summaryrefslogtreecommitdiff
path: root/library/sshvpn.py
blob: 42c1e60d68fe105ad22189f58bc5dfc22bc3788a (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76

#!/usr/local/bin/python3 

from __future__ import absolute_import, division, print_function
__metaclass__ = type

from ansible.module_utils.basic import AnsibleModule
import json, shlex, os
from datetime import datetime

SSH_ROOT = "/var/reactance/sshvpn/.ssh"
AUTHORIZED_KEYS = os.path.join(SSH_ROOT, "authorized_keys")

def exec_shell(cmd, module):
    # use_unsafe_shell=True so ansible doesn't remove |
    rc, stdout, stderr= module.run_command(cmd, environ_update={'TERM': 'dumb'}, use_unsafe_shell=True)
    if rc != 0:
        module.fail_json(stderr)
    return stdout.rstrip()

def sshvpn_get_users():
    previous_users = [".".join(i.split('.')[:-1]) for i in os.listdir(SSH_ROOT) if i.endswith(".pub")]
    return previous_users

def sshvpn_update_users(update_password, module):
    previous_users = sshvpn_get_users()
    new_users_dict = {}

    # Remove users not in new group_vars
    for user in previous_users:
        if user not in update_password.keys():
            exec_shell(f"rm {SSH_ROOT}/{user} {SSH_ROOT}/{user}.pub", module)

    # Update keys for new users or regenerate keys for old users
    for user in update_password.keys():
        if user not in previous_users or update_password[user]:
            exec_shell(f"yes | ssh-keygen -q -t ed25519 -C {user} -N \'\' -f \'{SSH_ROOT}/{user}\'", module)
            with open(f"{SSH_ROOT}/{user}", "r") as privkey:
              new_users_dict[user] = {"sshvpn": privkey.read()}

    # Overwrite existing authorized_keys file
    users_pubkeys = [i for i in os.listdir(SSH_ROOT) if i.endswith(".pub")]
    with open(AUTHORIZED_KEYS, "w") as f:
        for user_pubkey in users_pubkeys:
            user_pubkey_file = os.path.join(SSH_ROOT, user_pubkey)
            with open(user_pubkey_file, "r") as pkey:
                f.write(pkey.read())

    # kill running sessions
    exec_shell(f"pkill -u sshvpn &>/dev/null", module)

    return new_users_dict

def run_module():
    module = AnsibleModule(
        argument_spec=dict(
            users = dict(type='list', required=True)
        ),
        supports_check_mode=True
    )
    users = module.params["users"]
    update_password = {}

    for user in users:
        if 'regen' in user.keys() and user['regen']:
            update_password[user['user']] = True
        else:
            update_password[user['user']] = False

    new_users_dict = sshvpn_update_users(update_password, module)
    module.exit_json(changed=True, msg=new_users_dict)

def main():
    run_module()

if __name__ == "__main__":
    main()
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-27 23:00:23 +0000