From 52cbd1f6b59a446600a67e41aeae1c432831b6c1 Mon Sep 17 00:00:00 2001 From: Ricard Illa Date: Tue, 30 Aug 2022 14:18:17 +0200 Subject: [PATCH] create dedicated ansible user --- hosts.yml | 2 +- roles/basic/tasks/main.yml | 32 ++++++++++++++++++++++++++++ roles/sshd/files/public_keys/ansible | 1 + roles/sshd/tasks/alpine.yml | 10 +++++++-- roles/sshd/tasks/main.yml | 12 ++++++++++- 5 files changed, 53 insertions(+), 4 deletions(-) create mode 100644 roles/sshd/files/public_keys/ansible diff --git a/hosts.yml b/hosts.yml index aa97b8a..51cf29f 100644 --- a/hosts.yml +++ b/hosts.yml @@ -2,6 +2,6 @@ all: hosts: snitch: ansible_host: snitch - ansible_user: rilla + ansible_user: ansible ansible_port: 22 ansible_python_interpreter: /usr/bin/python3 diff --git a/roles/basic/tasks/main.yml b/roles/basic/tasks/main.yml index 7ef1e9f..bf6663d 100644 --- a/roles/basic/tasks/main.yml +++ b/roles/basic/tasks/main.yml @@ -16,3 +16,35 @@ groups: - rilla - wheel + +- name: create group 'ansible' + group: + name: ansible + gid: 501 + +- name: create user 'ansible' + user: + name: ansible + uid: 501 + group: ansible + home: /var/lib/ansible + password: "*" # disabled password but can be accessed with SSH + groups: + - ansible + - wheel + +- name: make sure ansible owns its home + file: + state: directory + path: /var/lib/ansible + owner: ansible + group: ansible + mode: '2755' + +- name: commit ansible's home to lbu + lbu: + include: + - /var/lib/ansible + exclude: + - /var/lib/ansible/.ansible + when: ansible_distribution == "Alpine" diff --git a/roles/sshd/files/public_keys/ansible b/roles/sshd/files/public_keys/ansible new file mode 100644 index 0000000..422c610 --- /dev/null +++ b/roles/sshd/files/public_keys/ansible @@ -0,0 +1 @@ +ssh-rsa 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 ansible user diff --git a/roles/sshd/tasks/alpine.yml b/roles/sshd/tasks/alpine.yml index 109ec75..9568518 100644 --- a/roles/sshd/tasks/alpine.yml +++ b/roles/sshd/tasks/alpine.yml 
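Review bot: Switching `ansible_user` to `ansible` in hosts.yml makes a not-yet-provisioned host unreachable on its first run, because that account is only created by the `basic` role in this same patch (uid 501, home `/var/lib/ansible`), so the bootstrap still has to connect as `rilla`. That ordering is easy to forget once the inventory no longer mentions it; a comment next to the changed line would record it: `# first run on a fresh host: -e ansible_user=rilla (the ansible account is created by roles/basic)`. The hunk shows only the inventory, so the exact bootstrap procedure used is inferred, not visible.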
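Review bot: `mode: '2755'` on `/var/lib/ansible` makes the automation account's home world-readable and sets the setgid bit, which is an unusual choice for a service account: anything Ansible drops there (fact caches, temp files under `.ansible`) is then listable by every local user, and nothing in the hunk explains why setgid is wanted. `.ssh` itself is normally created 0700 by the `authorized_key` module, so the keys are probably not exposed, but `mode: '0750'` is the safer default unless the setgid/world-read is deliberate, in which case a one-line comment should say so. Separately, the user is placed in `wheel` with `password: "*"`, so every `become` task will depend on passwordless sudo/doas being configured for wheel somewhere outside this patch; a comment on the `wheel` line pointing at that config (`# wheel is granted nopass become in roles/… — required since the password is locked`) would save the next reader a trip.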
@@ -1,8 +1,14 @@ -- name: commit ssh public keys with lbu +- name: commit rilla's authorized ssh keys lbu: include: - /home/rilla/.ssh/authorized_keys - when: ssh_keys.changed + when: rilla_keys.changed + +- name: commit ansible's authorized ssh keys + lbu: + include: + - /var/lib/ansible/.ssh/authorized_keys + when: ansible_keys.changed - name: install openssh apk: diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml index b8db550..075ca81 100644 --- a/roles/sshd/tasks/main.yml +++ b/roles/sshd/tasks/main.yml @@ -5,7 +5,17 @@ path: /home/rilla/.ssh/authorized_keys with_file: - public_keys/yubikey - register: ssh_keys + register: rilla_keys + +- name: set ansible's authorized keys + authorized_key: + user: ansible + key: '{{ item }}' + path: /var/lib/ansible/.ssh/authorized_keys + with_file: + - public_keys/yubikey + - public_keys/ansible + register: ansible_keys - name: set sshd config template:
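Review bot: The new "commit ansible's authorized ssh keys" task in alpine.yml includes `/var/lib/ansible/.ssh/authorized_keys`, but the `basic` role in this same patch already lbu-includes the whole `/var/lib/ansible` directory (excluding only `.ansible`), so this include appears redundant. Either the basic-role include should be narrowed to what actually needs persisting or this task dropped; keeping both leaves two places that must agree on what of the ansible home survives a reboot. If the duplication is intentional as a belt-and-braces measure, a short comment such as `# also covered by the /var/lib/ansible include in roles/basic` would make that clear.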
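Review bot: The new "set ansible's authorized keys" task is additive, so a key later removed from the `with_file` list stays authorized on the host — for a dedicated automation account whose whole point is clean key rotation, revocation should be explicit. `authorized_key` supports `exclusive: true`, but it is not loop-aware, so the two files should be joined into one `key` value instead of iterated: `key: "{{ lookup('file', 'public_keys/yubikey') }}\n{{ lookup('file', 'public_keys/ansible') }}"` with `exclusive: true` and the `with_file` removed; `ansible_keys.changed` keeps working without the loop. Also worth a comment: authorizing the yubikey on the `ansible` account as well as on rilla's means a human can log in directly as the automation user, which blurs the audit trail — if that is a deliberate break-glass path, say so next to `- public_keys/yubikey`; otherwise the automation account should carry only its own key.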