{% if user.sshpubkeys or recipe and recipe.recipeset.job.group %}
mkdir -p /root/.ssh
cat >>/root/.ssh/authorized_keys <<"__EOF__"
{% if recipe and recipe.recipeset.job.group %}
{% for user in recipe.recipeset.job.group.users %}
{% for ssh_key in user.sshpubkeys %}
{{ ssh_key|string|replace('__EOF__', '') }}
{% endfor %}
{% endfor %}
{% else %}
{% for ssh_key in user.sshpubkeys %}
{{ ssh_key|string|replace('__EOF__', '') }}
{% endfor %}
{% endif %}
__EOF__
restorecon -R /root/.ssh
chmod go-w /root /root/.ssh /root/.ssh/authorized_keys
{% endif %}
{% if disabled_root_access is defined %}
sed -i '/^#PermitRootLogin /s/^#//' /etc/ssh/sshd_config
sed -i 's|PermitRootLogin .*|PermitRootLogin yes|' /etc/ssh/sshd_config
systemctl restart sshd
{% endif %}