fix: config ssh client config

defaults/default.yml

@@ -1,26 +1,30 @@
 ---
 
-# unix_groups:
+unix_groups: {}
-#   kah:
+#   alice:
-#     gid: 568
+#     gid: 1001
 #     state: present
-#   markus: {}
+#   bob:
-#   movies:
+#     gid: 1001
 #     state: absent
 
-# unix_users:
+unix_users: {}
-#   markus:
+#   alice:
-#     name: "Markus Pesch"
+#     state: "present"
-#     ssh_keys:
+#     name: "Alice"
-#       public:
+#     uid: "1000"
-#       - markus@markus-pc.pub
+#     ssh:
-#       - markus@markus-nb.pub
+#       config:
+#       - Host: "*"
+#         StrictHostKeyChecking: "no"
+#         UserKnownHostFile: /dev/null
+#       authorized_keys:
+#       - alice@alice-pc.pub
+#       private_keys:
+#       - alice@alice-pc.ed25519.key
+#     home: /home/alice
 #     shell: /bin/bash
-#     group: markus
+#     group: alice
-#     groups:
+#     groups: []
-#     - movies
-#     - music
-#     - series
 #     password: ""
-#     email: markus.pesch@cryptic.systems
+#     email: alice@example.local
-#     state: present

tasks/create_unix_user.yml

@@ -71,13 +71,57 @@
     owner: "{{ unix_user.key }}"
     group: "{{ unix_user.value.group | default('users') }}"
     mode: 0600
-  when: unix_user.value.ssh_keys is defined and unix_user.value.ssh_keys.public | length > 0
+  when: unix_user.value.ssh.authorized_keys is defined and unix_user.value.ssh.authorized_keys | length > 0
 
 - name: Remove authorized_keys file for user {{ unix_user.key }}
   file:
     path: "{{ user_user_home }}/.ssh/authorized_keys"
     state: absent
-  when: unix_user.value.ssh_keys.public is not defined or unix_user.value.ssh_keys.public | length <= 0
+  when: unix_user.value.ssh.authorized_keys is not defined or unix_user.value.ssh.authorized_keys | length <= 0
+
+- name: Create private SSH keys for user {{ unix_user.key }}
+  copy:
+    src: "{{ playbook_dir }}/ssh/private_keys/{{ item }}"
+    dest: "{{ user_user_home }}/.ssh/{{ item }}"
+    owner: "{{ unix_user.key }}"
+    group: "{{ unix_user.value.group | default('users') }}"
+    mode: 0600
+  with_items:
+  - "{{ unix_user.value.ssh.private_keys }}"
+  when: unix_user.value.ssh.private_keys is defined and unix_user.value.ssh.private_keys | length >= 0
+
+- name: Extract public SSH keys from private keys for user {{ unix_user.key }}
+  command: "ssh-keygen -y -f {{ user_user_home }}/.ssh/{{ item }} > {{ user_user_home }}/.ssh/{{ item }}.pub"
+  args:
+    creates: "{{ user_user_home }}/.ssh/{{ item }}.pub"
+  with_items:
+  - "{{ unix_user.value.ssh.private_keys }}"
+  when: unix_user.value.ssh.private_keys is defined and unix_user.value.ssh.private_keys | length >= 0
+
+- name: Correct permissions of public SSH keys for user {{ unix_user.key }}
+  file:
+    path: "{{ user_user_home }}/.ssh/{{ item }}.pub"
+    owner: "{{ unix_user.key }}"
+    group: "{{ unix_user.value.group | default('users') }}"
+    mode: 0644
+  with_items:
+  - "{{ unix_user.value.ssh.private_keys }}"
+  when: unix_user.value.ssh.private_keys is defined and unix_user.value.ssh.private_keys | length >= 0
+
+- name: Create custom SSH client config for user {{ unix_user.key }}
+  template:
+    src: config.j2
+    dest: "{{ user_user_home }}/.ssh/config"
+    owner: "{{ unix_user.key }}"
+    group: "{{ unix_user.value.group | default('users') }}"
+    mode: 0644
+  when: unix_user.value.ssh.config is defined and unix_user.value.ssh.config | length >= 0
+
+- name: Remove custom SSH client config for user {{ unix_user.key }}
+  file:
+    path: "{{ user_user_home }}/.ssh/config"
+    state: absent
+  when: unix_user.value.ssh.config is not defined
 
 - name: Create .forward file to forward emails for user {{ unix_user.key }}
   template:

tasks/main.yml

@@ -1,15 +1,5 @@
 ---
 
-- name: Remove unix groups
-  include_tasks: remove_unix_group.yml
-  with_dict: "{{ unix_groups }}"
-  loop_control:
-    loop_var: unix_group
-  when: unix_groups is defined and
-        unix_groups | length > 0 and
-        unix_group.value.state is defined and
-        unix_group.value.state == 'absent'
-
 - name: Remove unix user
   include_tasks: remove_unix_user.yml
   with_dict: "{{ unix_users }}"
@@ -20,6 +10,16 @@
         unix_user.value.state is defined and
         unix_user.value.state == 'absent'
 
+- name: Remove unix groups
+  include_tasks: remove_unix_group.yml
+  with_dict: "{{ unix_groups }}"
+  loop_control:
+    loop_var: unix_group
+  when: unix_groups is defined and
+        unix_groups | length > 0 and
+        unix_group.value.state is defined and
+        unix_group.value.state == 'absent'
+
 - name: Create unix groups
   include_tasks: create_unix_group.yml
   with_dict: "{{ unix_groups }}"

tasks/remove_unix_group.yml

@@ -2,5 +2,5 @@
 
 - name: Remove unix group {{ unix_group.key }}
   group:
-    name: "{{ unix_group.value.name }}"
+    name: "{{ unix_group.key }}"
     state: absent

tasks/remove_unix_user.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Remove unix user {{ unix_user.key }}
-  group:
+  user:
-    name: "{{ unix_user.value.name }}"
+    name: "{{ unix_user.key }}"
     state: absent
     remove: yes

templates/authorized_keys.j2

@@ -2,6 +2,6 @@
 #
 # {{ ansible_managed }}
 #
-{% for key in unix_user.value.ssh_keys.public %}
+{% for key in unix_user.value.ssh.authorized_keys %}
-{{ lookup('file', 'ssh/pubkeys/' + key) }}
+{{ lookup('file', 'ssh/authorized_keys/' + key) }}
 {% endfor %}

templates/config.j2

@@ -0,0 +1,14 @@
+#jinja2: lstrip_blocks: True
+#
+# {{ ansible_managed }}
+#
+
+{% for config in unix_user.value.ssh.config %}
+{% for property, value in config.items() %}
+{% if property == "Host" %}
+{{ property }} {{ value }}
+{% else %}
+  {{ property }} = {{ value }}
+{% endif %}
+{% endfor %}
+{% endfor %}