changing inclusion strategy, adding template.

playbooks/roles/automated/tasks/main.yml

@@ -136,12 +136,11 @@
     owner={{ automated_user }} group={{ automated_user }}
     state=touch
     
-- name: add authorized_keys
-  lineinfile:
-    line="{{ item }}" state=present
+- name: build authorized_keys file
+  template:
+    src=home/automator/.ssh/authorized_keys.j2
     dest={{ automated_home }}/.ssh/authorized_keys mode=0600 
     owner={{ automated_user }} group={{ automated_user }}
-  with_items: automated_authorized_keys
   
 - name: create allowed command links
   file:

playbooks/roles/edxapp/defaults/main.yml

@@ -125,7 +125,10 @@ EDXAPP_SANDBOX_ENFORCE: true
 
 # Supply authorized keys used for remote management via the automated
 # role, see meta/main.yml.  Ensure you know what this does before
-# enabling.
+# enabling.  The boolean flag determines whether the role is included.
+# This is done to make it possible to disable remote access easily by
+# setting the flag to true and providing an empty array.
+EDXAPP_INCLUDE_AUTOMATOR_ROLE: true
 EDXAPP_AUTOMATOR_AUTHORIZED_KEYS: []
 
 #-------- Everything below this line is internal to the role ------------

playbooks/roles/edxapp/meta/main.yml

@@ -8,7 +8,7 @@ dependencies:
   - devpi
   - role: automated
     automated_rbash_links: "{{ edxapp_automated_rbash_links }}"
-    automated_sudoers_dest: '99-automator-edxapp'
+    automated_sudoers_dest: '99-automator-edxapp-server'
     automated_sudoers_template: 'roles/edxapp/templates/etc/sudoers.d/99-automator-edxapp-server.j2'
     automated_authorized_keys: "{{ EDXAPP_AUTOMATOR_AUTHORIZED_KEYS }}"
-    when: EDXAPP_AUTOMATOR_AUTHORIZED_KEYS|length > 0
+    when: EDXAPP_INCLUDE_AUTOMATOR_ROLE

playbooks/roles/edxapp/tasks/deploy.yml

@@ -237,7 +237,7 @@
   # root access.
 - name: give other read permissions to the virtualenv
   command: chmod -R o+r "{{ edxapp_venv_dir }}"
-  sudo_user: "{{ edxapp_user }}"
+  #sudo_user: "{{ edxapp_user }}"
   notify:
   - "restart edxapp"
   - "restart edxapp_workers"