Speed up key deployment by using the git repo

Instead of downloading each key over HTTPS from github.com, we can
simply clone the entire repo (with depth 1) and lookup each key using
the username.

On my laptop, execution time went from 2m49s to 29s.

Signed-off-by: Zack Cerza <zack@redhat.com>

diff --git a/roles/users/tasks/update_keys.yml b/roles/users/tasks/update_keys.yml
index 13e04fe8ef18bba2ad63f1a7551728498bc10d94..774e03b161af3813bfd592de48d374f252397021 100644 (file)
--- a/roles/users/tasks/update_keys.yml
+++ b/roles/users/tasks/update_keys.yml
@@ -1,9 +1,43 @@
 ---
-- name: Update authorized_keys for each user.
+- name: Merge managed_users and managed_admin users
+  set_fact:
+    pubkey_users: "{{ managed_users|list + managed_admin_users|list }}"
+
+# The following set_fact calls are apparently necessary to avoid using sudo on
+# localhost to clone the keys repo.
+- set_fact:
+    ansible_become_orig: "{{ ansible_become }}"
+
+- set_fact:
+    ansible_become: false
+
+- name: Clone the keys repo
+  local_action:
+    module: git
+    repo: "{{ keys_repo }}"
+    version: master
+    depth: 1
+    force: yes
+    dest: "{{ keys_repo_path }}"
+  when: keys_repo is defined
+  connection: local
+
+- set_fact:
+    ansible_become: "{{ ansible_become_orig }}"
+
+- name: Update authorized_keys using the keys repo
+  authorized_key:
+    user: "{{ item.name }}"
+    key: "{{ lookup('file', keys_repo_path + '/ssh/' + item.name + '.pub') }}"
+  with_items: "{{ pubkey_users }}"
+  when: item.key is undefined and keys_repo is defined
+
+- name: Update authorized_keys for each user with literal keys
   authorized_key:
     user: "{{ item.name }}"
     key: "{{ item.key }}"
-  with_items: managed_users|list + managed_admin_users|list
+  with_items: "{{ pubkey_users }}"
+  when: item.key is defined
   # Register and retry to work around transient githubusercontent.com issues
   register: ssh_key_update
   until: ssh_key_update|success