Add removal of revoked keys

90fda2c7 · Robin Goodall · 6cc7408f · 90fda2c7 · 90fda2c7 · 90fda2c7
Commit 90fda2c7 authored 6 years ago by Robin Goodall
--- a/roles/devops-ssh-users/README.md
+++ b/roles/devops-ssh-users/README.md
 # Role: add-devops-users
-This role adds user accounts for members of the DevOps group. 
+This role adds user accounts for members of the DevOps group.

 ## Required vars

- devops_users (in correct format for gp add_users role see [add_users](https://git.uis.cam.ac.uk/i/uis/infra/ansible.git/blob_plain/HEAD:/gp_roles/add_users/README))
+- devops_users
+
+  list of users and keys to add (in correct format for gp add_sudo_users role, see [add_sudo_users](https://gitlab.developers.cam.ac.uk/uis/devops/infra/ansible/infra/tree/devops/gp_roles/add_sudo_users))

  ```See defaults/main.yml```
-  
+
+## Optional vars
+
+- ssh_revoked_keys
+
+  Keys to be removed (and for which user)
+
 ## Dependencies
 This role depends upon the add_sudo_users gp_roles.


--- a/roles/devops-ssh-users/defaults/main.yml
+++ b/roles/devops-ssh-users/defaults/main.yml
@@ -3,32 +3,30 @@ devops_users:
  - name: 'Steve Ison'
    username: si202
    pub_key: si202.pub
-    shell: '/bin/bash'
  - name: 'Abraham Martin'
    username: amc203
    pub_key: amc203.pub
-    shell: '/bin/bash'
  - name: 'Peter Heiner'
    username: ph448
    pub_key: ph448.pub
-    shell: '/bin/bash'
  - name: 'Robin Goodall'
    username: rjg21
    pub_key: rjg21.pub
-    shell: '/bin/bash'
  - name: 'Sam Wenham'
    username: sdw37
    pub_key: sdw37.pub
-    shell: '/bin/bash'
  - name: 'Rich Wareham'
    username: rjw57
    pub_key: rjw57.pub
-    shell: '/bin/bash'
  - name: 'Mike Bamford'
    username: mb2174
    pub_key: mb2174.pub
-    shell: '/bin/bash'
  - name: 'Janet Wilkins'
    username: jmw11
    pub_key: jmw11.pub
-    shell: '/bin/bash'
+
+ssh_revoked_keys:
+  - username: si202
+    pub_key: si202-revoked.pub
+  - username: jmw11
+    pub_key: jmw11-revoked.pub
--- a/roles/devops-ssh-users/tasks/main.yml
+++ b/roles/devops-ssh-users/tasks/main.yml
@@ -4,3 +4,15 @@
    name: add_sudo_users
  vars:
    users: "{{ devops_users }}"
+  tags:
+    devops-ssh-users
+
+- name: Revoke ssh user keys
+  authorized_key:
+    user: "{{ item.username }}"
+    key: "{{ lookup('file', 'public_keys/' + item.pub_key) }}"
+    state: absent
+  loop: "{{ ssh_revoked_keys }}"
+  when: ssh_revoked_keys is defined
+  tags:
+    devops-ssh-users