From 5ff9ca46878a306313d67f4436ac4142555a6be6 Mon Sep 17 00:00:00 2001
From: Alex Tavarez
Date: Sat, 30 May 2026 06:35:39 -0400
Subject: [PATCH] removed user primary group to enable default action, implemented solution for data restructure to avoid nested looping necessity, re-ordered last SSH access tasks
---
 roles/init-server/tasks/ssh-users.yml | 54 ++++++++++++++-------------
 1 file changed, 29 insertions(+), 25 deletions(-)
diff --git a/roles/init-server/tasks/ssh-users.yml b/roles/init-server/tasks/ssh-users.yml
index f2720b7..8fcb780 100644
--- a/roles/init-server/tasks/ssh-users.yml
+++ b/roles/init-server/tasks/ssh-users.yml
@@ -21,7 +21,7 @@
 ansible.builtin.user:
 name: "{{ item.username }}"
 comment: administrator
- group: "{{ item.username }}"
+ # group: "{{ item.username }}"
 groups:
 - "{{ remote_group.name | default('remote') }}"
 - sudo # @NOTE used by Debian
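Review bot: The `group:` line is commented out rather than deleted, leaving dead YAML for a setting the commit message says is intentionally gone; remove the line, or replace it with a comment that records the intent, e.g. `# no primary group set: let useradd apply the distribution default (a per-user group on Debian)`. While here, `groups:` without `append: true` makes the user module replace an existing account's supplementary groups with exactly the `remote` and `sudo` entries on every run (pre-existing behaviour, not changed by this commit), which is worth confirming for administrators created outside this role. The enclosing task (its `name:` and `loop:`) starts before this hunk.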
@@ -39,39 +39,28 @@
 delegate_to: localhost
 when: item.username in (admin_users.results | map(attribute="name") | list)
 ansible.builtin.find:
- paths: "{{ cnode_homedir | default('/home/' ~ ansible_user ~ '/.ssh') }}" # @TODO define 'cnode_homedir' in playbook
- patterns: "{{ ['^'] | product(item.keys) | map('join') | list }}"
+ paths: "{{ local_facts['user_dir'] }}/.ssh" # @TODO define 'cnode_homedir' in playbook
+ patterns: "{{ ['^'] | product(item.ssh_keys) | map('join') | list }}"
 file_type: file
 use_regex: true
 loop: "{{ admins }}"
 register: admin_ssh_keypairs
+ - name: Creating list wherein each SSH public key is associated with a user
+ ansible.builtin.set_fact:
+ pubkey_users: "{{ [admin_users.results[idx].name] | product(admin_ssh_keypairs.results[idx].files | selectattr('path', 'search', '\\.pub$') | map(attribute='path')) }}"
+ loop: "{{ admins }}"
+ loop_control:
+ index_var: idx
 - name: Authorizing SSH public key for an administrative user
 become: true
 ansible.posix.authorized_key:
- user: "{{ admin_users.results[idx] }}"
- key: "{{ admin_ssh_keypairs.results[idx].files | selectattr('path', 'search', '\\.pub$') | map(attribute='path') | map('lookup', 'file') | list | map('join','\n') }}"
+ user: "{{ item[0] }}"
+ key: "{{ lookup('file', item[1]) }}"
 state: present
- loop: "{{ admin_users.results }}"
- loop_control:
- index_var: idx
+ loop: "{{ pubkey_users }}"
 register: ssh_authorizations
 tags:
 - lan
- - name: Allowing sole SSH access to users in group remote
- when: ansible_facts["system"] == "Linux"
- become: true
- ansible.builtin.template:
- src: sshd_config.d/allowance.conf.j2 # @TODO create corresponding role template file
- dest: /etc/ssh/sshd_config.d/allowance.conf
- owner: root
- group: root
- mode: "644"
- force: true
- backup: true
- validate: "sshd -t %s"
- register: ssh_gatekept
- tags:
- - lan
 - name: Setting approved SSH authentication procedures
 when: harden and ansible_facts["system"] == "Linux"
 become: true
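Review bot: `pubkey_users` is reassigned on every iteration of the new `set_fact` loop, so after the loop it holds only the last admin's (user, key path) pairs and the `Authorizing SSH public key` task silently never installs the earlier administrators' keys. Accumulate across iterations instead: `pubkey_users: "{{ (pubkey_users | default([])) + ([admin_users.results[idx].name] | product(admin_ssh_keypairs.results[idx].files | selectattr('path', 'search', '\\.pub$') | map(attribute='path')) | list) }}"` — the trailing `| list` also matches the `patterns:` expression above and avoids storing a bare iterator as a fact. The find task's `when:` can skip an admin, and a skipped loop result presumably carries no `files` attribute, so indexing `.files` for that admin would fail; `(admin_ssh_keypairs.results[idx].files | default([]))` would keep the lookup safe. The `# @TODO define 'cnode_homedir' in playbook` comment kept on the new `paths:` line is stale now that the path comes from `local_facts['user_dir']`, which is not defined anywhere visible in this hunk.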
@@ -83,8 +72,23 @@
 mode: "644"
 force: true
 backup: true
- validate: "sshd -t %s"
+ validate: "sshd -t -f %s"
 register: ssh_authenticator
 tags:
 - lan
- - ssh_secure_auth
\ No newline at end of file
+ - ssh_secure_auth
+- name: Allowing sole SSH access to users in group remote
+ when: ansible_facts["system"] == "Linux"
+ become: true
+ ansible.builtin.template:
+ src: sshd_config.d/allowance.conf.j2 # @TODO create corresponding role template file
+ dest: /etc/ssh/sshd_config.d/allowance.conf
+ owner: root
+ group: root
+ mode: "644"
+ force: true
+ backup: true
+ validate: "sshd -t -f %s"
+ register: ssh_gatekept
+ tags:
+ - lan
\ No newline at end of file
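Review bot: The re-added `Allowing sole SSH access` task writes the drop-in that limits logins to the `remote` group but nothing reloads sshd afterwards — the task only registers `ssh_gatekept`, carries no `notify:`, and the file ends right after it — so the restriction stays unenforced until sshd is next restarted unless a later tasks file acts on that variable; `notify: Reload sshd` (with a matching handler) on both template tasks is the usual fix. The new task also appears to start at column 0 (`+- name:`) whereas the task it replaces in the earlier hunk was indented (`- - name:`); if the rest of the task list is indented, a column-0 item is not part of that sequence and the file will not parse, so check the rendered file. `validate: "sshd -t -f %s"` checks the fragment on its own and cannot catch conflicts with `/etc/ssh/sshd_config` or other drop-ins, where sshd keeps the first value it reads for a directive, so the `Include` order still decides whether the directive in this template (presumably `AllowGroups`) takes effect. The `validate` change earlier in the hunk sits in a task that starts before the hunk, and the `\ No newline at end of file` marker persists on the new side.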