feat: optimize authorized keys management

join keys if exists instead of using a nested loop

closes #13

defaults/main.yml

@@ -12,7 +12,8 @@
 #     home_create: yes
 #     home: /path/to/user/home
 #     system: no
-#     authorized_keys: []           (required)
+#     authorized_keys: []
+#     authorized_keys_exclusive: yes
 #     ssh_key_type: rsa
 #     ssh_key_bits: 2048
 #     ssh_key_password: ""
@@ -31,3 +32,8 @@ users_group:
 users_groups: []
 # default user home directory permissions
 users_home_mode: "0755"
+
+# you can set these variables to define the default values for all users
+users_default_ssh_key_type: rsa
+users_default_ssh_key_bits: 2048
+users_default_authorized_keys_exclusive: no

tasks/manage.yml

@@ -1,34 +1,38 @@
 ---
 
 - name: Adding primary group
-  group: name="{{ users_group }}" state=present
+  group:
+    name: "{{ users_group }}"
+    state: present
   when: users_group is defined and users_group
 
 - name: Adding secondary groups
-  group: name="{{ item }}" state=present
-  with_items: "{{ users_groups|default([]) }}"
+  group:
+    name: "{{ item }}"
+    state: present
+  with_items: "{{ users_groups | default([]) }}"
 
 - name: Adding users
   user:
     name: "{{ item.username }}"
-    uid: "{{ item.uid|default(omit) }}"
-    home: "{{ item.home|default(users_home ~ '/' ~ item.username ) }}"
-    comment: "{{ item.name|default(omit) }}"
-    system: "{{ item.system|default(omit) }}"
-    generate_ssh_key: "{{ item.ssh_key_generate|default(omit) }}"
+    uid: "{{ item.uid | default(omit) }}"
+    home: "{{ item.home | default(users_home ~ '/' ~ item.username ) }}"
+    comment: "{{ item.name | default(omit) }}"
+    system: "{{ item.system | default(omit) }}"
+    generate_ssh_key: "{{ item.ssh_key_generate | default(omit) }}"
     group: "{{ omit if item.group is defined and item.group == item.username else (item.group if item.group is defined else (users_group if users_group else omit)) }}"
     groups: "{{ item.groups|join(',') if item.groups is defined else users_groups|join(',')}}"
-    password: "{{ item.password|default(omit) }}"
-    ssh_key_file: ".ssh/id_{{ item.ssh_key_type|default('rsa') }}"
-    ssh_key_passphrase: "{{ item.ssh_key_password|default('') }}"
-    ssh_key_bits: "{{ item.ssh_key_bits|default(2048) }}"
-    createhome: "{{ item.home_create|default(omit) }}"
-    shell: "{{ item.shell|default(omit) }}"
+    password: "{{ item.password | default(omit) }}"
+    ssh_key_file: ".ssh/id_{{ item.ssh_key_type | default(users_default_ssh_key_type) }}"
+    ssh_key_passphrase: "{{ item.ssh_key_password | default(omit) }}"
+    ssh_key_bits: "{{ item.ssh_key_bits | default(users_default_ssh_key_bits) }}"
+    createhome: "{{ item.home_create | default(omit) }}"
+    shell: "{{ item.shell | default(omit) }}"
   with_items: "{{ users }}"
 
 - name: Setting user's home permission
   file:
-    dest: "{{ item.home|default(users_home ~ '/' ~ item.username) }}"
+    dest: "{{ item.home | default(users_home ~ '/' ~ item.username) }}"
     owner: "{{ item.username }}"
     group: "{{ item.group if item.group is defined else (users_group if users_group else item.username) }}"
     mode: "{{ item.home_mode if item.home_mode is defined else users_home_mode }}"
@@ -37,29 +41,28 @@
 
 - name: Adding user's .ssh directory
   file:
-    path: "{{ item.home|default(users_home ~ '/' ~ item.username) }}/.ssh"
+    path: "{{ item.home | default(users_home ~ '/' ~ item.username) }}/.ssh"
     owner: "{{ item.username }}"
     group: "{{ item.group if item.group is defined else (users_group if users_group else item.username) }}"
     state: directory
-    mode: 0700
+    mode: '0700'
   when: item.home_create is not defined or item.home_create
   with_items: "{{ users }}"
 
 - name: Adding user's private key
   template:
     src: home-user-ssh-private-key.j2
-    dest: "{{ item.home|default(users_home ~ '/' ~ item.username) }}/.ssh/id_{{ item.ssh_key_type|default('rsa') }}"
+    dest: "{{ item.home | default(users_home ~ '/' ~ item.username) }}/.ssh/id_{{ item.ssh_key_type | default('rsa') }}"
     owner: "{{ item.username }}"
     group: "{{ item.group if item.group is defined else (users_group if users_group else item.username) }}"
-    mode: 0600
+    mode: '0600'
   when: (item.home_create is not defined or item.home_create) and item.ssh_key is defined
   with_items: "{{ users }}"
 
