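# command: ansible-playbook -i config/<target manifest>.ini common/create-ansible-user.yml --ask-become-pass
# Note: this playbook requires an interactive mode or passed secret for privilege escalation
---
- name: Create ansible user and configure passwordless sudo
  hosts: all
  become: true
  become_method: sudo
  vars:
    # Account used for the initial SSH connection, before the 'ansible' user exists.
    ansible_user: khwezi
  tasks:
    - name: Ensure 'ansible' user exists
      ansible.builtin.user:
        name: ansible
        groups: sudo
        append: true  # keep any supplementary groups the account already has
        shell: /bin/bash
        state: present

    # ansible.builtin.copy is idempotent (unchanged content reports "ok"), so no separate
    # grep pre-check is needed. 'validate' runs visudo against the staged file before it is
    # moved into sudoers.d; a syntactically broken drop-in would otherwise disable sudo for
    # every account on the host, including the one used to recover it.
    - name: Allow 'ansible' user passwordless sudo
      ansible.builtin.copy:
        dest: /etc/sudoers.d/ansible
        content: "ansible ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: '0440'
        validate: /usr/sbin/visudo -cf %s

    - name: Ensure /home/ansible/.ssh directory exists
      ansible.builtin.file:
        path: /home/ansible/.ssh
        state: directory
        owner: ansible
        group: ansible
        mode: '0700'

    # NOTE(review): the next two tasks copy the control node's *private* key onto every managed
    # host. A compromise of any one host then exposes the key that reaches all of them. If the
    # 'ansible' account on the targets does not itself need to SSH out, drop the private-key
    # copy and keep only the public key; the authorized_keys tasks below are sufficient for
    # inbound access. Kept here because later playbooks may depend on it -- confirm.
    - name: Copy id_ed25519 private key to ansible user
      ansible.builtin.copy:
        src: ~/.ssh/id_ed25519
        dest: /home/ansible/.ssh/id_ed25519
        owner: ansible
        group: ansible
        mode: '0600'

    - name: Copy id_ed25519 public key to ansible user
      ansible.builtin.copy:
        src: ~/.ssh/id_ed25519.pub
        dest: /home/ansible/.ssh/id_ed25519.pub
        owner: ansible
        group: ansible
        mode: '0644'

    - name: Ensure authorized_keys exists
      ansible.builtin.file:
        path: /home/ansible/.ssh/authorized_keys
        state: touch
        owner: ansible
        group: ansible
        mode: '0600'

    # The public key is read back from the target (slurp returns it base64-encoded) and
    # appended to authorized_keys only if that exact line is not already present.
    - name: Read public key content
      ansible.builtin.slurp:
        src: /home/ansible/.ssh/id_ed25519.pub
      register: pubkey_content

    - name: Ensure public key is present in authorized_keys
      ansible.builtin.lineinfile:
        path: /home/ansible/.ssh/authorized_keys
        line: "{{ pubkey_content['content'] | b64decode | trim }}"
        owner: ansible
        group: ansible
        mode: '0600'
        create: true
        state: present

    # NOTE(review): this hands ownership of a root-owned system config to the 'ansible' user.
    # That user already has NOPASSWD sudo from the task above, so a later playbook could edit
    # the file under 'become' instead and leave it root-owned -- confirm whether an
    # unprivileged writer is really required. Task-level 'become' is implied by the play.
    - name: Allow 'ansible' user to write to /etc/systemd/resolved.conf
      ansible.builtin.file:
        path: /etc/systemd/resolved.conf
        owner: ansible
        group: ansible
        mode: '0664'
        state: file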