feat: enhance sshd fallback over missing $HOME

roles/ntpd/handlers/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: "Restart ntpd service"
   ansible.builtin.systemd:
-    name: "ntpd"
+    name: ntpd
     state: restarted
-    reload: yes
+    daemon_reload: yes

roles/sshd/defaults/main.yml

@@ -6,3 +6,5 @@ ssh_config_dir: "/etc/ssh"
 sshd_config: "{{ ssh_config_dir}}/sshd_config"
 sshd_banner: "{{ ssh_config_dir}}/banner"
 sshd_binary: "/usr/sbin/sshd"
+ssh_authorized_keys_fallback_enabled: false
+ssh_authorized_keys_fallback_dir: "/etc/ssh/authorized_keys"

roles/sshd/tasks/main.yml

@@ -43,6 +43,18 @@
     comment: "{{ lookup('env', 'USER') | default('ansible') }}@{{ lookup('pipe', 'hostname -s') }}"
   loop: "{{ ssh_users.split() }}"
 
+- name: Authorized keys fallback
+  block:
+    - name: Create the directory
+      file:
+        path: "{{ssh_authorized_keys_fallback_dir}}"
+        state: directory
+
+    - name: Backup authorized_keys out of HOME dir (if unavailable at startup)
+      command: "cp /home/{{ item }}/.ssh/authorized_keys {{ssh_authorized_keys_fallback_dir}}/{{ item }}"
+      loop: "{{ ssh_users.split() }}"
+  when: ssh_authorized_keys_fallback_enabled
+
 - name: Create an SSH banner
   template:
     src: templates/sshd_banner.j2

roles/sshd/templates/sshd_banner.j2

@@ -1,7 +1,7 @@
-*******************************************
-     GALACTIC EMPIRE SECURE TERMINAL
-*******************************************
 {% if ansible_host == 'andromeda' %}
+*******************************************
+ Beep beep-wooOOoo! Brrrp! Zzt zzt-whirl!
+*******************************************
         ⣠⣴⣾⣿⣿⣿⣿⣷⣦⣄
       ⢠⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⡄
      ⢀⣿⣿⣿⣿⡿⠛⢿⡿⠛⢻⣿⣿⣿⣿⡀  <IMPERIAL SECURITY
@@ -15,10 +15,10 @@
    ⢸⣿⡇⠈⠙⠛⢛⣿⣿⣤⣤⣿⣿⡛⠛⠋⠁⢸⣿⡇
   ⣤⣼⣿⣧⣤⡀ ⠙⠛⠛⠛⠛⠛⠛⠋ ⢀⣤⣼⣿⣧⣤
   ⠛⠛⠛⠛⠛⠁          ⠈⠛⠛⠛⠛⠛
-*******************************************
- Beep beep-wooOOoo! Brrrp! Zzt zzt-whirl!
-*******************************************
 {% elif ansible_host == 'omega' %}
+*******************************************
+     GALACTIC EMPIRE SECURE TERMINAL
+*******************************************
          ⣀⣤⣴⣶⣾⣿⣿⣿⣿⣷⡶⠦
       ⢀⣴⣾⣿⣿⠿⠿⢿⣿⣿⣿⣿⣿⣿⣿⣿⣧⣤⡄
      ⣰⣿⣿⣿⠋    ⠈⢻⣿⣿⣿⣿⣿⣿⡟⠛⠛⠃
@@ -32,7 +32,15 @@
      ⠹⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠏
       ⠈⠻⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣤⡄
          ⠉⠛⠻⠿⢿⣿⣿⣿⣿⠟⠉⠉⠉⠉
+
+You have reached a terminal of the Galactic
+Empire's secure network. Unauthorized access
+will result in tracking and possible Force
+action.
 {% elif ansible_host == 'pinwheel' %}
+*******************************************
+       May the shell be with you
+*******************************************
  ⢀⣠⣄⣀⣀⣀               ⣀⣤⣴⣶⡾⠿⠿⠿⠿⢷⣶⣦⣤⣀⡀
 ⢰⣿⡟⠛⠛⠛⠻⠿⠿⢿⣶⣶⣦⣤⣤⣀⣀⡀⣀⣴⣾⡿⠟⠋⠉        ⠉⠙⠻⢿⣷⣦⣀         ⢀⣀⣀⣀⣀⣀⣀⣀⡀
  ⠻⣿⣦⡀ ⠉⠓⠶⢦⣄⣀⠉⠉⠛⠛⠻⠿⠟⠋⠁   ⣤⡀  ⢠   ⣠    ⠈⠙⠻⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠟⠛⠛⢻⣿
@@ -52,18 +60,10 @@
                  ⢀⣿⡿⠟⠋   ⣿  ⣸       ⢸⣿⣿
                  ⢸⣿⣁⣀    ⣿⡀ ⣿      ⢀⣈⣿⣿
                  ⠘⠛⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠿⠟⠛⠋
-******************************************************************
-                 May the shell be with you
-******************************************************************
 {% else %}
-ACCESS DENIED - UNKNOWN STAR SYSTEM
+JEDI LOST - UNKNOWN STAR SYSTEM
 {% endif %}
 
-You have reached a terminal of the Galactic
-Empire's secure network. Unauthorized access
-will result in tracking and possible Force
-action.
-
 {% if ansible_hostname is defined %}
 {{ group_names | first }}: {{ ansible_hostname }}
 {% endif %}

roles/sshd/templates/sshd_config.j2

@@ -62,3 +62,9 @@ Compression no
 {% if ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' %}
 UsePrivilegeSeparation sandbox
 {% endif %}
+
+{% if ssh_authorized_keys_fallback_enabled %}
+AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/authorized_keys/%u
+{% else %}
+AuthorizedKeysFile .ssh/authorized_keys
+{% endif %}