From 5899fca2047974dc36377819fce75c628e68557f Mon Sep 17 00:00:00 2001
From: vincent
Date: Sun, 15 Jan 2023 11:28:17 +0100
Subject: [PATCH] feat: move user creation in dedicated role

---
 tasks/ssh.yml | 46 ------------------------------------
 tasks/usergroup.yml | 9 -------
 templates/ssh/config.j2 | 52 ----------------------------------------
 3 files changed, 107 deletions(-)
 delete mode 100644 templates/ssh/config.j2
diff --git a/tasks/ssh.yml b/tasks/ssh.yml
index a62a920..7f03484 100644
--- a/tasks/ssh.yml
+++ b/tasks/ssh.yml
@@ -3,46 +3,7 @@
 ansible.builtin.package:
 name: '{{ system_ssh_package }}'
 state: present
-- name: Ensure .ssh exist for user
- become: true
- ansible.builtin.file:
- state: directory
- path: '/home/{{ item }}/.ssh'
- owner: '{{ item }}'
- mode: 0700
- with_items:
- - ansible
-- name: Copy ssh config for user
- become: true
- ansible.builtin.template:
- dest: '/home/{{ item }}/.ssh/config'
- src: 'ssh/config.j2'
- force: true
- remote_src: false
- mode: '600'
- selevel: s0
- owner: '{{ item }}'
- with_items:
- - ansible
-- name: Ensure root ssh directory exist
- become: true
- ansible.builtin.file:
- state: directory
- path: '/root/.ssh'
- owner: 'root'
- mode: 0700
-
-- name: Copy ssh config for root
- become: true
- ansible.builtin.copy:
- dest: /root/.ssh/
- src: 'ssh/config'
- force: true
- remote_src: false
- mode: '600'
- selevel: s0
- owner: 'root'
 - name: Ensure key directory exist
 become: true
@@ -62,13 +23,6 @@
 owner: '{{ item.user }}'
 with_items: '{{ privatekeytodeploy }}'
-- name: Deploy SSH-Keys to remote host
- ansible.posix.authorized_key:
- user: '{{ item.user }}'
- key: '{{ item.sshkey }}'
- exclusive: false
- with_items: '{{ keystodeploy }}'
- become: true
 - name: Les connexions par mot de passe sont désactivées
 become: true
diff --git a/tasks/usergroup.yml b/tasks/usergroup.yml
index 3e16361..1505d64 100644
--- a/tasks/usergroup.yml
+++ b/tasks/usergroup.yml
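Review bot: Once the second hunk removes the `Deploy SSH-Keys to remote host` task, nothing left in tasks/ssh.yml installs an authorized key before the `Les connexions par mot de passe sont désactivées` task that follows it in the same hunk turns password logins off, so a host on which the new user role has not yet run can be left with no working login path. Unless the role that now owns user and key creation is declared under `dependencies:` in this role's meta/main.yml or is ordered before it in every playbook, that safe ordering is no longer enforced by this file, and I would state it in a comment above the remaining key tasks, e.g. `# Authorized keys and per-user ssh config are managed by the dedicated user role, which must run before password logins are disabled below`. The first hunk likewise drops the `.ssh` directory and client-config tasks for `ansible` and root, so if `keystodeploy` and `system_ssh_custom_host` are still declared in this role's defaults they are now unused here and worth removing or documenting as consumed elsewhere. Both hunks end on context lines of tasks whose bodies continue outside the hunk.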
@@ -1,13 +1,4 @@
 ---
-- name: Create system user
- become: true
- ansible.builtin.user:
- name: '{{ item.name }}'
- system: true
- home: "{{ item.home | default('/') }}"
- shell: "{{ item.shell | default('/usr/bin/nologin') }}"
- with_items: '{{ system_user }}'
-
 - name: Create system group
 ansible.builtin.group:
 name: '{{ item.name }}'
diff --git a/templates/ssh/config.j2 b/templates/ssh/config.j2
deleted file mode 100644
index 2a36916..0000000
--- a/templates/ssh/config.j2
+++ /dev/null
@@ -1,52 +0,0 @@
-# $OpenBSD: ssh_config,v 1.34 2019/02/04 02:39:42 dtucker Exp $
-
-# This is the ssh client system-wide configuration file. See
-# ssh_config(5) for more information. This file provides defaults for
-# users, and the values can be changed in per-user configuration files
-# or on the command line.
-
-# Configuration data is parsed as follows:
-# 1. command line options
-# 2. user-specific file
-# 3. system-wide file
-# Any configuration value is only changed the first time it is set.
-# Thus, host-specific definitions should be at the beginning of the
-# configuration file, and defaults at the end.
-
-# Site-wide defaults for some commonly used options. For a comprehensive
-# list of available options, their meanings and defaults, please see the
-# ssh_config(5) man page.
-
- Host *
- AddKeysToAgent yes
- ForwardAgent yes
-# ForwardX11 no
-# PasswordAuthentication yes
-# HostbasedAuthentication no
-# GSSAPIAuthentication no
-# GSSAPIDelegateCredentials no
-# BatchMode no
-# CheckHostIP yes
-# AddressFamily any
-# ConnectTimeout 0
-# StrictHostKeyChecking ask
-# IdentityFile ~/.ssh/id_rsa
-# IdentityFile ~/.ssh/id_dsa
-# IdentityFile ~/.ssh/id_ecdsa
-# IdentityFile ~/.ssh/id_ed25519
-# Port 22
-# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
-# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
-# EscapeChar ~
-# Tunnel no
-# TunnelDevice any:any
-# PermitLocalCommand no
-# VisualHostKey no
-# ProxyCommand ssh -q -W %h:%p gateway.example.com
-# RekeyLimit 1G 1h
-{% for host in system_ssh_custom_host %}
-Host {{ host.host }}
- Hostname {{ host.host }}
- User {{ host.user }}
- IdentityFile {{ host.keyfile }}
-{% endfor %}