From 5b6a295e70a998f311ba9e025f5d159755b13977 Mon Sep 17 00:00:00 2001
From: Scott Walkinshaw
Date: Wed, 29 Dec 2021 16:03:30 -0500
Subject: [PATCH] Add support for public keys for deploys

Adding a deploy specific SSH public key to a Trellis server is a common task to enable CI/CD deploys (such as GitHub Actions). This creates a standard folder (`public_keys`) for them. Any public SSH keys in that folder (ending in `.pub`) will be automatically added to the `web_user` as an authorized key.
---
 CHANGELOG.md | 1 +
 lib/trellis/utils/output.py | 2 +-
 public_keys/.gitkeep | 0
 roles/users/tasks/main.yml | 8 +++++++-
 4 files changed, 9 insertions(+), 2 deletions(-)
 create mode 100644 public_keys/.gitkeep

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e7b441ed0c..322b31fe5b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,5 @@
 ### HEAD
+* Improve support for adding public SSH keys ([#1344](https://github.com/roots/trellis/pull/1344))
 * Fix #1319 - Improve how ssh_args are loaded ([#1337](https://github.com/roots/trellis/pull/1337))
 * Fix #1331 - Improve passlib instructions([#1336](https://github.com/roots/trellis/pull/1336))
diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py
index ca4eb22728..33dbc4b55a 100644
--- a/lib/trellis/utils/output.py
+++ b/lib/trellis/utils/output.py
@@ -55,7 +55,7 @@ def replace_item_with_key(obj, result):
 )
 if should_replace:
- if 'key' in result._result[item]:
+ if type(result._result[item]) is dict and 'key' in result._result[item]:
 result._result[item] = result._result[item]['key']
 elif type(result._result[item]) is dict:
 subitem = '_ansible_item_label' if '_ansible_item_label' in result._result[item] else 'item'
diff --git a/public_keys/.gitkeep b/public_keys/.gitkeep
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml
index acfcd74838..09b84830df 100644
--- a/roles/users/tasks/main.yml
+++ b/roles/users/tasks/main.yml
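Review bot: The added condition and the `elif` on the next line both test `type(result._result[item]) is dict`, so the dict check is now evaluated twice on the path that reaches the `elif`, and a reader has to notice that the first branch differs only by the `'key'` membership test rather than by type. Hoisting the type test once — `if type(result._result[item]) is dict:` with the `'key'` lookup and the `_ansible_item_label` fallback as its two inner branches — reads more directly and keeps the two branches obviously exclusive. Keeping `type(...) is dict` rather than `isinstance` matches the existing `elif`, though it means dict subclasses fall through both branches; if that is intended, a one-line comment saying so would help the next maintainer. The body of `replace_item_with_key` starts and ends outside the hunk.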
@@ -49,7 +49,7 @@
 validate: "/usr/sbin/visudo -cf %s"
 when: web_sudoers[0] is defined
-- name: Add SSH keys
+- name: Add user SSH keys
 authorized_key:
 user: "{{ item.0.name }}"
 key: "{{ item.1 }}"
@@ -57,6 +57,12 @@
 - "{{ users | default([]) }}"
 - keys
+- name: Add deploy SSH keys
+ authorized_key:
+ user: "{{ web_user }}"
+ key: "{{ lookup('file', item) }}"
+ with_fileglob: 'public_keys/*.pub'
+
 - name: Check whether Ansible can connect as admin_user
 command: ansible {{ inventory_hostname }} -m ping -u {{ admin_user }} {{ cli_options | default('') }}
 delegate_to: localhost
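Review bot: The new `Add deploy SSH keys` task only ever adds keys: `authorized_key` runs with the default `state: present`, so deleting a `.pub` file from `public_keys/` does not revoke that key for `web_user` on already-provisioned servers, and a retired CI key stays authorized until it is removed by hand. At minimum the task should carry a comment stating this, e.g. `# Keys found here are only ever added; deleting a .pub file does not revoke the key on the server (remove it there explicitly).` Separately, `lookup('file', item)` authorizes whatever the file contains with no check that it holds exactly one public key, so any stray file in the folder whose name ends in `.pub` is installed as-is; a comment on the task or a short README in `public_keys/` saying "one public key per file" would make the contract explicit. Note too that `with_fileglob` inside a role is resolved against the role's `files/` directory before falling back to the playbook directory, so the bare `public_keys/*.pub` pattern presumably relies on the users role having no such subdirectory — worth confirming.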