admin/skato-ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 3 Releases Wiki Activity

removed user primary group to enable default action, implemented solution for data restructure to avoid nested looping necessity, re-ordered last SSH access tasks

Browse Source
This commit is contained in:
xenobyte
2026-05-30 06:35:39 -04:00
parent d364f82c9f
commit 5ff9ca4687
1 changed files with 29 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
roles/init-server/tasks/ssh-users.yml
View File

@@ -21,7 +21,7 @@
ansible.builtin.user: ansible.builtin.user:
name: "{{ item.username }}" name: "{{ item.username }}"
comment: administrator comment: administrator
group: "{{ item.username }}" # group: "{{ item.username }}"
groups: groups:
- "{{ remote_group.name | default('remote') }}" - "{{ remote_group.name | default('remote') }}"
- sudo # @NOTE used by Debian - sudo # @NOTE used by Debian
@@ -39,39 +39,28 @@
delegate_to: localhost delegate_to: localhost
when: item.username in (admin_users.results | map(attribute="name") | list) when: item.username in (admin_users.results | map(attribute="name") | list)
ansible.builtin.find: ansible.builtin.find:
paths: "{{ cnode_homedir | default('/home/' ~ ansible_user ~ '/.ssh') }}" # @TODO define 'cnode_homedir' in playbook paths: "{{ local_facts['user_dir'] }}/.ssh" # @TODO define 'cnode_homedir' in playbook
patterns: "{{ ['^'] | product(item.keys) | map('join') | list }}" patterns: "{{ ['^'] | product(item.ssh_keys) | map('join') | list }}"
file_type: file file_type: file
use_regex: true use_regex: true
loop: "{{ admins }}" loop: "{{ admins }}"
register: admin_ssh_keypairs register: admin_ssh_keypairs
- name: Creating list wherein each SSH public key is associated with a user
ansible.builtin.set_fact:
pubkey_users: "{{ [admin_users.results[idx].name] | product(admin_ssh_keypairs.results[idx].files | selectattr('path', 'search', '\\.pub$') | map(attribute='path')) }}"
loop: "{{ admins }}"
loop_control:
index_var: idx
- name: Authorizing SSH public key for an administrative user - name: Authorizing SSH public key for an administrative user
become: true become: true
ansible.posix.authorized_key: ansible.posix.authorized_key:
user: "{{ admin_users.results[idx] }}" user: "{{ item[0] }}"
key: "{{ admin_ssh_keypairs.results[idx].files | selectattr('path', 'search', '\\.pub$') | map(attribute='path') | map('lookup', 'file') | list | map('join','\n') }}" key: "{{ lookup('file', item[1]) }}"
state: present state: present
loop: "{{ admin_users.results }}" loop: "{{ pubkey_users }}"
loop_control:
index_var: idx
register: ssh_authorizations register: ssh_authorizations
tags: tags:
- lan - lan
- name: Allowing sole SSH access to users in group remote
when: ansible_facts["system"] == "Linux"
become: true
ansible.builtin.template:
src: sshd_config.d/allowance.conf.j2 # @TODO create corresponding role template file
dest: /etc/ssh/sshd_config.d/allowance.conf
owner: root
group: root
mode: "644"
force: true
backup: true
validate: "sshd -t %s"
register: ssh_gatekept
tags:
- lan
- name: Setting approved SSH authentication procedures - name: Setting approved SSH authentication procedures
when: harden and ansible_facts["system"] == "Linux" when: harden and ansible_facts["system"] == "Linux"
become: true become: true
@@ -83,8 +72,23 @@
mode: "644" mode: "644"
force: true force: true
backup: true backup: true
validate: "sshd -t %s" validate: "sshd -t -f %s"
register: ssh_authenticator register: ssh_authenticator
tags: tags:
- lan - lan
- ssh_secure_auth - ssh_secure_auth
- name: Allowing sole SSH access to users in group remote
when: ansible_facts["system"] == "Linux"
become: true
ansible.builtin.template:
src: sshd_config.d/allowance.conf.j2 # @TODO create corresponding role template file
dest: /etc/ssh/sshd_config.d/allowance.conf
owner: root
group: root
mode: "644"
force: true
backup: true
validate: "sshd -t -f %s"
register: ssh_gatekept
tags:
- lan