 - name: Adding user's authorized keys
   authorized_key:
-    key: "{{ item.1 }}"
-    user: "{{ item.0.username }}"
-  when: item.0.home_create is not defined or item.0.home_create
-  with_subelements:
-    - "{{ users }}"
-    - authorized_keys
+    key: "{{ item.authorized_keys | default([]) | join('\n') }}"
+    user: "{{ item.username }}"
+    exclusive: "{{ item.authorized_keys_exclusive | default(users_default_authorized_keys_exclusive) }}"
+  when: item.home_create is not defined or item.home_create
+  with_items: "{{ users }}"

tests/main.yml

@@ -1,42 +1,34 @@
 ---
 
 - hosts: all
-  sudo: yes
   roles:
     - franklinkim.users
   vars:
     users:
       - username: foobar
         name: Foo Bar 1
-        authorized_keys: []
       - username: foobar_authorized_keys
         authorized_keys:
           - "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key"
         home_create: yes
       - username: foobar_nohome
-        authorized_keys: []
         home_create: no
       - username: foobar_groups
-        authorized_keys: []
         groups:
           - users
       - username: foobar_groups_reset
-        authorized_keys: []
         groups: []
         group: foobar_groups_reset
       - username: foobar_home_mode
-        authorized_keys: []
         home_mode: "0750"
       - username: foobar_key
-        authorized_keys: []
         ssh_key: "-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzI\nw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoP\nkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2\nhMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NO\nTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcW\nyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQIBIwKCAQEA4iqWPJXtzZA68mKd\nELs4jJsdyky+ewdZeNds5tjcnHU5zUYE25K+ffJED9qUWICcLZDc81TGWjHyAqD1\nBw7XpgUwFgeUJwUlzQurAv+/ySnxiwuaGJfhFM1CaQHzfXphgVml+fZUvnJUTvzf\nTK2Lg6EdbUE9TarUlBf/xPfuEhMSlIE5keb/Zz3/LUlRg8yDqz5w+QWVJ4utnKnK\niqwZN0mwpwU7YSyJhlT4YV1F3n4YjLswM5wJs2oqm0jssQu/BT0tyEXNDYBLEF4A\nsClaWuSJ2kjq7KhrrYXzagqhnSei9ODYFShJu8UWVec3Ihb5ZXlzO6vdNQ1J9Xsf\n4m+2ywKBgQD6qFxx/Rv9CNN96l/4rb14HKirC2o/orApiHmHDsURs5rUKDx0f9iP\ncXN7S1uePXuJRK/5hsubaOCx3Owd2u9gD6Oq0CsMkE4CUSiJcYrMANtx54cGH7Rk\nEjFZxK8xAv1ldELEyxrFqkbE4BKd8QOt414qjvTGyAK+OLD3M2QdCQKBgQDtx8pN\nCAxR7yhHbIWT1AH66+XWN8bXq7l3RO/ukeaci98JfkbkxURZhtxV/HHuvUhnPLdX\n3TwygPBYZFNo4pzVEhzWoTtnEtrFueKxyc3+LjZpuo+mBlQ6ORtfgkr9gBVphXZG\nYEzkCD3lVdl8L4cw9BVpKrJCs1c5taGjDgdInQKBgHm/fVvv96bJxc9x1tffXAcj\n3OVdUN0UgXNCSaf/3A/phbeBQe9xS+3mpc4r6qvx+iy69mNBeNZ0xOitIjpjBo2+\ndBEjSBwLk5q5tJqHmy/jKMJL4n9ROlx93XS+njxgibTvU6Fp9w+NOFD/HvxB3Tcz\n6+jJF85D5BNAG3DBMKBjAoGBAOAxZvgsKN+JuENXsST7F89Tck2iTcQIT8g5rwWC\nP9Vt74yboe2kDT531w8+egz7nAmRBKNM751U/95P9t88EDacDI/Z2OwnuFQHCPDF\nllYOUI+SpLJ6/vURRbHSnnn8a/XG+nzedGH5JGqEJNQsz+xT2axM0/W/CRknmGaJ\nkda/AoGANWrLCz708y7VYgAtW2Uf1DPOIYMdvo6fxIB5i9ZfISgcJ/bbCUkFrhoH\n+vq/5CIWxCPp0f85R4qxxQ5ihxJ0YDQT9Jpx4TMss4PSavPaBH3RXow5Ohe+bYoQ\nNE5OgEXk2wVfZczCZpigBKbKZHNYcelXtTt/nP3rsCuGcM4h53s=\n-----END RSA PRIVATE KEY-----\n"
       - username: foobar_key_generate
-        authorized_keys: []
         ssh_key_generate: yes
         ssh_key_password: secret
       - username: foobar_system
-        authorized_keys: []
         system: yes
     users_group: staff
     users_groups:
       - www-data
+    users_default_authorized_keys_exclusive: yes