Update users-ssh.yml

2025-09-11 16:54:57 +00:00
parent 7c0b9a29b1
commit 4e595b4fa7
1 changed files with 31 additions and 14 deletions
--- a/users-ssh.yml
+++ b/users-ssh.yml
@@ -1,4 +1,5 @@
- name: Ensure users exist and have SSH keys
+# users-ssh-nopasswd.yml
+- name: Ensure users, SSH keys, and passwordless sudo
  hosts: all
  become: true
  become_user: root
@@ -6,27 +7,32 @@

  vars:
    users:
-      - name: automation
+      - name: jakub
        shell: /bin/bash
-        groups: [sudo]      # optional
-        password_lock: true # optional: no local password login
+        # optional extra groups you want besides sudo/wheel
+        groups: []
+        sudo_nopasswd: true
        keys:
          - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEx+ltCKNIEM7F4PzGLv22cIu7N0Fpn5gxwV02xq0GS9 automation@im.cz"

-      # add more users like:
-      # - name: deploy
-      #   keys:
-      #     - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ... deploy@example"
-
  tasks:
-    - name: Ensure user exists (creates home if missing)
+    - name: Pick sudo group per distro
+      ansible.builtin.set_fact:
+        sudo_group: "{{ 'wheel' if ansible_facts.os_family in ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse'] else 'sudo' }}"
+
+    - name: Ensure user exists (creates home)
      ansible.builtin.user:
        name: "{{ item.name }}"
        shell: "{{ item.shell | default('/bin/bash') }}"
-        groups: "{{ (item.groups | default([])) | join(',') if (item.groups | default([])) else omit }}"
+        groups: >-
+          {{ (
+                (item.groups | default([]))
+                + ([sudo_group] if item.sudo_nopasswd | default(false) else [])
+              ) | unique | join(',') if
+              ((item.groups | default([])) | length > 0) or (item.sudo_nopasswd | default(false))
+              else omit }}
        append: true
        create_home: true
-        password_lock: "{{ item.password_lock | default(omit) }}"
        state: present
      loop: "{{ users }}"

@@ -35,5 +41,16 @@
        user: "{{ item.0.name }}"
        key: "{{ item.1 }}"
        state: present
-        manage_dir: true   # ensures ~/.ssh exists with correct perms
-      loop: "{{ users | subelements('keys', skip_missing=True) }}"
+        manage_dir: true
+      loop: "{{ users | subelements('keys', skip_missing=True) }}"
+
+    - name: Grant passwordless sudo via sudoers.d
+      ansible.builtin.copy:
+        dest: "/etc/sudoers.d/{{ item.name }}"
+        owner: root
+        group: root
+        mode: '0440'
+        content: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
+        validate: 'visudo -cf %s'
+      when: item.sudo_nopasswd | default(false)
+      loop: "{{ users }}"