modularized component for creating administrative users with SSH access

2026-05-27 13:09:19 -04:00
parent f01f1b5431
commit 6eaeeb0322
1 changed files with 90 additions and 0 deletions
--- a/roles/init-server/tasks/ssh-users.yml
+++ b/roles/init-server/tasks/ssh-users.yml
@@ -0,0 +1,90 @@
+#SPDX-License-Identifier: MIT-0
+---
+# tasks file for roles/init-vps
+# - name: Checking whether administrative or root login used
+#   when: ansible_facts["user_id"] not in (admins | map(attribute="username") | list) or ansible_facts["user_id"] != "root"
+#   ansible.builtin.fail:
+#     msg: Must use administrative or root user for subsequent tasks
+- name: Starting user and group creation for SSH access
+  block:
+    - name: Creating group remote for managing SSH access
+      become: true
+      ansible.builtin.group:
+        name: remote
+        system: true
+        state: present
+      register: remote_group
+      tags:
+        - lan
+    - name: Creating an administrative user
+      become: true
+      ansible.builtin.user:
+        name: "{{ item.username }}"
+        comment: administrator
+        group: "{{ item.username }}"
+        groups:
+          - "{{ remote_group.name }}"
+          - sudo # @NOTE used by Debian
+        append: true
+        generate_ssh_key: true
+        create_home: true
+        password: "{{ item.password }}"
+        shell: "/bin/bash"
+      loop: "{{ admins }}"
+      register: admin_users
+      tags:
+        - lan
+    - name: Finding SSH public keys for an administrative user
+      delegate_facts: true
+      delegate_to: localhost
+      when: item.username in (admin_users.results | map(attribute="name") | list)
+      ansible.builtin.find:
+        paths: "{{ cnode_homedir | default('/home/' ~ ansible_user ~ '/.ssh') }}" # @TODO define 'cnode_homedir' in playbook
+        patterns: "{{ ['^'] | product(item.keys) | map('join') | list }}"
+        file_type: file
+        use_regex: true
+      loop: "{{ admins }}"
+      register: admin_ssh_keypairs
+    - name: Authorizing SSH public key for an administrative user
+      become: true
+      ansible.posix.authorized_key:
+        user: "{{ admin_users.results[idx] }}"
+        key: "{{ admin_ssh_keypairs.results[idx].files | selectattr('path', 'search', '\\.pub$') | map(attribute='path') | map('lookup', 'file') | list | map('join','\n') }}"
+        state: present
+      loop: "{{ admin_users.results }}"
+      loop_control:
+        index_var: idx
+      register: ssh_authorizations
+      tags:
+        - lan
+    - name: Allowing sole SSH access to users in group remote
+      when: ansible_facts["system"] == "Linux"
+      become: true
+      ansible.builtin.template:
+        src: sshd_config.d/allowance.conf.j2 # @TODO create corresponding role template file
+        dest: /etc/ssh/sshd_config.d/allowance.conf
+        owner: root
+        group: root
+        mode: "644"
+        force: true
+        backup: true
+        validate: "sshd -t %s"
+      register: ssh_gatekept
+      tags:
+        - lan
+- name: Setting approved SSH authentication procedures
+  when: harden and ansible_facts["system"] == "Linux"
+  become: true
+  ansible.builtin.copy:
+    src: sshd_config.d/auth.conf
+    dest: /etc/ssh/sshd_config.d/auth.conf
+    owner: root
+    group: root
+    mode: "644"
+    force: true
+    backup: true
+    validate: "sshd -t %s"
+  register: ssh_authenticator
+  tags:
+    - lan
+    - ssh_secure_auth