---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: Playbook for establishing ssh keys
  hosts: localhost
  connection: local
  gather_facts: false
  become: true
  tasks:
    - name: Ensure root has a .ssh directory
      file:
        path: /root/.ssh
        state: directory
        owner: root
        group: root
        mode: 0700

    - name: Create ssh key pair for root
      user:
        name: root
        generate_ssh_key: yes
        ssh_key_bits: 2048
        ssh_key_file: /root/.ssh/id_rsa

    - name: Get root private key
      command: cat /root/.ssh/id_rsa
      register: private_key_get
      changed_when: false

    - name: Get root public key
      command: cat /root/.ssh/id_rsa.pub
      register: public_key_get
      changed_when: false

    - name: Set key facts
      set_fact:
        root_public_key: "{{ public_key_get.stdout }}"
        root_private_key: "{{ private_key_get.stdout }}"
        lxc_container_ssh_key: "{{ public_key_get.stdout }}"

    - name: Ensure root can ssh to localhost
      authorized_key:
        user: "root"
        key: "{{ root_public_key }}"


- name: Playbook for establishing user ssh keys
  hosts: localhost
  connection: local
  gather_facts: false
  become: false
  tasks:
    # Shell used because facts may not be ready yet
    - name: Get user home directory
      shell: "getent passwd '{{ ansible_user }}' | cut -d':' -f6"
      register: user_home
      changed_when: false

    - name: Set local user home fact
      set_fact:
        calling_user_home: "{{ user_home.stdout }}"

    - name: Ensure user has a .ssh directory
      file:
        path: "{{ calling_user_home }}/.ssh"
        state: directory
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: 0700
      when: ansible_user != 'root'

    - name: Ensure user has the known private key
      copy:
        content: "{{ root_private_key }}"
        dest: "{{ calling_user_home }}/.ssh/id_rsa"
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: "0600"
      when: ansible_user != 'root'

    - name: Ensure user has the known public key
      copy:
        content: "{{ root_public_key }}"
        dest: "{{ calling_user_home }}/.ssh/id_rsa.pub"
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: "0600"
      when: ansible_user != 'root'

    - name: Ensure local user can ssh to localhost
      authorized_key:
        user: "{{ ansible_user }}"
        key: "{{ root_public_key }}"
      when: ansible_user != 'root'