diff --git a/debian.yml b/debian.yml
index a80ff5f..5e48cde 100644
--- a/debian.yml
+++ b/debian.yml
@@ -3,3 +3,4 @@
 become: yes
 roles:
 - debian
+ - { role: user_mgmt, tags: [user_mgmt]}
diff --git a/group_vars/all.yml b/group_vars/all.yml
new file mode 100644
index 0000000..fd77a4b
--- /dev/null
+++ b/group_vars/all.yml
@@ -0,0 +1,18 @@
+user_mgmt_default:
+ crest:
+ ssh_key:
+ present:
+ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGApbgicmP2yQTxf2YjGVtRo6yGTIFfDRjHg2whJsKp9 crest"
+ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmjzqbR1FPmfgwutxxog/UsbvXHx8uJMDAwBDOjV+XY crest@emma.ccchb.de"
+ absent: []
+ genofire:
+ ssh_key:
+ present:
+ - "ssh-rsa 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 genofire-yubikey"
+ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH8LdgjUiL/MFmA2wM98QAbUEyY/8ixnpettC6kQxKWu genofire@emma.ccchb.de"
+ absent: []
+ fritz:
+ ssh_key:
+ present:
+ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEay33koXmcBcrDuCQKkCBlw/gKiPtwLswATPqIR7udl fritz@fluorine.grimpen.net"
+ absent: []
diff --git a/host_vars/cloud.emma.ccchb.de.yml b/host_vars/cloud.emma.ccchb.de.yml
index 2016859..87608c5 100644
--- a/host_vars/cloud.emma.ccchb.de.yml
+++ b/host_vars/cloud.emma.ccchb.de.yml
@@ -3,7 +3,6 @@ ipv6route: 2a01:4f8:150:926f::4
 ipv4: 10.0.0.1/31
 ipv4route: 10.0.0.0
 dns: 213.133.98.98 8.8.8.8
-default_root_ssh_publickey: "https://fireorbit.de/keys/ssh"
 nginx_acme_mail: "webmaster@ccchb.de"
 nextcloud_domain: "cloud.ccchb.de"
 php_config:
@@ -12,3 +11,11 @@ php_config:
 php_fpm_env:
 - key: 'PATH'
 value: "/usr/local/bin:/usr/bin:/bin"
+
+user_mgmt:
+ crest:
+ created: true
+ groups: sudo
+ genofire:
+ created: true
+ groups: sudo
diff --git a/host_vars/dn42.emma.ccchb.de.yml b/host_vars/dn42.emma.ccchb.de.yml
index cd48516..062fdfb 100644
--- a/host_vars/dn42.emma.ccchb.de.yml
+++ b/host_vars/dn42.emma.ccchb.de.yml
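Review bot: The empty `absent: []` lists in group_vars/all.yml are the only revocation path: the role's `Add ssh-key to user` task only ever runs `authorized_key` with `state: present` over `ssh_key.present`, so deleting an entry from `present` leaves that key authorized on every host where the user is created until it is moved to `absent`. A comment at the top of the file stating that — `# To revoke a key, move it from present to absent; dropping it from present alone changes nothing on already-provisioned hosts` — would prevent a quiet revocation failure. It would also help to note that these lists reach every host in the inventory (group `all`) for which a host's `user_mgmt` sets `created: true`, and that a host-level `ssh_key` override replaces the whole list rather than extending it, since `combine` does not merge lists.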
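Review bot: Dropping `default_root_ssh_publickey` from host_vars/cloud.emma.ccchb.de.yml (and from host_vars/dn42.emma.ccchb.de.yml) together with the `ssh publickey` task in roles/debian/tasks/main.yml removes the task that installed root's key, but nothing runs `authorized_key` with `state: absent` for it, so hosts already provisioned keep a root login the inventory no longer describes. A one-off task with `user: root`, `state: absent` and the same `{{ default_root_ssh_publickey }}` value, kept until every host has been converged once, would close that gap. Separately, `groups: sudo` is a scalar while the role's task falls back to `default([])`; `groups: [sudo]` keeps the value the same type as its fallback.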
@@ -5,4 +5,14 @@ ipv6route: 2a01:4f8:150:926f::6
 ipv4: 10.0.0.3/31
 ipv4route: 10.0.0.2
 dns: 213.133.98.98 8.8.8.8
-default_root_ssh_publickey: "https://fireorbit.de/keys/ssh"
+
+user_mgmt:
+ crest:
+ created: true
+ groups: sudo
+ genofire:
+ created: true
+ groups: sudo
+ fritz:
+ created: true
+ groups: sudo
diff --git a/roles/debian/tasks/main.yml b/roles/debian/tasks/main.yml
index 8f1119b..e79510a 100644
--- a/roles/debian/tasks/main.yml
+++ b/roles/debian/tasks/main.yml
@@ -11,12 +11,6 @@
 checksum: sha256:ad88c76951693c2f9c38773ed2602a9fd5c74431615c4a23aaff679b295919ce
 validate_certs: false
 
-- name: ssh publickey
- authorized_key:
- user: root
- state: present
- key: "{{ default_root_ssh_publickey }}"
-
 - name: Update SSH configuration
 notify: reload sshd
 replace:
diff --git a/roles/user_mgmt/defaults/main.yml b/roles/user_mgmt/defaults/main.yml
new file mode 100644
index 0000000..17874ee
--- /dev/null
+++ b/roles/user_mgmt/defaults/main.yml
@@ -0,0 +1,2 @@
+user_mgmt_default: {}
+user_mgmt: {}
diff --git a/roles/user_mgmt/tasks/main.yml b/roles/user_mgmt/tasks/main.yml
new file mode 100644
index 0000000..00cdb15
--- /dev/null
+++ b/roles/user_mgmt/tasks/main.yml
@@ -0,0 +1,34 @@
+---
+- name: Merge ansible variables for host
+ set_fact: _user_mgmt="{{ user_mgmt_default | combine(user_mgmt, recursive=true) }}"
+
+- name: Add User
+ user:
+ name: "{{ item.key }}"
+ groups: "{{ item.value.groups | default([]) }}"
+ state: present
+ when: item.value.created | default
+ with_dict: "{{ _user_mgmt }}"
+
+- name: Add ssh-key to user
+ authorized_key:
+ user: "{{ item.0.key }}"
+ key: "{{ item.1 }}"
+ state: present
+ when: _user_mgmt[item.0.key].created | default
+ loop: "{{ _user_mgmt |dict2items | subelements('value.ssh_key.present') }}"
+
+- name: Remove ssh-key to user
+ authorized_key:
+ user: "{{ item.0.key }}"
+ key: "{{ item.1 }}"
+ state: absent
+ when: _user_mgmt[item.0.key].created | default
+ loop: "{{ _user_mgmt |dict2items | subelements('value.ssh_key.absent') }}"
+
+- name: Remove user
+ user:
+ name: "{{ item.key }}"
+ state: absent
+ when: not (item.value.created | default)
+ with_dict: "{{ _user_mgmt }}"
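Review bot: `subelements('value.ssh_key.present')` in `Add ssh-key to user` (and the `absent` variant in `Remove ssh-key to user`) raises an error for any user entry without an `ssh_key` mapping — for example a user declared only in a host's `user_mgmt` with no matching `user_mgmt_default` entry — because the loop is evaluated before the `when` guard and the lookup has no fallback; `subelements('value.ssh_key.present', skip_missing=True)` keeps the play running. In `Add User`, `groups: "{{ item.value.groups | default([]) }}"` without `append: true` makes the supplementary group list authoritative, so an existing account whose inventory entry has no `groups` is left with none; if that is intended, say so with `# groups is authoritative: memberships not listed here are removed`, otherwise add `append: true`. `when: item.value.created | default` relies on the argument-less `default` yielding a falsy empty string; `default(false)` states the intent, and the same applies to the two `_user_mgmt[item.0.key].created | default` guards and the `Remove user` condition. The task name `Remove ssh-key to user` reads better as `Remove ssh-key from user`.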