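---
# Provision local accounts, pin each account's SSH authorized keys, and grant
# passwordless sudo through per-user drop-ins under /etc/sudoers.d.
- name: Ensure users, SSH keys, and passwordless sudo
  hosts: all
  become: true
  vars:
    # Per-user entry:
    #   name          - login name (also used for the sudoers.d file name)
    #   shell         - login shell
    #   groups        - extra supplementary groups to add (may be empty)
    #   sudo_nopasswd - add the distro admin group and a NOPASSWD drop-in
    #   keys          - the complete set of authorized public keys; anything
    #                   not listed here is removed (see exclusive: true below)
    users:
      - name: automation
        shell: /bin/bash
        groups: []
        sudo_nopasswd: true
        keys:
          - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEx+ltCKNIEM7F4PzGLv22cIu7N0Fpn5gxwV02xq0GS9 automation@im.cz"
      - name: hellsos
        shell: /bin/bash
        groups: []
        sudo_nopasswd: true
        keys:
          - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhfQt1VNQo8EbIog4yjU5VEF3mTyMEC7o1Qe95X4JwG jan@rabcan.cz"
      - name: jim
        shell: /bin/bash
        groups: []
        sudo_nopasswd: true
        keys:
          - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFS4fsqMjMMu/Bi/884bw7yJBqvWusDRESvanH6Owco jakub@jimbuntu"

  tasks:
    - name: Pick sudo group per distro
      ansible.builtin.set_fact:
        # 'wheel' on RedHat/SUSE families, 'sudo' everywhere else (Debian
        # family). Values in the list that are distribution names rather than
        # os_family values are harmless redundancy.
        sudo_group: >-
          {{ 'wheel' if ansible_facts.os_family in
             ['RedHat', 'Rocky', 'AlmaLinux', 'Fedora', 'OracleLinux', 'Suse']
             else 'sudo' }}

    - name: Ensure user exists (creates home)
      ansible.builtin.user:
        name: "{{ item.name }}"
        shell: "{{ item.shell | default(omit) }}"
        # Declared groups plus the admin group when sudo_nopasswd is set.
        # The whole parameter is omitted when nothing would be added, so an
        # empty list never touches existing memberships.
        groups: >-
          {{ ((item.groups | default([]))
              + ([sudo_group] if item.sudo_nopasswd | default(false) else []))
             | unique | join(',')
             if ((item.groups | default([]) | length > 0)
                 or item.sudo_nopasswd | default(false))
             else omit }}
        append: true
        create_home: true
        state: present
      loop: "{{ users }}"

    - name: Enforce authorized SSH keys
      ansible.builtin.authorized_key:
        user: "{{ item.name }}"
        # Bracket lookup is required here: in Jinja2 `item.keys` resolves to
        # the dict's keys() method, not to the 'keys' entry, so the dotted
        # form never yields the key list.
        key: "{{ item['keys'] | join('\n') }}"
        state: present
        manage_dir: true
        # Removes every key in the user's authorized_keys that is not in the
        # inventory list above, so stray or leftover keys do not persist.
        exclusive: true
      loop: "{{ users }}"
      when: item['keys'] is defined

    - name: Grant passwordless sudo via sudoers.d
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/{{ item.name }}"
        owner: root
        group: root
        # sudo refuses drop-ins that are world-readable or writable.
        mode: '0440'
        content: |
          # Managed by Ansible
          {{ item.name }} ALL=(ALL) NOPASSWD:ALL
        # visudo rejects a syntactically broken file before it is installed,
        # which keeps a bad drop-in from disabling sudo on the host.
        validate: 'visudo -cf %s'
      when: item.sudo_nopasswd | default(false)
      loop: "{{ users }}"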