do ssh key handling on client node to simplify finding /home/rocky

sjpb · sjpb · commit 456db6d66abc · 2025-03-04T12:21:04.000Z
diff --git a/ansible/roles/basic_users/README.md b/ansible/roles/basic_users/README.md
@@ -35,16 +35,15 @@ Role Variables
   - Any other keys may present for other purposes (i.e. not used by this role).
 - `basic_users_groups`: Optional, default empty list. A list of mappings defining information for each group. Mapping keys/values are passed through as parameters to [ansible.builtin.group](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/group_module.html) and default values are as given there.
 - `basic_users_override_sssd`: Optional bool, default false. Whether to disable `sssd` when ensuring users/groups exist with this role. Permits creating local users/groups even if they clash with users provided via sssd (e.g. from LDAP). Ignored if host is not in group `sssd` as well. Note with this option active `sssd` will be stopped and restarted each time this role is run.
-- `basic_users_homedir_host`: Optional inventory hostname specifying the host
-  on which to manipulate home directories (assuming `create_home` is true). If home directories are exported with
-  root squash, this *must* specify that server. If root squash is not used it
-  can be any node in the `basic_users` group. Default is the `control` node,
-  which assumes the default appliance NFS-exported home directory configuration.
+- `basic_users_homedir_host`: Optional inventory hostname defining the host
+  to use to create home directories. If the home directory export is root squashed,
+  this host *must* be the home directory server. Default is the `control` node,
+  for the default appliance NFS-exported home directory configuration.
+  Not relevant if `create_home` is false for all users.
 - `basic_users_homedir_host_path`: Optional path prefix for home directories on
-   the `basic_users_homedir_host`. Default is `/exports/home` which assumes the
-   default appliance NFS-exported home directory configuration. **NB**: This may
-   vary depending on whether
-   `basic_users_homedir_host` is a server or a client for the home directories.
+   the `basic_users_homedir_host`, i.e. on the "server side". Default is
+   `/exports/home`, for the default appliance NFS-exported home directory
+   configuration.
 
 Dependencies
 ------------
diff --git a/ansible/roles/basic_users/tasks/main.yml b/ansible/roles/basic_users/tasks/main.yml
@@ -31,40 +31,56 @@
       create_home: false
       generate_ssh_key: false
 
+- name: Write sudo rules
+  blockinfile:
+    path: /etc/sudoers.d/80-{{ item.name}}-user
+    block: "{{ item.sudo }}"
+    create: true
+  loop: "{{ basic_users_users }}"
+  loop_control:
+    label: "{{ item.name }}"
+  when:
+    - item.state | default('present') == 'present'
+    - "'sudo' in item"
+
 - name: Restart sssd if required
   systemd:
     name: sssd
     state: started
   when: _stop_sssd is changed
 
-- name: Modify home directories
+# This task runs (only) on the home diretory server, if in the group, so it can
+# handle root squashed exports
+- name: Create home directories
+  # doesn't delete with state=absent, same as ansible.builtin.user
+  file:
+    state: directory
+    path: "{{ item.home | default( basic_users_homedir_host_path + '/' + item.name ) }}"
+    owner: "{{ item.name }}"
+    group: "{{ item.name }}"
+    mode: u=rwX,go=
   delegate_to: "{{ basic_users_homedir_host }}"
   run_once: true
-  block:
-    - name: Create home directories
-      # doesn't delete with state=absent, same as ansible.builtin.user
-      file:
-        state: directory
-        path: "{{ item.home | default( basic_users_homedir_host_path + '/' + item.name ) }}"
-        owner: "{{ item.name }}"
-        group: "{{ item.name }}"
-        mode: u=rwX,go=
-      loop: "{{ basic_users_users }}"
-      loop_control:
-        label: "{{ item.name }}"
-      when:
-        - item.state | default('present') == 'present'
-        - item.create_home | default(true) | bool
+  loop: "{{ basic_users_users }}"
+  loop_control:
+    label: "{{ item.name }}"
+  when:
+    - item.state | default('present') == 'present'
+    - item.create_home | default(true) | bool
 
