better manage authorized_keys file, don't overwrite the file

playbook/roles/vm-bootstrap/files/file_cmp

+#!/usr/bin/python
+
+import os
+import sys
+
+if __name__ == "__main__":
+
+  if len(sys.argv) < 4:
+    print "Use: %s FILE1 FILE2 DEST_FILE" % sys.argv[0]
+    exit(1)
+
+  file1 = sys.argv[1]
+  file2 = sys.argv[2]
+  dest = sys.argv[3]
+  lines = lines_cmp = []
+  notfound = []
+
+  with open(file1, 'r') as ff:
+    lines = ff.readlines()
+  with open(file2, 'r') as ff2:
+    lines_cmp = ff2.read()
+
+  for line in lines:
+    if not line in lines_cmp:
+      notfound.append(line)
+
+  with open(dest, 'w') as f:
+    f.write('\n'.join(notfound))

playbook/roles/vm-bootstrap/tasks/ssh.yml

@@ -6,19 +6,43 @@
     file: path=/home/netadmin/.ssh state=directory mode=700 owner=netadmin group=netadmin
 
   - name: Download ssh authorized keys
-    get_url: url=http://10.0.2.100/authorized_keys dest=/root/.ssh/authorized_keys.download mode=755 force=yes
+    get_url: url=http://10.0.2.100/authorized_keys dest=/etc/opt/authorized_keys mode=644 force=yes
     ignore_errors: True
 
-  - name: stat /root/.ssh/authorized_keys.download
-    stat: path=/root/.ssh/authorized_keys.download
+  - name: stat /etc/opt/authorized_keys
+    stat: path=/etc/opt/authorized_keys
     register: authorized_keys
 
-  - name: replace /root/.ssh/authorized_keys
-    copy: src=/root/.ssh/authorized_keys.download dest=/root/.ssh/authorized_keys mode=644 force=yes
+  - name: stat /etc/opt/authorized_keys.old
+    stat: path=/etc/opt/authorized_keys.old
+    register: authorized_keys_old
+
+  - name: get removed keys
+    script: file_cmp /etc/opt/authorized_keys.old /etc/opt/authorized_keys /etc/opt/authorized_keys_deleted
+    when: authorized_keys.stat.exists == True and authorized_keys_old.stat.exists == True
+
+  - name: stat /etc/opt/authorized_keys_deleted
+    stat: path=/etc/opt/authorized_keys_deleted
+    register: authorized_keys_deleted
+
+  - name: Remove deleted authorized_keys
+    authorized_key: user=netadmin key="{{ lookup('file', '/etc/opt/authorized_keys_deleted') }}" state=absent
+    when: authorized_keys_deleted.stat.exists == True
+
+  - name: Remove deleted authorized_keys for root
+    authorized_key: user=root key="{{ lookup('file', '/etc/opt/authorized_keys_deleted') }}" state=absent
+    when: authorized_keys_deleted.stat.exists == True
+
+  - name: save these authorized_keys
+    copy: src=/etc/opt/authorized_keys dest=/etc/opt/authorized_keys.old mode=644 force=yes
+    when: authorized_keys.stat.exists == True
+
+  - name: Add netadmin authorized keys
+    authorized_key: user=netadmin key="{{ lookup('file', '/etc/opt/authorized_keys') }}"
     when: authorized_keys.stat.exists == True
 
-  - name: replace /home/netadmin/.ssh/authorized_keys
-    copy: src=/root/.ssh/authorized_keys.download dest=/home/netadmin/.ssh/authorized_keys mode=644 owner=netadmin group=netadmin
+  - name: Add root authorized keys
+    authorized_key: user=root key="{{ lookup('file', '/etc/opt/authorized_keys') }}"
     when: authorized_keys.stat.exists == True
 
   - name: update /etc/ssh/sshd_config
@@ -31,4 +55,4 @@
     lineinfile: dest=/etc/ssh/sshd_config line="PermitRootLogin no"
     notify: 
       - restart ssh
-      - restart sshd
\ No newline at end of file
+      - restart sshd