File tree Expand file tree Collapse file tree 6 files changed +144
-5
lines changed Expand file tree Collapse file tree 6 files changed +144
-5
lines changed Original file line number Diff line number Diff line change @@ -6,11 +6,12 @@ This Ansible collection provides a set of roles designed for configuring Kubuntu
66
77### Roles
88
9- | Role | Description | Dependencies |
10- | ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------- |
11- | [ xebis.ansible.apt] ( roles/apt/README.md ) | Deb package updates and upgrades using the apt package manager. Can optionally clean up unused packages and reboot the system if required. | ` xebis.ansible.system ` |
12- | ` xebis.ansible.openssh_server ` | Installs OpenSSH server installation and provides ` Restart ssh ` handler. | ` xebis.ansible.apt ` |
13- | [ xebis.ansible.system] ( roles/system/README.md ) | System-related tasks such as reboot handler or reboot when required handler. | |
9+ | Role | Description | Dependencies |
10+ | ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------ |
11+ | [ xebis.ansible.apt] ( roles/apt/README.md ) | Deb package updates and upgrades using the apt package manager. Can optionally clean up unused packages and reboot the system if required. | ` xebis.ansible.system ` |
12+ | ` xebis.ansible.openssh_server ` | Installs OpenSSH server installation and provides ` Restart ssh ` handler. | ` xebis.ansible.apt ` |
13+ | [ xebis.ansible.system] ( roles/system/README.md ) | System-related tasks such as reboot handler or reboot when required handler. | |
14+ | [ ` xebis.ansible.users ` ] ( roles/users/README.md ) | Ansible role for managing system users. | ` xebis.ansible.openssh_server ` |
1415
1516## Contributing
1617
Original file line number Diff line number Diff line change 1+ # Xebis.Ansible.Users
2+
3+ Ansible role for managing system users.
4+
5+ ## Tasks
6+
7+ - Create users and user groups
8+ - Grant admin (sudo) access
9+ - Manage SSH keys
10+ - Fine tune SSH authentication settings
11+
12+ ``` yaml
13+ ---
14+ - hosts : all
15+ roles :
16+ - role : xebis.ansible.users
17+ vars :
18+ passwordless_sudo : true
19+ ssh_password_login : false
20+ users :
21+ - user : example
22+ admin : true
23+ ssh_keys_urls :
24+ - https://github.com/example.keys
25+ ` ` `
26+
27+ ## Variables
28+
29+ - ` ssh_password_login` [boolean]
30+ - Enables or disables password-based SSH authentication.
31+ - Default `true`
32+ - ` passwordless_sudo` [boolean]
33+ - Grants sudo privileges without a password when set to true.
34+ - Default `false`
35+ - ` users` [list]
36+ - List of users to be created. See structure below.
37+ - Default `[]`.
38+ - The structure :
39+ - ` user` [string]
40+ - Username.
41+ - Required parameter.
42+ - ` admin` [boolean]
43+ - Adds user to the `sudo` group.
44+ - Default `false`
45+ - ` ssh_keys` [list]
46+ - List of SSH public keys for the user.
47+ - Default `[]`
48+ - ` ssh_keys_urls` [list]
49+ - URLs pointing to SSH public keys (e.g., GitHub keys).
50+ - Default `[]`
51+
52+ # # Handlers
53+
54+ - ` Disable password SSH login`
55+ - When `ssh_password_login` is set to `false` disables password SSH login, only SSH keys are allowed.
Original file line number Diff line number Diff line change 1+ ---
2+ - name : Disable password SSH login
3+ become : true
4+ ansible.builtin.lineinfile :
5+ dest : /etc/ssh/sshd_config
6+ regexp : ^(#\s*)?PasswordAuthentication
7+ line : PasswordAuthentication no
8+ when : ssh_password_login | default(true)
9+ listen : Disable password SSH login
10+ notify : Restart ssh
Original file line number Diff line number Diff line change 1+ ---
2+ dependencies :
3+ - role : xebis.ansible.openssh_server # Uses "Restart ssh" handler
Original file line number Diff line number Diff line change 1+ ---
2+ - name : Add user groups
3+ become : true
4+ ansible.builtin.group :
5+ name : " {{ item.user }}"
6+ state : present
7+ loop : " {{ users }}"
8+
9+ - name : Add sudo group as passwordless sudoer
10+ become : true
11+ ansible.builtin.lineinfile :
12+ dest : /etc/sudoers.d/xebis-ansible-users
13+ create : true
14+ regexp : ^%sudo
15+ line : " %sudo ALL=(ALL) NOPASSWD: ALL"
16+ state : present
17+ validate : visudo -cf %s
18+ when : passwordless_sudo | default(false)
19+
20+ - name : Add admins
21+ become : true
22+ ansible.builtin.user :
23+ name : " {{ item.user }}"
24+ group : " {{ item.user }}"
25+ groups :
26+ - sudo
27+ - users
28+ shell : /bin/bash
29+ state : present
30+ loop : " {{ users }}"
31+ when : item.admin
32+
33+ - name : Add users
34+ become : true
35+ ansible.builtin.user :
36+ name : " {{ item.user }}"
37+ group : " {{ item.user }}"
38+ groups :
39+ - users
40+ shell : /bin/bash
41+ state : present
42+ loop : " {{ users }}"
43+ when : not item.admin
44+
45+ - name : Add SSH authorized key lists
46+ become : true
47+ ansible.posix.authorized_key :
48+ user : " {{ item.0.user }}"
49+ key : " {{ lookup('url', item.1, split_lines=False) }}"
50+ state : present
51+ loop : " {{ users | subelements('ssh_keys_urls', skip_missing=true) }}"
52+ notify : Disable password SSH login
53+
54+ - name : Add SSH authorized keys
55+ become : true
56+ ansible.posix.authorized_key :
57+ user : " {{ item.0.user }}"
58+ key : " {{ item.1 }}"
59+ state : present
60+ loop : " {{ users | subelements('ssh_keys', skip_missing=true) }}"
61+ notify : Disable password SSH login
Original file line number Diff line number Diff line change 99 purge : true
1010 upgrade : " full"
1111 - role : xebis.ansible.openssh_server
12+ - role : xebis.ansible.users
13+ vars :
14+ passwordless_sudo : true
15+ ssh_password_login : false
16+ users :
17+ - user : mb
18+ admin : true
19+ ssh_keys_urls :
20+ - https://github.com/bruzina.keys
You can’t perform that action at this time.
0 commit comments