Update users-ssh.yml
@@ -1,15 +1,12 @@
|
|||||||
# users-ssh-nopasswd.yml
|
---
|
||||||
- name: Ensure users, SSH keys, and passwordless sudo
|
- name: Ensure users, SSH keys, and passwordless sudo
|
||||||
hosts: all
|
hosts: all
|
||||||
become: true
|
become: true
|
||||||
become_user: root
|
|
||||||
become_method: sudo
|
|
||||||
|
|
||||||
vars:
|
vars:
|
||||||
users:
|
users:
|
||||||
- name: automation
|
- name: automation
|
||||||
shell: /bin/bash
|
shell: /bin/bash
|
||||||
# optional extra groups besides sudo/wheel
|
|
||||||
groups: []
|
groups: []
|
||||||
sudo_nopasswd: true
|
sudo_nopasswd: true
|
||||||
keys:
|
keys:
|
||||||
@@ -30,33 +27,43 @@
|
|||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFS4fsqMjMMu/Bi/884bw7yJBqvWusDRESvanH6Owco jakub@jimbuntu"
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFS4fsqMjMMu/Bi/884bw7yJBqvWusDRESvanH6Owco jakub@jimbuntu"
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
|
|
||||||
- name: Pick sudo group per distro
|
- name: Pick sudo group per distro
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
sudo_group: "{{ 'wheel' if ansible_facts.os_family in ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse'] else 'sudo' }}"
|
sudo_group: >-
|
||||||
|
{{ 'wheel'
|
||||||
|
if ansible_facts.os_family in
|
||||||
|
['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse']
|
||||||
|
else 'sudo' }}
|
||||||
|
|
||||||
- name: Ensure user exists (creates home)
|
- name: Ensure user exists (creates home)
|
||||||
ansible.builtin.user:
|
ansible.builtin.user:
|
||||||
name: "{{ item.name }}"
|
name: "{{ item.name }}"
|
||||||
shell: "{{ item.shell | default('/bin/bash') }}"
|
shell: "{{ item.shell | default(omit) }}"
|
||||||
groups: >-
|
groups: >-
|
||||||
{{ (
|
{{ (
|
||||||
(item.groups | default([]))
|
(item.groups | default([]))
|
||||||
+ ([sudo_group] if item.sudo_nopasswd | default(false) else [])
|
+ ([sudo_group] if item.sudo_nopasswd | default(false) else [])
|
||||||
) | unique | join(',') if
|
) | unique | join(',')
|
||||||
((item.groups | default([])) | length > 0) or (item.sudo_nopasswd | default(false))
|
if (
|
||||||
|
(item.groups | default([]) | length > 0)
|
||||||
|
or item.sudo_nopasswd | default(false)
|
||||||
|
)
|
||||||
else omit }}
|
else omit }}
|
||||||
append: true
|
append: true
|
||||||
create_home: true
|
create_home: true
|
||||||
state: present
|
state: present
|
||||||
loop: "{{ users }}"
|
loop: "{{ users }}"
|
||||||
|
|
||||||
- name: Install authorized SSH keys
|
- name: Enforce authorized SSH keys
|
||||||
ansible.builtin.authorized_key:
|
ansible.builtin.authorized_key:
|
||||||
user: "{{ item.0.name }}"
|
user: "{{ item.name }}"
|
||||||
key: "{{ item.1 }}"
|
key: "{{ item.keys | join('\n') }}"
|
||||||
state: present
|
state: present
|
||||||
manage_dir: true
|
manage_dir: true
|
||||||
loop: "{{ users | subelements('keys', skip_missing=True) }}"
|
exclusive: true
|
||||||
|
loop: "{{ users }}"
|
||||||
|
when: item.keys is defined
|
||||||
|
|
||||||
- name: Grant passwordless sudo via sudoers.d
|
- name: Grant passwordless sudo via sudoers.d
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
@@ -64,7 +71,9 @@
|
|||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: '0440'
|
mode: '0440'
|
||||||
content: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
|
content: |
|
||||||
|
# Managed by Ansible
|
||||||
|
{{ item.name }} ALL=(ALL) NOPASSWD:ALL
|
||||||
validate: 'visudo -cf %s'
|
validate: 'visudo -cf %s'
|
||||||
when: item.sudo_nopasswd | default(false)
|
when: item.sudo_nopasswd | default(false)
|
||||||
loop: "{{ users }}"
|
loop: "{{ users }}"
|
||||||
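Review bot: In the rewritten "Enforce authorized SSH keys" task, `key: "{{ item.keys | join('\n') }}"` and `when: item.keys is defined` use dot notation on a dict key that collides with the Python dict method `keys`; Jinja2 attribute lookup resolves `item.keys` to the bound method before it tries the mapping key, so the `when` is always true and the `join` filter raises on a non-iterable, failing the task for every user (the old `subelements('keys', ...)` form did not have this problem because it passed the key as a string). Use bracket notation instead: `key: "{{ item['keys'] | join('\n') }}"` and `when: item['keys'] is defined and (item['keys'] | length) > 0`. The non-empty check matters because the new `exclusive: true` replaces the whole authorized_keys file, and a user entry with an empty `keys` list would presumably leave that account with no keys at all; the same entry-level `keys:` list in the `vars` section (first hunk) is where an operator would most likely leave it empty while drafting. The sudoers task at the end of the second hunk continues into the third hunk, and its `dest` line lies outside both.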