From 546a3bb370a8394d133228236a835a0b606ae8a8 Mon Sep 17 00:00:00 2001 From: Matthew Fennell Date: Wed, 14 Jan 2026 23:11:39 +0000 Subject: Ensure all authorized_keys are copied to host I have two keys, one for interactive access, and one for automated jobs. On migration to the new host, I added the interactive key via the VPS provider's form, but neglected to add the key for automated jobs. This led to the backup jobs failing. Therefore, define keys in the inventory that should be copied to the host, and ensure they are installed to root. The subsequent step then copies these to the admin account. There is one problem with this approach: ssh remains open to root. Although privilege escalation from admin is possible, I would like to take steps to reduce root access where possible. However, the playbook currently has to work both on first run when bootstrapping the box, as well as subsequent runs. On the first run, the playbook only has access to root and must create the admin account. However, once the admin account has been created, the playbook should never again interact with root. Therefore, in the near future, I'd like to introduce a "bootstrap" action to the playbook, that should only be run on the first deploy to the host, and disable ssh access to root once finished. Subsequent runs should only interact via admin. --- playbook.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'playbook.yaml') diff --git a/playbook.yaml b/playbook.yaml index be2e655..48262c2 100644 --- a/playbook.yaml +++ b/playbook.yaml @@ -9,6 +9,16 @@ hosts: all tasks: + - name: Ensure all authorized keys are copied to root account + remote_user: root + ansible.posix.authorized_key: + key: | + {% for key in authorized_key_files %} + {{ lookup('file', key) }} + {% endfor %} + user: root + exclusive: true + # Now, we create a non-root user with sudo privileges - name: Ensure wheel group exists remote_user: root -- cgit v1.2.3