authorGravatar Johannes Christ <[email protected]>2024-04-10 21:34:40 +0200
committerGravatar jchristgit <[email protected]>2024-04-13 08:53:01 +0200
commit546fa6555d0cba300486f035ae8ca7fecc30d345 (patch)
tree5d5debc27b264a6dbed6edd9e9c24ce65ae57704 /ansible
parentCopy root bashrc from skel (diff)
Add a users role
The new `pydis-users` role allows us to manage user accounts and move away from the root user setup script, eventually locking down SSH access to the root user. Joe, Chris and I have been added as users.
Diffstat (limited to 'ansible')
-rw-r--r--ansible/.gitattributes1
-rw-r--r--ansible/playbook.yml1
-rw-r--r--ansible/roles/pydis-users/defaults/main.yml2
-rw-r--r--ansible/roles/pydis-users/tasks/main.yml27
-rw-r--r--ansible/roles/pydis-users/vars/main.ymlbin0 -> 1011 bytes
5 files changed, 31 insertions, 0 deletions
diff --git a/ansible/.gitattributes b/ansible/.gitattributes
new file mode 100644
index 0000000..923ae1a
--- /dev/null
+++ b/ansible/.gitattributes
@@ -0,0 +1 @@
+roles/pydis-users/vars/main.yml filter=git-crypt diff=git-crypt
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
index 2ada9c6..7881bf4 100644
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -2,6 +2,7 @@
hosts: all
roles:
- common
+ - pydis-users
- ufw
- prometheus-node-exporter
- wireguard
diff --git a/ansible/roles/pydis-users/defaults/main.yml b/ansible/roles/pydis-users/defaults/main.yml
new file mode 100644
index 0000000..4170b63
--- /dev/null
+++ b/ansible/roles/pydis-users/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+pydis_users__users: []
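Review bot: `pydis_users__users: []` defaults to a list, but both tasks in tasks/main.yml pass the variable through `dict2items`, which rejects anything that is not a mapping, so running the role with no users configured fails instead of being a no-op. The per-user fields the tasks read (`groups`, `hashed_password`, `ssh_key`, `ssh_key_options`) also imply a mapping keyed by username. Change the default to `pydis_users__users: {}`. Since the real values live in the git-crypt-encrypted vars/main.yml, a comment documenting the expected shape, e.g. `# username -> {groups, hashed_password, ssh_key, ssh_key_options}`, would help anyone without the decryption key.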
diff --git a/ansible/roles/pydis-users/tasks/main.yml b/ansible/roles/pydis-users/tasks/main.yml
new file mode 100644
index 0000000..8378af8
--- /dev/null
+++ b/ansible/roles/pydis-users/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+- name: Create users
+ ansible.builtin.user:
+ name: "{{ item.key }}"
+ groups: "{{ item.value.groups | default(omit) }}"
+ password: "{{ item.value.hashed_password | default(omit) }}"
+ shell: /bin/bash
+ state: present
+ loop_control:
+ label: "{{ item.key }}"
+ loop: "{{ pydis_users__users | dict2items }}"
+ tags:
+ - role::pydis-users
+
+- name: Manage authorized keys
+ ansible.posix.authorized_key:
+ comment: Ansible managed
+ exclusive: true
+ key: "{{ item.value.ssh_key }}"
+ key_options: "{{ item.value.ssh_key_options | default(omit) }}"
+ user: "{{ item.key }}"
+ state: present
+ loop_control:
+ label: "{{ item.key }}"
+ loop: "{{ pydis_users__users | dict2items }}"
+ tags:
+ - role::pydis-users
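Review bot: Both tasks hard-code `state: present`, so a user removed from `pydis_users__users` keeps the account and the authorized key; given the stated goal of moving SSH access off root, offboarding should be expressible in the same data. Reading the state from the entry in both tasks, `state: "{{ item.value.state | default('present') }}"`, lets an entry be flipped to `absent` instead of deleted, with the caveat that for `absent` entries the key task must run before the account is removed (or be skipped), since `ansible.posix.authorized_key` needs an existing user. Separately, `key: "{{ item.value.ssh_key }}"` has no default, so an entry without `ssh_key` fails the second task with an undefined variable after the first task has already created the account; if a key is mandatory, a comment such as `# ssh_key is required: exclusive: true replaces the user's whole authorized_keys file with this content` would make that contract and the full-management semantics explicit.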
diff --git a/ansible/roles/pydis-users/vars/main.yml b/ansible/roles/pydis-users/vars/main.yml
new file mode 100644
index 0000000..ef918e6
--- /dev/null
+++ b/ansible/roles/pydis-users/vars/main.yml
Binary files differ