Enforce the ssh keys.

Andrea Dell'Amico 2023-09-21 13:49:33 +02:00
parent dbcc203822
commit e919807bd7
Signed by: adellam
GPG Key ID: 147ABE6CEB9E20FF
1 changed files with 4 additions and 44 deletions


@ -54,6 +54,7 @@
password: "{{ item.password | default('*') }}" password: "{{ item.password | default('*') }}"
update_password: "{{ item.update_password | default('on_create') }}" update_password: "{{ item.update_password | default('on_create') }}"
state: "{{ item.state | default('present') }}" state: "{{ item.state | default('present') }}"
force: true
loop: '{{ users_system_users }}' loop: '{{ users_system_users }}'
no_log: true no_log: true
@ -61,6 +62,7 @@
ansible.posix.authorized_key: ansible.posix.authorized_key:
user: "{{ item.login }}" user: "{{ item.login }}"
key: "{{ item.ssh_key }}" key: "{{ item.ssh_key }}"
exclusive: true
state: present state: present
loop: '{{ users_system_users }}' loop: '{{ users_system_users }}'
when: item.ssh_key is defined when: item.ssh_key is defined
@ -74,28 +76,6 @@
when: when:
- item.admin - item.admin
- name: Ensure that the users can login with their ssh keys as root when needed
ansible.posix.authorized_key:
user: root
key: "{{ item.ssh_key }}"
state: present
loop: '{{ users_system_users }}'
when:
- item.ssh_key is defined
- item.log_as_root is defined
- item.log_as_root
- name: Ensure that the users can not login with their ssh keys as root
ansible.posix.authorized_key:
user: root
key: "{{ item.ssh_key }}"
state: absent
loop: '{{ users_system_users }}'
when:
- item.ssh_key is defined
- item.log_as_root is defined
- not item.log_as_root
- name: Manage additional users - name: Manage additional users
tags: users tags: users
block: block:
@ -112,6 +92,7 @@
password: "{{ item.password | default('*') }}" password: "{{ item.password | default('*') }}"
update_password: "{{ item.update_password | default('on_create') }}" update_password: "{{ item.update_password | default('on_create') }}"
state: "{{ item.state | default('present') }}" state: "{{ item.state | default('present') }}"
force: true
loop: '{{ users_system_users_adjunct }}' loop: '{{ users_system_users_adjunct }}'
no_log: true no_log: true
@ -119,6 +100,7 @@
ansible.posix.authorized_key: ansible.posix.authorized_key:
user: "{{ item.login }}" user: "{{ item.login }}"
key: "{{ item.ssh_key }}" key: "{{ item.ssh_key }}"
exclusive: true
state: present state: present
loop: '{{ users_system_users_adjunct }}' loop: '{{ users_system_users_adjunct }}'
when: item.ssh_key is defined when: item.ssh_key is defined
@ -132,28 +114,6 @@
when: when:
- item.admin - item.admin
- name: Ensure that the additional users can login with their ssh keys as root if we want ensure direct access
ansible.posix.authorized_key:
user: root
key: "{{ item.ssh_key }}"
state: present
loop: '{{ users_system_users_adjunct }}'
when:
- item.ssh_key is defined
- item.log_as_root is defined
- item.log_as_root
- name: Ensure that the additional users cannot login with their ssh keys as root
ansible.posix.authorized_key:
user: root
key: "{{ item.ssh_key }}"
state: absent
loop: '{{ users_system_users_adjunct }}'
when:
- item.ssh_key is defined
- item.log_as_root is defined
- not item.log_as_root
- name: Configure passwordless sudo - name: Configure passwordless sudo
tags: ['users', 'sudo_wheel'] tags: ['users', 'sudo_wheel']
block: block:
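Review bot: Nothing on the new side removes keys that earlier runs placed in root's authorized_keys: the deleted `state: absent` tasks in the `@ -74,28 +76,6` and `@ -132,28 +114,6` hunks were the only cleanup for `log_as_root`, and the new `exclusive: true` only touches each user's own file (`user: "{{ item.login }}"`), so a host where someone once had `log_as_root: true` keeps that root key indefinitely. Unless root's authorized_keys is managed elsewhere, consider one explicit task like `ansible.posix.authorized_key: {user: root, key: "<newline-joined keys of users with log_as_root>", exclusive: true}`, or keep an absent task for revoked grants; the enclosing task list starts and ends outside these hunks. Two caveats from the module docs also apply to the `exclusive: true` lines: the option is not loop-aware, so a login that appears in both `users_system_users` and `users_system_users_adjunct` ends up with only the second list's key, and a user with several keys must supply them as a single newline-separated `ssh_key` string. `force: true` on the user module only matters when `item.state` is `absent`, where it maps to `userdel --force`; check userdel(8) for what that removes on your platform before relying on it for offboarding.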