all: Set root authorized keys

The `root_authorized_keys` variable was originally defined only for the *pyrocufflink* group. This used to effectively be "all" machines, since everything was a member of the AD domain. Now that we're moving away from that deployment model, we still want to have the break-glass option, so we need to define the authorized keys for the _all_ group.
2025-02-05 21:49:26 -06:00 · 2025-02-05 21:49:26 -06:00 · e9d6020563
parent d916545e29
commit e9d6020563
2 changed files with 10 additions and 9 deletions
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@ -1,6 +1,16 @@
 ansible_become_method: community.general.doas
 ansible_become_password: unused

+root_authorized_keys: |
+  {% if ansible_distribution == "Fedora" and ansible_distribution_version|int >= 34 %}
+  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINZCN2cxMDwedJ1Ke23Z3CZRcOYjqW8fFqsooRus7RK0AAAABHNzaDo= dustin@rosalina.pyrocufflink.blue
+  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAB6xTCSNz+AcQCWcyVKs84tThXN4wpLgCo2Lc48L6EsAAAABHNzaDo= dustin@luma.pyrocufflink.blue
+  {% else %}
+  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsL5fSylmiJmBtW0DH/viAAmtU2E/2M17GPvysiyRs+ dustin@rosalina
+  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBw1T18jnBfR5reKAACOs/LMcs+jbclj6Eh8z56kJE7+ dustin@luma
+  {% endif %}
+
+
 managed_users:
 - name: dustin
  comment: Dustin C. Hatch
--- a/group_vars/pyrocufflink/main.yml
+++ b/group_vars/pyrocufflink/main.yml
@ -7,13 +7,4 @@ pam_winbind: true
 nss_winbind: true
 pam_mkhomedir: true

-root_authorized_keys: |
-  {% if ansible_distribution == "Fedora" and ansible_distribution_version|int >= 34 %}
-  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINZCN2cxMDwedJ1Ke23Z3CZRcOYjqW8fFqsooRus7RK0AAAABHNzaDo= dustin@rosalina.pyrocufflink.blue
-  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAB6xTCSNz+AcQCWcyVKs84tThXN4wpLgCo2Lc48L6EsAAAABHNzaDo= dustin@luma.pyrocufflink.blue
-  {% else %}
-  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsL5fSylmiJmBtW0DH/viAAmtU2E/2M17GPvysiyRs+ dustin@rosalina
-  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBw1T18jnBfR5reKAACOs/LMcs+jbclj6Eh8z56kJE7+ dustin@luma
-  {% endif %}
-
 fileserver_sftp_only_match: 'Group !server?admins,*'