added manage-ssh-keys role

playbooks/hardening/manage-ssh-keys.yaml

@@ -0,0 +1,6 @@
+- hosts: all
+  vars:
+    good_keys: "{{ lookup('env', 'good_keys') | from_json }}"
+    bad_keys: "{{ lookup('env', 'bad_keys') | from_json }}"
+  roles:
+    - role: manage_ssh_keys

roles/manage-ssh-keys/defaults/main.yml

@@ -0,0 +1,14 @@
+---
+ssh_user: "root"
+authorized_keys_file: >-
+  {{ "/root/.ssh/authorized_keys" if ssh_user == "root" else "/home/{{ ssh_user }}/.ssh/authorized_keys" }}
+
+# Liste der erwünschten (Good) Keys
+good_keys:
+  - "ssh-rsa AAAAB3... goodkey1"
+  - "ssh-rsa AAAAB3... goodkey2"
+
+# Liste der unerwünschten (Bad) Keys
+bad_keys:
+  - "ssh-rsa AAAAB3... badkey1"
+  - "ssh-rsa AAAAB3... badkey2"

roles/manage-ssh-keys/tasks/main.yml

@@ -0,0 +1,35 @@
+---
+- name: Stelle sicher, dass das .ssh-Verzeichnis existiert
+  file:
+    path: "{{ authorized_keys_file | dirname }}"
+    state: directory
+    owner: "{{ ssh_user }}"
+    group: "{{ ssh_user }}"
+    mode: '0700'
+
+- name: Lese aktuelle authorized_keys
+  slurp:
+    src: "{{ authorized_keys_file }}"
+  register: current_keys_content
+  ignore_errors: true
+
+- name: Bereite aktuelle Keys für den Vergleich vor
+  set_fact:
+    current_keys: "{{ (current_keys_content['content'] | b64decode).splitlines() if current_keys_content['content'] is defined else [] }}"
+
+- name: Filtern von Schlüsseln, die beibehalten werden
+  set_fact:
+    retained_keys: "{{ current_keys | difference(good_keys + bad_keys) }}"
+
+- name: Erstelle finale Liste der Keys
+  set_fact:
+    final_keys: "{{ retained_keys + good_keys }}"
+
+- name: Synchronisiere authorized_keys
+  copy:
+    content: "{{ final_keys | join('\n') + '\n' }}"
+    dest: "{{ authorized_keys_file }}"
+    owner: "{{ ssh_user }}"
+    group: "{{ ssh_user }}"
+    mode: '0600'
+  when: final_keys != current_keys