@zeitounator
Last active January 12, 2024 16:09
$ # Test project structure
$ tree
.
├── test.yml
├── users_initial.yml
└── users_modify.yml
0 directories, 3 files
$ # User data for initial creation
$ cat users_initial.yml
---
# Initial account data consumed by test.yml (loop: "{{ users }}").
# Each entry: login name, clear-text password (hashed by the playbook
# before it reaches the user module) and the keys to install verbatim.
# Clear-text passwords are fine for this throwaway test fixture; for a
# real inventory keep this file encrypted with ansible-vault.
users:
  - username: 'user1'
    password: 'secret1'
    public_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDau24KkhJiZ6OfuhZrkoxv/YxWKJRdefI0lULdI+Lhw user1@machine'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGWtkBHm2bLuT40EJMC2d5gFVYl3N6qZcGLdf2BhA9F user1@machine'
  - username: 'user2'
    password: 'secret2'
    public_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFbQwAiS7z6ea+5cZq3eNU5SZ+XwmYF52Z2ZUGEtS9C2 user2@machine'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII8PnDXPKAWBK6G29tjli796Pyj2Y55RiwGWh2JT1oRu user2@machine'
$ # User data for a subsequent alteration of the users. Note that a key changes for user1 and a key is deleted for user2
$ cat users_modify.yml
---
# Altered account data, selected by running test.yml with -e alter_users=true.
# Same shape as users_initial.yml. Differences from the initial data:
#   user1 - first key replaced by a new one
#   user2 - first key dropped, only the second key remains
# Because the playbook installs keys with exclusive: true, any key missing
# from this list is removed from the account's authorized_keys.
users:
  - username: 'user1'
    password: 'secret1'
    public_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGHndjn7XPC59Z9KyrJHjX9/ntoIlHMqqTHRC04U+T0 user1@machine'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGWtkBHm2bLuT40EJMC2d5gFVYl3N6qZcGLdf2BhA9F user1@machine'
  - username: 'user2'
    password: 'secret2'
    public_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII8PnDXPKAWBK6G29tjli796Pyj2Y55RiwGWh2JT1oRu user2@machine'
$ # Playbook to test all this
$ cat test.yml
---
# Test playbook: create the users listed in the selected data file, install
# their SSH keys, then read back each authorized_keys file to show the result.
# Data file selection: users_initial.yml by default, users_modify.yml when
# run with -e alter_users=true.
- hosts: all
  gather_facts: false
  vars_files:
    # alter_users is an optional extra var; unset or falsy picks the initial data.
    - "users_{{ 'modify' if alter_users | d(false) | bool else 'initial' }}.yml"
  vars:
    # Fixed salt so password_hash yields the same hash on every run, which is
    # what keeps the user task idempotent (ok=... changed=0 on a rerun).
    # One salt shared by every account and committed with the playbook is
    # acceptable for a disposable test container only; on real hosts use a
    # per-user salt that is not stored in version control.
    my_hash_salt: totopipobingo
  tasks:
    - name: Create users in my test docker container
      ansible.builtin.user:
        name: "{{ item.username }}"
        # Hashed here; the module only ever sees the crypt(3)-style hash.
        password: "{{ item.password | password_hash('sha512', my_hash_salt) }}"
      loop: "{{ users }}"
      loop_control:
        # Label the loop with the username so the full item (password
        # included) is not echoed in the task output.
        label: "{{ item.username }}"
    - name: Add keys for each user
      ansible.posix.authorized_key:
        user: "{{ item.username }}"
        # Double quotes make \n a real newline: one key per line.
        key: "{{ item.public_keys | join('\n') }}"
        # exclusive: any key not in the list above is removed from the
        # account; this is what drops user2's old key on the modify run.
        exclusive: true
      loop: "{{ users }}"
      loop_control:
        label: "{{ item.username }}"
    - name: "[verify]: getauthorized key files contents"
      ansible.builtin.slurp:
        # Assumes the home directory is /home/<username>, i.e. the default
        # the user module used above; adjust if home is set elsewhere.
        src: /home/{{ item.username }}/.ssh/authorized_keys
      register: key_files
      loop: "{{ users }}"
      loop_control:
        label: "{{ item.username }}"
