From 6e3023205720738ca8df393ccba6a85b1ffb5b93 Mon Sep 17 00:00:00 2001
From: Marty Oehme
Date: Wed, 19 Nov 2025 14:40:00 +0100
Subject: [PATCH] ref: Install authorized keys per user

Instead of installing authorized keys globally (same for everybody), we pass in the authorized_keys variable per user, and thus the installation also takes place per user. This makes much more sense and works with minimal refactoring.
---
 roles/system/defaults/main.yaml | 5 ++---
 roles/system/tasks/main.yaml | 7 ++++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/roles/system/defaults/main.yaml b/roles/system/defaults/main.yaml
index 11712bb..7100009 100644
--- a/roles/system/defaults/main.yaml
+++ b/roles/system/defaults/main.yaml
@@ -7,11 +7,10 @@ system_users:
 - marty
 - data
 - incus-admin
+ authorized_keys:
+ - "{{ lookup('file', '~/.ssh/keys/bob.pub') }}"
 - name: data
 groups:
 - data
 create_home: false
 shell: /sbin/nologin
-
-system_authorized_keys:
- - "{{ lookup('file', '~/.ssh/keys/bob.pub') }}"
diff --git a/roles/system/tasks/main.yaml b/roles/system/tasks/main.yaml
index d2c4f42..4ce6c5a 100644
--- a/roles/system/tasks/main.yaml
+++ b/roles/system/tasks/main.yaml
@@ -63,10 +63,11 @@
 
 - name: Add authorized SSH keys
 ansible.posix.authorized_key:
- user: marty # FIXME: don't hardoce user
+ user: "{{ item.name }}"
 state: present
- key: "{{ item }}"
- loop: "{{ system_authorized_keys }}"
+ key: "{{ item.authorized_keys }}"
+ loop: "{{ system_users }}"
+ when: system_users is defined and item.authorized_keys is defined
 tags:
 - ssh
 become: true
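Review bot: `key: "{{ item.authorized_keys }}"` hands the module a whole list, while `authorized_keys` is declared as a YAML sequence in the defaults hunk and the removed code looped over it one key at a time; `ansible.posix.authorized_key` takes `key` as a string, so the list is most likely stringified into something that is not a valid public key and the task either fails or writes an unusable entry. Either join the keys, `key: "{{ item.authorized_keys | join('\n') }}"`, or iterate per key with `loop: "{{ system_users | subelements('authorized_keys', skip_missing=True) }}"` and use `item.0.name` / `item.1`. The indentation of the added `loop:` and `when:` lines is not recoverable from this view; they must sit at task level next to `tags:` and `become:`, not under `ansible.posix.authorized_key:`, or they are rejected as unknown module arguments. Since `state: present` only adds entries, a key dropped from a user's list stays authorized on the host; `exclusive: true` would make the per-user list authoritative, at the cost of removing any keys managed outside this role.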