Allow removal of old SSH keys on provision

[dalepgrant]

Rel: #1087

This PR adds the ability to enable removing old SSH keys from the server.

The added task replaces all SSH keys on the server for the users defined in Trellis with the first found SSH key set in group_vars/all/users.yml. This allows for cases where the Trellis defaults ~/.ssh/id_rsa.pub and ~/.ssh/id_ed25519.pub don't exist. The existing task "Add user SSH keys" then adds the remaining keys as usual.

Given this has the power to lock a user out of their server, a flag has been added to allow making this an optional task to run. To enable, set reset_user_ssh_keys: true. I've placed this in group_vars/all/security.yml but arguments can be made for this in users.yml or main.yml.

Scenarios

Given the default Trellis keys:

  keys:
      - "{{ lookup('file', '~/.ssh/id_rsa.pub', errors='ignore') }}"
      - "{{ lookup('file', '~/.ssh/id_ed25519.pub', errors='ignore') }}"
      # - https://github.com/username.keys

If...

• ~/.ssh/id_rsa.pub does not exist, ~/.ssh/id_ed25519.pub does exist
  • keys becomes ["", "ssh-ed25519 AAAAC3NzaC1.."] (example)
  • select('truthy') filters out empty strings, keys becomes ["ssh-ed25519 AAAAC3NzaC1.."]
  • The value of ~/.ssh/id_ed25519.pub is used (e.g. ssh-ed25519 AAAAC3NzaC1..)
  • The task is run. Note: Until the subsequent (existing) task is run, access is temporarily only available to ~/.ssh/id_ed25519.pub.
• Neither ~/.ssh/id_rsa.pub nor ~/.ssh/id_ed25519.pub exist
  • keys becomes ["", ""]
  • select('truthy') filters out empty strings, keys becomes []
  • The when clause (item['keys'] | select('truthy') | list | length) > 0 evaluates to false
  • The task is skipped - no SSH keys removed from the server.

[dalepgrant]

Happy to add documentation if this gets merged.

roots/docs#542

[swalkinshaw]

🤔 seems useful because it's opt-in. I wonder if we should actually not even define this by default in group_vars/all/security.yml and instead just have docs on it that say to use it as an extra var from the CLI? Then it's only ever set for a single provision. Of course anyone could define it but this will reduce the chances and make it clear how it should be used.

[dalepgrant]

So you'd end up with TRELLIS_RESET_USER_SSH_KEYS=true trellis provision --tags users production, if I'm reading you right (correct me if I'm on the wrong track).

That would presumably mean that someone could set that as a Trellis CLI setting in their config file. Could be a pro or a con.

I'm not married to either way. If you'd prefer this not to be added to security.yml by default then I'll push a change up. Doing it through Trellis CLI seems like a progression from this so could be handled separately - if merged I'll open an issue to follow up.

[swalkinshaw]

Sort of, I mean the Ansible extra vars feature. So it would be used like this: trellis provision --extra-vars reset_user_ssh_keys=true production

They are just normal variables but take precedence. There's no way to set these in the CLI config; they can only be specified in the command like that.

[dalepgrant]

Gotcha, I'm glad I clarified as that's not what I thought you meant!

Understood, I'll remove the entry in security.yml for this PR and add trellis provision --extra-vars reset_user_ssh_keys=true production to the docs PR (which I haven't yet done) roots/docs#542.

[dalepgrant]

Removed from security.yml and tested with extra var, confirmed task runs:
ansible-playbook server.yml -e env=staging --extra-vars="reset_user_ssh_keys=true" --tags=users

Re-tested without extra var, confirmed task does not run:

ansible-playbook server.yml -e env=staging --tags=users

---

For any one else who sees this in future, I'm using the playbook command but the equivalent trellis cli commands for the above would be
trellis provision --tags users --extra-vars reset_user_ssh_keys=true staging
trellis provision --tags users staging

[swalkinshaw]

Thank you 🚀