1a246ed 100644
--- a/templates/authorized_keys.j2
+++ b/templates/authorized_keys.j2
@@ -2,6 +2,6 @@
 #
 # {{ ansible_managed }}
 #
-{% for key in unix_user.value.ssh_keys.public %}
-{{ lookup('file', 'ssh/pubkeys/' + key) }}
+{% for key in unix_user.value.ssh.authorized_keys %}
+{{ lookup('file', 'ssh/authorized_keys/' + key) }}
 {% endfor %}
diff --git a/templates/config.j2 b/templates/config.j2
new file mode 100644
index 0000000..ec88203
--- /dev/null
+++ b/templates/config.j2
@@ -0,0 +1,14 @@
+#jinja2: lstrip_blocks: True
+#
+# {{ ansible_managed }}
+#
+
+{% for config in unix_user.value.ssh.config %}
+{% for property, value in config.items() %}
+{% if property == "Host" %}
+{{ property }} {{ value }}
+{% else %}
+  {{ property }} = {{ value }}
+{% endif %}
+{% endfor %}
+{% endfor %}
\ No newline at end of file