Initial ansible onboard
This commit is contained in:
@@ -0,0 +1,35 @@
|
||||
---
|
||||
- name: Read salt from environment
|
||||
ansible.builtin.set_fact:
|
||||
user_password_salt: "{{ lookup('env', 'USER_PASSWORD_SALT') | default('') }}"
|
||||
|
||||
- name: Adding ssh users
|
||||
become: true
|
||||
ansible.builtin.user:
|
||||
name: "{{ item.username }}"
|
||||
comment: "{{ item.comment }} ( Managed by ansible )"
|
||||
password: "{{ lookup('env', 'USER_PASSWORD_' + (item.username | upper)) | password_hash('sha512', user_password_salt) }}"
|
||||
state: "{{ 'absent' if item.enabled is defined and not item.enabled else 'present' }}"
|
||||
shell: "{{ item.shell if item.shell is defined else '/bin/bash' }}"
|
||||
loop: "{{ ssh_users }}"
|
||||
|
||||
- name: "Add SSH Authorized key"
|
||||
become: true
|
||||
ansible.posix.authorized_key:
|
||||
user: "{{ item.username }}"
|
||||
key: "{{ item.pubkey }}"
|
||||
state: "{{ 'present' if item.pubkey is defined else 'absent' }}"
|
||||
when: item.pubkey is defined
|
||||
loop: "{{ ssh_users }}"
|
||||
|
||||
- name: Create sudoers.d entry if user allowed
|
||||
become: true
|
||||
ansible.builtin.copy:
|
||||
dest: "/etc/sudoers.d/{{ item.username }}"
|
||||
content: |
|
||||
{{ item.username }} ALL=(ALL) ALL
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0600"
|
||||
when: item.sudoer is defined and item.sudoer
|
||||
loop: "{{ ssh_users }}"
|
||||
Reference in New Issue
Block a user