ansible/users-ssh.yml
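---
# users-ssh-nopasswd.yml
#
# Creates local accounts, installs their SSH public keys and, per user,
# grants passwordless sudo through a drop-in file in /etc/sudoers.d.
#
# Security notes for whoever maintains this list:
#   * `sudo_nopasswd: true` makes possession of the listed SSH private key
#     equivalent to root on every host in the inventory. Keep this to the
#     accounts that genuinely need it and rotate keys when people leave.
#   * Keys are only ever added: a key dropped from `keys` stays in
#     ~/.ssh/authorized_keys on hosts that already received it, because
#     authorized_key runs without `exclusive`. Revoke removed keys with a
#     separate `state: absent` run.
#   * Flipping `sudo_nopasswd` to false removes the sudoers drop-in (last
#     task) but does not take the account out of the sudo/wheel group, since
#     the `user` task runs with `append: true`. Remove that membership by hand
#     if the account must lose sudo entirely.
- name: Ensure users, SSH keys, and passwordless sudo
  hosts: all
  gather_facts: true  # ansible_facts.os_family is read below
  become: true
  become_user: root
  become_method: sudo
  vars:
    users:
      - name: automation
        shell: /bin/bash
        # optional extra groups besides sudo/wheel
        groups: []
        sudo_nopasswd: true
        keys:
          - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEx+ltCKNIEM7F4PzGLv22cIu7N0Fpn5gxwV02xq0GS9 automation@im.cz"
      - name: hellsos
        shell: /bin/bash
        groups: []
        sudo_nopasswd: true
        keys:
          - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhfQt1VNQo8EbIog4yjU5VEF3mTyMEC7o1Qe95X4JwG jan@rabcan.cz"
      - name: jim
        shell: /bin/bash
        groups: []
        sudo_nopasswd: true
        keys:
          - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFS4fsqMjMMu/Bi/884bw7yJBqvWusDRESvanH6Owco jakub@jimbuntu"
  tasks:
    - name: Pick sudo group per distro
      # Ansible reports Rocky/Alma/Fedora/Oracle with os_family 'RedHat', so
      # the extra names are redundant but harmless; anything else falls back
      # to the Debian-style 'sudo' group.
      ansible.builtin.set_fact:
        sudo_group: "{{ 'wheel' if ansible_facts.os_family in ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse'] else 'sudo' }}"

    - name: Ensure user exists (creates home)
      ansible.builtin.user:
        name: "{{ item.name }}"
        shell: "{{ item.shell | default('/bin/bash') }}"
        # Requested extra groups plus the distro sudo group when passwordless
        # sudo is wanted. When that list would be empty the argument is
        # omitted so the module does not touch existing group membership.
        groups: >-
          {{ (
               (item.groups | default([]))
               + ([sudo_group] if item.sudo_nopasswd | default(false) else [])
             ) | unique | join(',') if
             ((item.groups | default([])) | length > 0) or (item.sudo_nopasswd | default(false))
             else omit }}
        append: true
        create_home: true
        state: present
      loop: "{{ users }}"

    - name: Install authorized SSH keys
      # Not `exclusive`: keys already on the host but absent from `keys` are
      # left in place (see header). subelements is used rather than
      # `item.keys`, which Jinja resolves to the dict method, not the list.
      ansible.builtin.authorized_key:
        user: "{{ item.0.name }}"
        key: "{{ item.1 }}"
        state: present
        manage_dir: true
      loop: "{{ users | subelements('keys', skip_missing=True) }}"

    - name: Grant passwordless sudo via sudoers.d
      # sudoers(5): files in /etc/sudoers.d whose name contains a '.' or ends
      # in '~' are ignored. Dots in the account name are mapped to '_' so the
      # drop-in cannot validate, get written and then silently never apply.
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/{{ item.name | replace('.', '_') }}"
        owner: root
        group: root
        mode: '0440'
        # Trailing newline so the single rule is a complete line.
        content: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL\n"
        # Refuse to install anything visudo rejects: a malformed drop-in can
        # break sudo for every administrator on the host.
        validate: 'visudo -cf %s'
      when: item.sudo_nopasswd | default(false)
      loop: "{{ users }}"

    - name: Revoke passwordless sudo when it is no longer requested
      # Without this task, setting sudo_nopasswd to false leaves the
      # previously written drop-in (and thus root access) on hosts that
      # already received it. No-op for accounts that never had one.
      ansible.builtin.file:
        path: "/etc/sudoers.d/{{ item.name | replace('.', '_') }}"
        state: absent
      when: not (item.sudo_nopasswd | default(false))
      loop: "{{ users }}"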