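---
# users-ssh-nopasswd.yml
#
# Creates the listed accounts, installs their SSH public keys and, for each
# user flagged sudo_nopasswd, writes a visudo-validated fragment under
# /etc/sudoers.d granting passwordless sudo. The fragment is removed again
# for users whose flag is false, so flipping sudo_nopasswd on a user revokes
# the grant on the next run instead of leaving it behind.
- name: Ensure users, SSH keys, and passwordless sudo
  hosts: all
  become: true
  become_user: root
  become_method: sudo

  vars:
    users:
      - name: automation
        shell: /bin/bash
        # optional extra groups besides sudo/wheel
        groups: []
        sudo_nopasswd: true
        keys:
          - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEx+ltCKNIEM7F4PzGLv22cIu7N0Fpn5gxwV02xq0GS9 automation@im.cz"
      - name: hellsos
        shell: /bin/bash
        groups: []
        sudo_nopasswd: true
        keys:
          - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhfQt1VNQo8EbIog4yjU5VEF3mTyMEC7o1Qe95X4JwG jan@rabcan.cz"
      - name: jim
        shell: /bin/bash
        groups: []
        sudo_nopasswd: true
        keys:
          - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFS4fsqMjMMu/Bi/884bw7yJBqvWusDRESvanH6Owco jakub@jimbuntu"

  tasks:
    # RedHat-family and SUSE hosts use 'wheel' as the admin group, Debian-family
    # hosts use 'sudo'. Rocky/Alma/Oracle/Fedora normally report os_family
    # 'RedHat' already; the extra names are kept as a harmless safety net.
    - name: Pick sudo group per distro
      ansible.builtin.set_fact:
        sudo_group: "{{ 'wheel' if ansible_facts.os_family in ['RedHat', 'Rocky', 'AlmaLinux', 'Fedora', 'OracleLinux', 'Suse'] else 'sudo' }}"

    # groups is only passed when there is something to add; otherwise it is
    # omitted so the module does not touch the account's existing membership.
    # append: true keeps any groups the user already has.
    - name: Ensure user exists (creates home)
      ansible.builtin.user:
        name: "{{ item.name }}"
        shell: "{{ item.shell | default('/bin/bash') }}"
        groups: >-
          {{ ( (item.groups | default([])) + ([sudo_group] if item.sudo_nopasswd | default(false) else []) ) | unique | join(',')
          if ((item.groups | default([])) | length > 0) or (item.sudo_nopasswd | default(false))
          else omit }}
        append: true
        create_home: true
        state: present
      loop: "{{ users }}"
      loop_control:
        # keep task output to the username instead of dumping every key
        label: "{{ item.name }}"

    # subelements yields one (user, key) pair per key; users without a keys
    # list are skipped rather than failing the play.
    - name: Install authorized SSH keys
      ansible.builtin.authorized_key:
        user: "{{ item.0.name }}"
        key: "{{ item.1 }}"
        state: present
        manage_dir: true
      loop: "{{ users | subelements('keys', skip_missing=True) }}"
      loop_control:
        label: "{{ item.0.name }}"

    # sudo ignores files in sudoers.d whose name contains a '.' or ends in '~',
    # so the username is sanitised for the file name; the sudoers rule itself
    # still uses the real username. The content ends with a newline because
    # some sudo versions reject a fragment without one.
    - name: Grant passwordless sudo via sudoers.d
      ansible.builtin.copy:
        dest: "{{ sudoers_path }}"
        owner: root
        group: root
        mode: '0440'
        content: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL\n"
        validate: 'visudo -cf %s'
      vars:
        sudoers_path: "/etc/sudoers.d/{{ item.name | regex_replace('[^A-Za-z0-9_-]', '_') }}"
      when: item.sudo_nopasswd | default(false)
      loop: "{{ users }}"
      loop_control:
        label: "{{ item.name }}"

    # Declarative counterpart of the task above: a user whose flag is false
    # (or unset) must not keep a previously granted NOPASSWD fragment.
    - name: Revoke passwordless sudo when the flag is off
      ansible.builtin.file:
        path: "{{ sudoers_path }}"
        state: absent
      vars:
        sudoers_path: "/etc/sudoers.d/{{ item.name | regex_replace('[^A-Za-z0-9_-]', '_') }}"
      when: not (item.sudo_nopasswd | default(false))
      loop: "{{ users }}"
      loop_control:
        label: "{{ item.name }}"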