create dedicated ansible user

2022-08-30 14:18:17 +02:00 · 2022-08-30 14:18:17 +02:00 · 52cbd1f6b5
parent 0bda092249
commit 52cbd1f6b5
5 changed files with 53 additions and 4 deletions
--- a/hosts.yml
+++ b/hosts.yml
@ -2,6 +2,6 @@ all:
  hosts:
    snitch:
      ansible_host: snitch
-      ansible_user: rilla
+      ansible_user: ansible
      ansible_port: 22
      ansible_python_interpreter: /usr/bin/python3
--- a/roles/basic/tasks/main.yml
+++ b/roles/basic/tasks/main.yml
@ -16,3 +16,35 @@
    groups:
      - rilla
      - wheel
 - name: create group 'ansible'
  group:
    name: ansible
    gid: 501
 - name: create user 'ansible'
  user:
    name: ansible
    uid: 501
    group: ansible
    home: /var/lib/ansible
    password: "*"  # disabled password but can be accessed with SSH
    groups:
      - ansible
      - wheel
 - name: make sure ansible owns its home
  file:
    state: directory
    path: /var/lib/ansible
    owner: ansible
    group: ansible
    mode: '2755'
 - name: commit ansible's home to lbu
  lbu:
    include:
      - /var/lib/ansible
    exclude:
      - /var/lib/ansible/.ansible
  when: ansible_distribution == "Alpine"
--- a/roles/sshd/files/public_keys/ansible
+++ b/roles/sshd/files/public_keys/ansible
@ -0,0 +1 @@
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCpMZP3Oa6Ky6rEGoo9dEWqDk3d1iX5Cjgug5TBxvmS0NV82wx8t3w9Lbt2LOLuEHY5HjRxdIwCslt3YSy73qYCVCGCRVADRPsg6Hfhxf9xeAs5PAQ0Y0Ig90XcTWh9wm43ahOFX6Pr2DBkSO88fUbbhVr99jyMppOOo1MzJLzreU90hJ+0f8pMWVjc/X6M3ukivseeT26sACq+RLPAB+xCOakQC6ILP5ICZuu+uqGyXr8dziz+XPnwbXTO76vwxvA+svFB/lC+EkAb0TGc7pW7yhXCKBFtKCuQyJ14OGzqm0x1YkLaS/ZBK3MFBAp1rH9JsyT5uxzUO81LJSUcfFnNzerrLSZulF1RxVw0ElvafEnZIOu8qQYzREOmR2azw3LAcefvocaBHmc1fB5ppLD6vY+8hqYgBMt6qLiaB8fhwh/Yt2EOwvflMiu9h6J9hwAuQnGEo46N04rFHZR1mat/VUwyiMlJRdFWcV2hH4Ngy2d9Jx1rXmo2I2V5EpGSTjU= ansible user
--- a/roles/sshd/tasks/alpine.yml
+++ b/roles/sshd/tasks/alpine.yml
@ -1,8 +1,14 @@
- name: commit ssh public keys with lbu
+- name: commit rilla's authorized ssh keys
  lbu:
    include:
      - /home/rilla/.ssh/authorized_keys
-  when: ssh_keys.changed
+  when: rilla_keys.changed
 - name: commit ansible's authorized ssh keys
  lbu:
    include:
      - /var/lib/ansible/.ssh/authorized_keys
  when: ansible_keys.changed
 - name: install openssh
  apk:
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@ -5,7 +5,17 @@
    path: /home/rilla/.ssh/authorized_keys
  with_file:
    - public_keys/yubikey
-  register: ssh_keys
+  register: rilla_keys
 - name: set ansible's authorized keys
  authorized_key:
    user: ansible
    key: '{{ item }}'
    path: /var/lib/ansible/.ssh/authorized_keys
  with_file:
    - public_keys/yubikey
    - public_keys/ansible
  register: ansible_keys
 - name: set sshd config
  template:
		`@ -0,0 +1 @@`
							ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCpMZP3Oa6Ky6rEGoo9dEWqDk3d1iX5Cjgug5TBxvmS0NV82wx8t3w9Lbt2LOLuEHY5HjRxdIwCslt3YSy73qYCVCGCRVADRPsg6Hfhxf9xeAs5PAQ0Y0Ig90XcTWh9wm43ahOFX6Pr2DBkSO88fUbbhVr99jyMppOOo1MzJLzreU90hJ+0f8pMWVjc/X6M3ukivseeT26sACq+RLPAB+xCOakQC6ILP5ICZuu+uqGyXr8dziz+XPnwbXTO76vwxvA+svFB/lC+EkAb0TGc7pW7yhXCKBFtKCuQyJ14OGzqm0x1YkLaS/ZBK3MFBAp1rH9JsyT5uxzUO81LJSUcfFnNzerrLSZulF1RxVw0ElvafEnZIOu8qQYzREOmR2azw3LAcefvocaBHmc1fB5ppLD6vY+8hqYgBMt6qLiaB8fhwh/Yt2EOwvflMiu9h6J9hwAuQnGEo46N04rFHZR1mat/VUwyiMlJRdFWcV2hH4Ngy2d9Jx1rXmo2I2V5EpGSTjU= ansible user