From e1a1518cb82d72922009e75c8430400c4dd8568f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20D=C3=A9siles?=
 <1536672+cdesiles@users.noreply.github.com>
Date: Tue, 26 Aug 2025 01:02:53 +0200
Subject: [PATCH] feat: enhance sshd fallback over missing $HOME

---
 roles/ntpd/handlers/main.yml        |  4 ++--
 roles/sshd/defaults/main.yml        |  2 ++
 roles/sshd/tasks/main.yml           | 12 ++++++++++++
 roles/sshd/templates/sshd_banner.j2 | 30 ++++++++++++++---------------
 roles/sshd/templates/sshd_config.j2 |  6 ++++++
 5 files changed, 37 insertions(+), 17 deletions(-)

diff --git a/roles/ntpd/handlers/main.yml b/roles/ntpd/handlers/main.yml
index 0fc3250..5433efb 100644
--- a/roles/ntpd/handlers/main.yml
+++ b/roles/ntpd/handlers/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: "Restart ntpd service"
   ansible.builtin.systemd:
-    name: "ntpd"
+    name: ntpd
     state: restarted
-    reload: yes
+    daemon_reload: yes
diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml
index 831065b..f6327dc 100644
--- a/roles/sshd/defaults/main.yml
+++ b/roles/sshd/defaults/main.yml
@@ -6,3 +6,5 @@ ssh_config_dir: "/etc/ssh"
 sshd_config: "{{ ssh_config_dir}}/sshd_config"
 sshd_banner: "{{ ssh_config_dir}}/banner"
 sshd_binary: "/usr/sbin/sshd"
+ssh_authorized_keys_fallback_enabled: false
+ssh_authorized_keys_fallback_dir: "/etc/ssh/authorized_keys"
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
index 1fd4c98..218cbd5 100644
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -43,6 +43,18 @@
     comment: "{{ lookup('env', 'USER') | default('ansible') }}@{{ lookup('pipe', 'hostname -s') }}"
   loop: "{{ ssh_users.split() }}"
 
+- name: Authorized keys fallback
+  block:
+    - name: Create the directory
+      file:
+        path: "{{ssh_authorized_keys_fallback_dir}}"
+        state: directory
+
+    - name: Backup authorized_keys out of HOME dir (if unavailable at startup)
+      command: "cp /home/{{ item }}/.ssh/authorized_keys {{ssh_authorized_keys_fallback_dir}}/{{ item }}"
+      loop: "{{ ssh_users.split() }}"
+  when: ssh_authorized_keys_fallback_enabled
+
 - name: Create an SSH banner
   template:
     src: templates/sshd_banner.j2
diff --git a/roles/sshd/templates/sshd_banner.j2 b/roles/sshd/templates/sshd_banner.j2
index 6df452f..ac7f3f7 100644
--- a/roles/sshd/templates/sshd_banner.j2
+++ b/roles/sshd/templates/sshd_banner.j2
@@ -1,7 +1,7 @@
-*******************************************
-     GALACTIC EMPIRE SECURE TERMINAL
-*******************************************
 {% if ansible_host == 'andromeda' %}
+*******************************************
+ Beep beep-wooOOoo! Brrrp! Zzt zzt-whirl!
+*******************************************
         ⣠⣴⣾⣿⣿⣿⣿⣷⣦⣄
       ⢠⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⡄
      ⢀⣿⣿⣿⣿⡿⠛⢿⡿⠛⢻⣿⣿⣿⣿⡀  <IMPERIAL SECURITY
@@ -15,10 +15,10 @@
    ⢸⣿⡇⠈⠙⠛⢛⣿⣿⣤⣤⣿⣿⡛⠛⠋⠁⢸⣿⡇
   ⣤⣼⣿⣧⣤⡀ ⠙⠛⠛⠛⠛⠛⠛⠋ ⢀⣤⣼⣿⣧⣤
   ⠛⠛⠛⠛⠛⠁          ⠈⠛⠛⠛⠛⠛
-*******************************************
- Beep beep-wooOOoo! Brrrp! Zzt zzt-whirl!
-*******************************************
 {% elif ansible_host == 'omega' %}
+*******************************************
+     GALACTIC EMPIRE SECURE TERMINAL
+*******************************************
          ⣀⣤⣴⣶⣾⣿⣿⣿⣿⣷⡶⠦
       ⢀⣴⣾⣿⣿⠿⠿⢿⣿⣿⣿⣿⣿⣿⣿⣿⣧⣤⡄
      ⣰⣿⣿⣿⠋    ⠈⢻⣿⣿⣿⣿⣿⣿⡟⠛⠛⠃
@@ -32,7 +32,15 @@
      ⠹⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠏
       ⠈⠻⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣤⡄
          ⠉⠛⠻⠿⢿⣿⣿⣿⣿⠟⠉⠉⠉⠉
+
+You have reached a terminal of the Galactic
+Empire's secure network. Unauthorized access
+will result in tracking and possible Force
+action.
 {% elif ansible_host == 'pinwheel' %}
+*******************************************
+       May the shell be with you
+*******************************************
  ⢀⣠⣄⣀⣀⣀               ⣀⣤⣴⣶⡾⠿⠿⠿⠿⢷⣶⣦⣤⣀⡀
 ⢰⣿⡟⠛⠛⠛⠻⠿⠿⢿⣶⣶⣦⣤⣤⣀⣀⡀⣀⣴⣾⡿⠟⠋⠉        ⠉⠙⠻⢿⣷⣦⣀         ⢀⣀⣀⣀⣀⣀⣀⣀⡀
  ⠻⣿⣦⡀ ⠉⠓⠶⢦⣄⣀⠉⠉⠛⠛⠻⠿⠟⠋⠁   ⣤⡀  ⢠   ⣠    ⠈⠙⠻⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠟⠛⠛⢻⣿
@@ -52,18 +60,10 @@
                  ⢀⣿⡿⠟⠋   ⣿  ⣸       ⢸⣿⣿
                  ⢸⣿⣁⣀    ⣿⡀ ⣿      ⢀⣈⣿⣿
                  ⠘⠛⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠟⠛⠋
-******************************************************************
-                 May the shell be with you
-******************************************************************
 {% else %}
-ACCESS DENIED - UNKNOWN STAR SYSTEM
+JEDI LOST - UNKNOWN STAR SYSTEM
 {% endif %}
 
-You have reached a terminal of the Galactic
-Empire's secure network. Unauthorized access
-will result in tracking and possible Force
-action.
-
 {% if ansible_hostname is defined %}
 {{ group_names | first }}: {{ ansible_hostname }}
 {% endif %}
diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2
index bf6a845..eb1061d 100644
--- a/roles/sshd/templates/sshd_config.j2
+++ b/roles/sshd/templates/sshd_config.j2
@@ -62,3 +62,9 @@ Compression no
 {% if ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' %}
 UsePrivilegeSeparation sandbox
 {% endif %}
+
+{% if ssh_authorized_keys_fallback_enabled %}
+AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/authorized_keys/%u
+{% else %}
+AuthorizedKeysFile .ssh/authorized_keys
+{% endif %}