39 lines
1.3 KiB
YAML
39 lines
1.3 KiB
YAML
# yaml-language-server: $schema=https://raw.githubusercontent.com/ansible/ansible-lint/refs/heads/main/src/ansiblelint/schemas/tasks.json
|
|
|
|
- name: Setup users
|
|
loop: "{{ users }}"
|
|
ansible.builtin.user:
|
|
state: present
|
|
name: "{{ item.name }}"
|
|
system: "{{ item.system }}"
|
|
shell: "{{ item.shell }}"
|
|
create_home: true
|
|
password: "{{ (item.password != '!' or item.password != '*') | ternary(item.password | password_hash('sha512'), item.password) }}"
|
|
groups: "{{ item.groups + (extra_groups | default([])) }}"
|
|
|
|
- name: Add SSH public key to users
|
|
loop: "{{ users }}"
|
|
ansible.posix.authorized_key:
|
|
user: "{{ item.name }}"
|
|
state: present
|
|
exclusive: true
|
|
key: "{{ item.ssh_keys.pub }}"
|
|
key_options: "{{ 'command=\"' + robo_allowed_commands | join('; ') + '\"' if robo_allowed_commands is defined and item.name == 'robo' else omit }}"
|
|
|
|
- name: Disable password authentication for SSH
|
|
become: true
|
|
notify: Restart sshd
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '^#?PasswordAuthentication'
|
|
line: 'PasswordAuthentication no'
|
|
state: present
|
|
|
|
- name: Allow authentication via ssh keys
|
|
become: true
|
|
notify: Restart sshd
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '^#?PubkeyAuthentication'
|
|
line: 'PubkeyAuthentication yes'
|
|
state: present
|