root_ssh: Support giving root access to only some hosts

group_vars/all/root_access.yml

@@ -13,13 +13,13 @@ sudo_users:
 
 # deploy tag 'root_ssh' when this changes
 root_ssh_keys:
-  - foutrelis.pub
-  - freswa.pub
-  - grazzolini.pub
-  - heftig.pub
-  - jelle.pub
-  - svenstaro.pub
-  - anthraxx.pub
+  - key: foutrelis.pub
+  - key: freswa.pub
+  - key: grazzolini.pub
+  - key: heftig.pub
+  - key: jelle.pub
+  - key: svenstaro.pub
+  - key: anthraxx.pub
 
 # run playbook 'playbooks/tasks/reencrypt-vault-key.yml' when this changes
 # before running it, make sure to gpg --lsign-key all of the below keys

roles/root_ssh/templates/authorized_keys.j2

@@ -1,4 +1,6 @@
 #jinja2: lstrip_blocks: True
-{% for user in root_ssh_keys | sort -%}
-	{{ lookup('file', '../pubkeys/' + user) }}
+{% for user in root_ssh_keys | sort(attribute="key") -%}
+	{% if not user.hosts or inventory_hostname in user.hosts -%}
+		{{ lookup('file', '../pubkeys/' + user.key ) }}
+	{% endif %}
 {% endfor %}