+# The following tasks deliberately run on a (single) *client* node, so that
+# home directory paths are easily constructed, becoming each user so that root
+# squash doesn't matter
+- delegate_to: "{{ groups['basic_users'] | difference([basic_users_homedir_host]) | first }}"
+  run_once: true
+  block:
     - name: Create ~/.ssh directories
       file:
         state: directory
-        path: "{{ _homedir }}/.ssh/"
+        path: ~/.ssh/
         owner: "{{ item.name }}"
         group: "{{ item.name }}"
         mode: u=rwX,go=
-      vars:
-        _homedir: "{{ item.home | default( basic_users_homedir_host_path + '/' + item.name ) }}"
       become_user: "{{ item.name }}"
       loop: "{{ basic_users_users }}"
       loop_control:
@@ -74,10 +90,9 @@
   
     - name: Generate cluster ssh key
       community.crypto.openssh_keypair:
-        path: "{{ item.ssh_key_file | default(_homedir + '/.ssh/' + _ssh_key_type )}}"
+        path: "{{ item.ssh_key_file | default('~/.ssh/' + _ssh_key_type )}}" # NB: ssh_key_file is from ansible.builtin.user
         type: "{{ _ssh_key_type }}"
       vars:
-        _homedir: "{{ item.home | default( basic_users_homedir_host_path + '/' + item.name ) }}"
         _ssh_key_type: "{{ item.ssh_key_type | default('ed25519') }}"
       become_user: "{{ item.name }}"
       loop: "{{ basic_users_users }}"
@@ -88,36 +103,13 @@
         - item.generate_ssh_key | default(true) | bool
       register: _cluster_ssh_keypair
 
-      # - debug:
-      #     var: _cluster_ssh_keypair
-      # - meta: end_here
-
-    - name: Write supplied public key as authorized for SSH access
-      ansible.posix.authorized_key:
-        user: "{{ item.name }}"
-        state: present
-        manage_dir: false
-        key: "{{ item.public_key }}"
-        path: "{{ _homedir }}/.ssh/authorized_keys"
-      vars:
-        _homedir: "{{ item.home | default( basic_users_homedir_host_path + '/' + item.name ) }}"
-      become_user: "{{ item.name }}"
-      loop: "{{ basic_users_users }}"
-      loop_control:
-        label: "{{ item.name }}"
-      when:
-        - item.state | default('present') == 'present'
-        - item.public_key is defined
-
-    - name: Write generated public key as authorized for SSH access
+    - name: Write generated cluster ssh key to authorized_keys
       ansible.posix.authorized_key:
         user: "{{ item.item.name }}"
         state: present
         manage_dir: false
         key: "{{ item.public_key }}"
-        path: "{{ _homedir }}/.ssh/authorized_keys"
-      vars:
-        _homedir: "{{ item.item.home | default( basic_users_homedir_host_path + '/' + item.item.name ) }}"
+        path: ~/.ssh/authorized_keys
       become_user: "{{ item.item.name }}"
       loop: "{{ _cluster_ssh_keypair.results }}"
       loop_control:
@@ -126,14 +118,17 @@
         - item.item.state | default('present') == 'present'
         - "'public_key' in item"
 
-- name: Write sudo rules
-  blockinfile:
-    path: /etc/sudoers.d/80-{{ item.name}}-user
-    block: "{{ item.sudo }}"
-    create: true
-  loop: "{{ basic_users_users }}"
-  loop_control:
-    label: "{{ item.name }}"
-  when:
-    - item.state | default('present') == 'present'
-    - "'sudo' in item"
+    - name: Write supplied public key to authorized_keys
+      ansible.posix.authorized_key:
+        user: "{{ item.name }}"
+        state: present
+        manage_dir: false
+        key: "{{ item.public_key }}"
+        path: ~/.ssh/authorized_keys
+      become_user: "{{ item.name }}"
+      loop: "{{ basic_users_users }}"
+      loop_control:
+        label: "{{ item.name }}"
+      when:
+        - item.state | default('present') == 'present'
+        - item.public_key is defined
