create dedicated ansible user

2022-08-30 14:18:17 +02:00 · 2022-08-30 14:18:17 +02:00 · 52cbd1f6b5
parent 0bda092249
commit 52cbd1f6b5
5 changed files with 53 additions and 4 deletions
--- a/hosts.yml
+++ b/hosts.yml
@ -2,6 +2,6 @@ all:
  hosts:
    snitch:
      ansible_host: snitch
-      ansible_user: rilla
+      ansible_user: ansible
      ansible_port: 22
      ansible_python_interpreter: /usr/bin/python3
--- a/roles/basic/tasks/main.yml
+++ b/roles/basic/tasks/main.yml
@ -16,3 +16,35 @@
    groups:
      - rilla
      - wheel
+
+- name: create group 'ansible'
+  group:
+    name: ansible
+    gid: 501
+
+- name: create user 'ansible'
+  user:
+    name: ansible
+    uid: 501
+    group: ansible
+    home: /var/lib/ansible
+    password: "*"  # disabled password but can be accessed with SSH
+    groups:
+      - ansible
+      - wheel
+
+- name: make sure ansible owns its home
+  file:
+    state: directory
+    path: /var/lib/ansible
+    owner: ansible
+    group: ansible
+    mode: '2755'
+
+- name: commit ansible's home to lbu
+  lbu:
+    include:
+      - /var/lib/ansible
+    exclude:
+      - /var/lib/ansible/.ansible
+  when: ansible_distribution == "Alpine"
--- a/roles/sshd/files/public_keys/ansible
+++ b/roles/sshd/files/public_keys/ansible
@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCpMZP3Oa6Ky6rEGoo9dEWqDk3d1iX5Cjgug5TBxvmS0NV82wx8t3w9Lbt2LOLuEHY5HjRxdIwCslt3YSy73qYCVCGCRVADRPsg6Hfhxf9xeAs5PAQ0Y0Ig90XcTWh9wm43ahOFX6Pr2DBkSO88fUbbhVr99jyMppOOo1MzJLzreU90hJ+0f8pMWVjc/X6M3ukivseeT26sACq+RLPAB+xCOakQC6ILP5ICZuu+uqGyXr8dziz+XPnwbXTO76vwxvA+svFB/lC+EkAb0TGc7pW7yhXCKBFtKCuQyJ14OGzqm0x1YkLaS/ZBK3MFBAp1rH9JsyT5uxzUO81LJSUcfFnNzerrLSZulF1RxVw0ElvafEnZIOu8qQYzREOmR2azw3LAcefvocaBHmc1fB5ppLD6vY+8hqYgBMt6qLiaB8fhwh/Yt2EOwvflMiu9h6J9hwAuQnGEo46N04rFHZR1mat/VUwyiMlJRdFWcV2hH4Ngy2d9Jx1rXmo2I2V5EpGSTjU= ansible user
--- a/roles/sshd/tasks/alpine.yml
+++ b/roles/sshd/tasks/alpine.yml
@ -1,8 +1,14 @@
- name: commit ssh public keys with lbu
+- name: commit rilla's authorized ssh keys
  lbu:
    include:
      - /home/rilla/.ssh/authorized_keys
-  when: ssh_keys.changed
+  when: rilla_keys.changed
+
+- name: commit ansible's authorized ssh keys
+  lbu:
+    include:
+      - /var/lib/ansible/.ssh/authorized_keys
+  when: ansible_keys.changed

 - name: install openssh
  apk:
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@ -5,7 +5,17 @@
    path: /home/rilla/.ssh/authorized_keys
  with_file:
    - public_keys/yubikey
-  register: ssh_keys
+  register: rilla_keys
+
+- name: set ansible's authorized keys
+  authorized_key:
+    user: ansible
+    key: '{{ item }}'
+    path: /var/lib/ansible/.ssh/authorized_keys
+  with_file:
+    - public_keys/yubikey
+    - public_keys/ansible
+  register: ansible_keys

 - name: set sshd config
  template:
				`@ -0,0 +1 @@`
				ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCpMZP3Oa6Ky6rEGoo9dEWqDk3d1iX5Cjgug5TBxvmS0NV82wx8t3w9Lbt2LOLuEHY5HjRxdIwCslt3YSy73qYCVCGCRVADRPsg6Hfhxf9xeAs5PAQ0Y0Ig90XcTWh9wm43ahOFX6Pr2DBkSO88fUbbhVr99jyMppOOo1MzJLzreU90hJ+0f8pMWVjc/X6M3ukivseeT26sACq+RLPAB+xCOakQC6ILP5ICZuu+uqGyXr8dziz+XPnwbXTO76vwxvA+svFB/lC+EkAb0TGc7pW7yhXCKBFtKCuQyJ14OGzqm0x1YkLaS/ZBK3MFBAp1rH9JsyT5uxzUO81LJSUcfFnNzerrLSZulF1RxVw0ElvafEnZIOu8qQYzREOmR2azw3LAcefvocaBHmc1fB5ppLD6vY+8hqYgBMt6qLiaB8fhwh/Yt2EOwvflMiu9h6J9hwAuQnGEo46N04rFHZR1mat/VUwyiMlJRdFWcV2hH4Ngy2d9Jx1rXmo2I2V5EpGSTjU= ansible user