    # The task name says "both keys" but on the modify run user2 ends up
    # with a single key; the output is correct, only the name is loose.
    - name: "[verify]: show that each user has both keys"
      ansible.builtin.debug:
        # slurp returns base64; decode and split so each key is one list entry.
        msg: "{{ (item.content | b64decode).splitlines() }}"
      loop: "{{ key_files.results }}"
      loop_control:
        # Each result wraps the original loop item under item.item.
        label: "{{ item.item.username }}"
$ # spawn a docker container for testing
$ docker run -d --rm --name testkey python:latest tail -f /dev/null
13d1c4ac20412803364fdea5cecc71bedbbc79a12c5e692b21ddcb878c44f61c
$ # First run with initial data
$ ansible-playbook -i testkey, --connection docker test.yml
PLAY [all] ************************************************************************************************************************************************************************************************
TASK [Create users in my test docker container] ***********************************************************************************************************************************************************
changed: [testkey] => (item=user1)
changed: [testkey] => (item=user2)
TASK [Add keys for each user] *****************************************************************************************************************************************************************************
changed: [testkey] => (item=user1)
changed: [testkey] => (item=user2)
TASK [[verify]: getauthorized key files contents] *********************************************************************************************************************************************************
ok: [testkey] => (item=user1)
ok: [testkey] => (item=user2)
TASK [[verify]: show that each user has both keys] ********************************************************************************************************************************************************
ok: [testkey] => (item=user1) => {
"msg": [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDau24KkhJiZ6OfuhZrkoxv/YxWKJRdefI0lULdI+Lhw user1@machine",
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGWtkBHm2bLuT40EJMC2d5gFVYl3N6qZcGLdf2BhA9F user1@machine"
]
}
ok: [testkey] => (item=user2) => {
"msg": [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFbQwAiS7z6ea+5cZq3eNU5SZ+XwmYF52Z2ZUGEtS9C2 user2@machine",
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII8PnDXPKAWBK6G29tjli796Pyj2Y55RiwGWh2JT1oRu user2@machine"
]
}
PLAY RECAP ************************************************************************************************************************************************************************************************
testkey : ok=4 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
$ # Make sure we are idempotent: run with the same data; nothing should change
$ ansible-playbook -i testkey, --connection docker test.yml
PLAY [all] ************************************************************************************************************************************************************************************************
TASK [Create users in my test docker container] ***********************************************************************************************************************************************************
ok: [testkey] => (item=user1)
ok: [testkey] => (item=user2)
TASK [Add keys for each user] *****************************************************************************************************************************************************************************
ok: [testkey] => (item=user1)
ok: [testkey] => (item=user2)
TASK [[verify]: getauthorized key files contents] *********************************************************************************************************************************************************
ok: [testkey] => (item=user1)
ok: [testkey] => (item=user2)
TASK [[verify]: show that each user has both keys] ********************************************************************************************************************************************************
ok: [testkey] => (item=user1) => {
"msg": [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDau24KkhJiZ6OfuhZrkoxv/YxWKJRdefI0lULdI+Lhw user1@machine",
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGWtkBHm2bLuT40EJMC2d5gFVYl3N6qZcGLdf2BhA9F user1@machine"
]
}
ok: [testkey] => (item=user2) => {
"msg": [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFbQwAiS7z6ea+5cZq3eNU5SZ+XwmYF52Z2ZUGEtS9C2 user2@machine",
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII8PnDXPKAWBK6G29tjli796Pyj2Y55RiwGWh2JT1oRu user2@machine"
]
}
PLAY RECAP ************************************************************************************************************************************************************************************************
testkey : ok=4 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
$ # Now run with altered data and make sure we only get the wanted keys for each user
$ ansible-playbook -i testkey, --connection docker test.yml -e alter_users=true
PLAY [all] ************************************************************************************************************************************************************************************************
TASK [Create users in my test docker container] ***********************************************************************************************************************************************************
ok: [testkey] => (item=user1)
ok: [testkey] => (item=user2)
TASK [Add keys for each user] *****************************************************************************************************************************************************************************
changed: [testkey] => (item=user1)
changed: [testkey] => (item=user2)
TASK [[verify]: getauthorized key files contents] *********************************************************************************************************************************************************
ok: [testkey] => (item=user1)
ok: [testkey] => (item=user2)
TASK [[verify]: show that each user has both keys] ********************************************************************************************************************************************************
ok: [testkey] => (item=user1) => {
"msg": [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGWtkBHm2bLuT40EJMC2d5gFVYl3N6qZcGLdf2BhA9F user1@machine",
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGHndjn7XPC59Z9KyrJHjX9/ntoIlHMqqTHRC04U+T0 user1@machine"
]
}
ok: [testkey] => (item=user2) => {
"msg": [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII8PnDXPKAWBK6G29tjli796Pyj2Y55RiwGWh2JT1oRu user2@machine"
]
}
PLAY RECAP ************************************************************************************************************************************************************************************************
testkey : ok=4 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0