Configure domain for github_ssh_keys to point at a GitLab server

It would be cool if there was a way to modify the host used in the github_ssh_keys role.

A per user config for the host would be pretty sweet. Although, I can’t really think of a use case for needing to get keys from two different git hosts depending on the user — if they’re going to deploy the site, they’re pretty much going to need an account for wherever the git repo is hosted (be it GitHub or GitLab). So, maybe some sort of global override for all users would be better.

I’m assuming it would look something like this:

…ansible/group_vars/production

github_ssh_keys:
  - username: swalkinshaw
    host: somegitlabhost.com
    authorized:
      - "{{ web_user }}"

or

github_ssh_keys_host: somegitlabhost.com
github_ssh_keys:
  - username: swalkinshaw
    authorized:
      - "{{ web_user }}"

So, the request for the keys would go out to: https://somegitlabhost.com/swalkinshaw.keys

I’m assuming I could just change the host manually inside ...ansible/roles/github-ssh-keys/tasks/main.yml, but that feels pretty dirty.
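One way the per-user and global overrides proposed above could be wired into a task, as an added example (it is not the role's actual tasks/main.yml and not code from anyone in this thread). The `host` key and `github_ssh_keys_host` variable are the names proposed in the post, and the task layout and sample values are assumptions.

```yaml
# Added illustration; hypothetical task, not the contents of the role's tasks/main.yml.
# group_vars (constructed sample values, names as proposed in the post above):
#   github_ssh_keys_host: somegitlabhost.com      # global override
#   github_ssh_keys:
#     - username: swalkinshaw
#       host: somegitlabhost.com                  # optional per-user override
#       authorized:
#         - "{{ web_user }}"

- name: Add SSH keys served by the configured git host
  authorized_key:
    # item.0 is the github_ssh_keys entry, item.1 is one name from its "authorized" list.
    user: "{{ item.1 }}"
    # Precedence: per-user host, then the global override, then github.com.
    # The scheme is hard-coded to https so the key list is never fetched in cleartext.
    key: "https://{{ item.0.host | default(github_ssh_keys_host | default('github.com')) }}/{{ item.0.username }}.keys"
    # Certificate validation stays on (the module default), which matters most
    # for a self-hosted GitLab: an unverified response here is written
    # straight into authorized_keys.
    validate_certs: yes
  with_subelements:
    - "{{ github_ssh_keys | default([]) }}"
    - authorized
```

Whichever host is configured becomes the authority for who can log in as each authorized user, so it should be one you already trust with the repository itself.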

Related: I’ve had it in the back of my mind to do a PR proposing to switch github_ssh_keys to a more generic ssh_keys that can draw keys from any specified remote host or local file. I haven’t thought a ton about it yet, but I was thinking the revised ssh_keys dictionary in group_vars could look something like this:

ssh_keys:
  - "{{ web_user }}"
    remote:
      - https://github.com/myusername.keys
      - https://github.com/mypartnerusername.keys
    local:
      - /local/machine/path/to/key/for/guy/whos/key/isnt/on/github
      - /local/path/to/key/for/other/guy/whos/key/isnt/on/github
  - other_user
    remote:
      - https://someothergithost.com/other_user.keys

That looks awesome and way more flexible!

I like how {{ web_user }} is at the top level with a list of keys under it. I think it’s a bit more obvious what’s going on than the current version.

I’m all for this :thumbsup:

@bryandowning I never knew (or thought about) that GitLab had the same feature available.

I never knew that GitHub (or GitLab) had this feature!

Here’s how I proposed it in roots/bedrock-ansible/pull/246

users:
  - name: "{{ web_user }}"
    groups:
      - "{{ web_group }}"
    keys:
      - https://github.com/username.keys
      - https://some-other-git-host.com/otherusername.keys
  - name: otheruser
    groups:
      - somegroup
      - someothergroup
    keys:
      - https://github.com/otheruser.keys
      - "{{ lookup('file', '/local/path/to/key/id_rsa.pub') }}"

Maybe Bitbucket’s API lets you get keys too. I haven’t looked into it yet:
https://confluence.atlassian.com/display/BITBUCKET/ssh-keys+Resource

@bryandowning The changes have been applied in roots/bedrock-ansible/pull/247 if you want to try them out. See also the updated SSH keys wiki.