fix: update bot user permissions

2024-12-09 13:10:38 -03:00 · 2024-12-09 13:10:38 -03:00 · 89a7bfa789
commit 89a7bfa789
parent 7a0d18b97f
2 changed files with 56 additions and 13 deletions
--- a/playbooks/setup/alpine.yaml
+++ b/playbooks/setup/alpine.yaml
@ -4,15 +4,15 @@
 - name: Setup an alpine machine
  hosts: homelab
  user: root
+  vars_files:
+    ../../variables/secrets.yaml
  vars:
    # alpine_version: v3.19
    alpine_version: latest-stable
    robo:
-      authorized_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPiEGbVaaSJq/9hGaou3gd6m4Jzyj4AIgCL5wGTxVz1"
+      authorized_key: "{{ users.robo.ssh_keys.pub }}"
      allowed_commands:
-        - "docker ps"
-  vars_files:
-    ../../variables/secrets.yaml
+        - "docker system dial-stdio"
  tasks:
    - name: Change login message
      template:
@ -49,6 +49,15 @@
        line: 'PasswordAuthentication no'
        state: present

+    - name: Disable password authentication for SSH
+      become: true
+      notify: Restart sshd
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?PubkeyAuthentication'
+        line: 'PubkeyAuthentication yes'
+        state: present
+
    - name: Allow users of the weel group to use doas command
      become: true
      ansible.builtin.lineinfile:
@ -74,14 +83,19 @@
      ansible.builtin.user:
        name: robo
        system: true
+        shell: /bin/sh
+        password: "*"
        create_home: true
-        groups: nogroup
+        groups:
+          - nogroup
+          - docker
        state: present

    - name: Add SSH public key for robo user
      ansible.posix.authorized_key:
        user: robo
        state: present
+        exclusive: true
        key: "{{ robo.authorized_key }}"
        key_options: "command=\"{{ robo.allowed_commands | join('; ') }}\""