removed user primary group to enable default action, implemented solution for data restructure to avoid nested looping necessity, re-ordered last SSH access tasks

2026-05-30 06:35:39 -04:00
parent d364f82c9f
commit 5ff9ca4687
1 changed files with 29 additions and 25 deletions
--- a/roles/init-server/tasks/ssh-users.yml
+++ b/roles/init-server/tasks/ssh-users.yml
@@ -21,7 +21,7 @@
      ansible.builtin.user:
        name: "{{ item.username }}"
        comment: administrator
-        group: "{{ item.username }}"
+        # group: "{{ item.username }}"
        groups:
          - "{{ remote_group.name | default('remote') }}"
          - sudo # @NOTE used by Debian
@@ -39,39 +39,28 @@
      delegate_to: localhost
      when: item.username in (admin_users.results | map(attribute="name") | list)
      ansible.builtin.find:
-        paths: "{{ cnode_homedir | default('/home/' ~ ansible_user ~ '/.ssh') }}" # @TODO define 'cnode_homedir' in playbook
-        patterns: "{{ ['^'] | product(item.keys) | map('join') | list }}"
+        paths: "{{ local_facts['user_dir'] }}/.ssh" # @TODO define 'cnode_homedir' in playbook
+        patterns: "{{ ['^'] | product(item.ssh_keys) | map('join') | list }}"
        file_type: file
        use_regex: true
      loop: "{{ admins }}"
      register: admin_ssh_keypairs
+    - name: Creating list wherein each SSH public key is associated with a user
+      ansible.builtin.set_fact:
+        pubkey_users: "{{ [admin_users.results[idx].name] | product(admin_ssh_keypairs.results[idx].files | selectattr('path', 'search', '\\.pub$') | map(attribute='path')) }}"
+      loop: "{{ admins }}"
+      loop_control:
+        index_var: idx
    - name: Authorizing SSH public key for an administrative user
      become: true
      ansible.posix.authorized_key:
-        user: "{{ admin_users.results[idx] }}"
-        key: "{{ admin_ssh_keypairs.results[idx].files | selectattr('path', 'search', '\\.pub$') | map(attribute='path') | map('lookup', 'file') | list | map('join','\n') }}"
+        user: "{{ item[0] }}"
+        key: "{{ lookup('file', item[1]) }}"
        state: present
-      loop: "{{ admin_users.results }}"
-      loop_control:
-        index_var: idx
+      loop: "{{ pubkey_users }}"
      register: ssh_authorizations
      tags:
        - lan
-    - name: Allowing sole SSH access to users in group remote
-      when: ansible_facts["system"] == "Linux"
-      become: true
-      ansible.builtin.template:
-        src: sshd_config.d/allowance.conf.j2 # @TODO create corresponding role template file
-        dest: /etc/ssh/sshd_config.d/allowance.conf
-        owner: root
-        group: root
-        mode: "644"
-        force: true
-        backup: true
-        validate: "sshd -t %s"
-      register: ssh_gatekept
-      tags:
-        - lan
 - name: Setting approved SSH authentication procedures
  when: harden and ansible_facts["system"] == "Linux"
  become: true
@@ -83,8 +72,23 @@
    mode: "644"
    force: true
    backup: true
-    validate: "sshd -t %s"
+    validate: "sshd -t -f %s"
  register: ssh_authenticator
  tags:
    - lan
-    - ssh_secure_auth
+    - ssh_secure_auth
+- name: Allowing sole SSH access to users in group remote
+  when: ansible_facts["system"] == "Linux"
+  become: true
+  ansible.builtin.template:
+    src: sshd_config.d/allowance.conf.j2 # @TODO create corresponding role template file
+    dest: /etc/ssh/sshd_config.d/allowance.conf
+    owner: root
+    group: root
+    mode: "644"
+    force: true
+    backup: true
+    validate: "sshd -t -f %s"
+  register: ssh_gatekept
+  tags:
+    - lan