Update users-ssh.yml

This commit is contained in:
2026-02-20 14:10:11 +00:00
parent 11a48e4ccb
commit b1a849824f


@@ -1,15 +1,12 @@
# users-ssh-nopasswd.yml ---
- name: Ensure users, SSH keys, and passwordless sudo - name: Ensure users, SSH keys, and passwordless sudo
hosts: all hosts: all
become: true become: true
become_user: root
become_method: sudo
vars: vars:
users: users:
- name: automation - name: automation
shell: /bin/bash shell: /bin/bash
# optional extra groups besides sudo/wheel
groups: [] groups: []
sudo_nopasswd: true sudo_nopasswd: true
keys: keys:
@@ -30,33 +27,43 @@
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFS4fsqMjMMu/Bi/884bw7yJBqvWusDRESvanH6Owco jakub@jimbuntu" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFS4fsqMjMMu/Bi/884bw7yJBqvWusDRESvanH6Owco jakub@jimbuntu"
tasks: tasks:
- name: Pick sudo group per distro - name: Pick sudo group per distro
ansible.builtin.set_fact: ansible.builtin.set_fact:
sudo_group: "{{ 'wheel' if ansible_facts.os_family in ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse'] else 'sudo' }}" sudo_group: >-
{{ 'wheel'
if ansible_facts.os_family in
['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse']
else 'sudo' }}
- name: Ensure user exists (creates home) - name: Ensure user exists (creates home)
ansible.builtin.user: ansible.builtin.user:
name: "{{ item.name }}" name: "{{ item.name }}"
shell: "{{ item.shell | default('/bin/bash') }}" shell: "{{ item.shell | default(omit) }}"
groups: >- groups: >-
{{ ( {{ (
(item.groups | default([])) (item.groups | default([]))
+ ([sudo_group] if item.sudo_nopasswd | default(false) else []) + ([sudo_group] if item.sudo_nopasswd | default(false) else [])
) | unique | join(',') if ) | unique | join(',')
((item.groups | default([])) | length > 0) or (item.sudo_nopasswd | default(false)) if (
else omit }} (item.groups | default([]) | length > 0)
or item.sudo_nopasswd | default(false)
)
else omit }}
append: true append: true
create_home: true create_home: true
state: present state: present
loop: "{{ users }}" loop: "{{ users }}"
- name: Install authorized SSH keys - name: Enforce authorized SSH keys
ansible.builtin.authorized_key: ansible.builtin.authorized_key:
user: "{{ item.0.name }}" user: "{{ item.name }}"
key: "{{ item.1 }}" key: "{{ item.keys | join('\n') }}"
state: present state: present
manage_dir: true manage_dir: true
loop: "{{ users | subelements('keys', skip_missing=True) }}" exclusive: true
loop: "{{ users }}"
when: item.keys is defined
- name: Grant passwordless sudo via sudoers.d - name: Grant passwordless sudo via sudoers.d
ansible.builtin.copy: ansible.builtin.copy:
@@ -64,7 +71,9 @@
owner: root owner: root
group: root group: root
mode: '0440' mode: '0440'
content: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL" content: |
# Managed by Ansible
{{ item.name }} ALL=(ALL) NOPASSWD:ALL
validate: 'visudo -cf %s' validate: 'visudo -cf %s'
when: item.sudo_nopasswd | default(false) when: item.sudo_nopasswd | default(false)
loop: "{{ users }}" loop: "{{ users }}"
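Review bot: In the "Enforce authorized SSH keys" task, `key: "{{ item.keys | join('\n') }}"` and `when: item.keys is defined` most likely do not read the `keys` list: Jinja2 attribute lookup on a dict tries the Python attribute first, so `item.keys` resolves to the dict's `.keys()` method (Ansible documents this trap for keys named `keys`, `values`, `items`), and a bound method is neither the key list nor a meaningful `when` condition. The removed `subelements('keys', skip_missing=True)` form used string lookup and did not have this problem. Use subscript access on both lines: `key: "{{ item['keys'] | join('\n') }}"` and `when: item['keys'] is defined`. This is worth verifying on a throwaway host before rollout, because the task also sets `exclusive: true`, so whatever it renders replaces the user's whole authorized_keys file. Note as well that the `when` skips entries with no `keys`, so such a user keeps any pre-existing keys rather than being emptied; confirm that is the intended semantics for an "enforce" task and document it in a comment on the task if so.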