From 430594a13b4e5e6bcd1110b124d3941dffb989f2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arturo=20Filast=C3=B2?=
Date: Tue, 9 Jul 2024 10:13:12 +0200
Subject: [PATCH] Per-user custom ssh config
---
 .../roles/ansible_controller/tasks/main.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/ansible/roles/ansible_controller/tasks/main.yml b/ansible/roles/ansible_controller/tasks/main.yml
index a42f3999..762e59a3 100644
--- a/ansible/roles/ansible_controller/tasks/main.yml
+++ b/ansible/roles/ansible_controller/tasks/main.yml
@@ -47,3 +47,29 @@
 UserKnownHostsFile ~/.ssh/known_hosts /srv/devops/ansible/known_hosts /srv/devops/ansible/known_hosts_legacy
 IdentitiesOnly yes
 with_items: "{{ non_admin_usernames | union(admin_usernames) }}"
+
+- name: Create config.d directory for each user
+ ansible.builtin.file:
+ path: "/home/{{ item }}/.ssh/config.d/"
+ state: directory
+ owner: "{{ item }}"
+ group: "{{ item }}"
+ mode: "700"
+
+- name: Create config.d custom file for each user
+ ansible.builtin.file:
+ path: "/home/{{ item }}/.ssh/config.d/custom"
+ state: file
+ owner: "{{ item }}"
+ group: "{{ item }}"
+ mode: "600"
+
+- name: Include per-user custom config
+ ansible.builtin.copy:
+ dest: "/home/{{ item }}/.ssh/config"
+ content: |
+ # Do not edit! ansible managed via ooni/devops
+ UserKnownHostsFile ~/.ssh/known_hosts /srv/devops/ansible/known_hosts /srv/devops/ansible/known_hosts_legacy
+ IdentitiesOnly yes
+ Include config.d/*
+ with_items: "{{ non_admin_usernames | union(admin_usernames) }}"
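Review bot: The first two added tasks (`Create config.d directory for each user` and `Create config.d custom file for each user`) use `{{ item }}` but have no loop, so `item` is undefined when they run; each needs the `with_items: "{{ non_admin_usernames | union(admin_usernames) }}"` line that only the third task carries. In the second task, `state: file` only verifies an existing path and never creates it, so a host without `config.d/custom` fails; `state: touch` with `modification_time: preserve` and `access_time: preserve` creates the empty file and stays idempotent. The final copy task sets no `owner`, `group` or `mode` on `~/.ssh/config`. It also appears to write the same `dest` as the task just above the hunk, whose start lies outside the hunk, so the two would likely overwrite each other on every run; adding `Include config.d/*` to that existing task's content would avoid this.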