PHiAX/Raspberry-Pi-IaC
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Copy ansible user's authorized_keys for new users

Browse source 
This allows logging in directly via SSH to the newly added users.
I also removed the XDG_RUNTIME_DIR variable in ~/.zshrc because
this variable is already correctly loaded when loggin in directly via
SSH.
This commit is contained in:
Thomas Kleinendorst 2024-04-17 16:00:58 +02:00
parent 5d32ed57b4
commit 16c78c0d00
2 changed files with 29 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

1
playbook.yml
View file

@ -20,7 +20,6 @@
- role: pi-hole - role: pi-hole
vars: vars:
# devsec.hardening.ssh_hardening vars: # devsec.hardening.ssh_hardening vars:
ssh_allow_users: 'thomas'
ssh_client_port: 22 # Default, but duplicated here for documentation purpose. Not changed because its only accessible via LAN. ssh_client_port: 22 # Default, but duplicated here for documentation purpose. Not changed because its only accessible via LAN.
ssh_client_password_login: false # Default, but duplicated here for documentation purpose. ssh_client_password_login: false # Default, but duplicated here for documentation purpose.
tasks: tasks:

28
roles/user/tasks/main.yml
View file

@ -1,7 +1,10 @@
--- ---
# The ZSH installation instructions are sourced from this blog: # The ZSH installation instructions are sourced from this blog:
# https://harshithashok.com/tools/oh-my-zsh-with-starship/ # https://harshithashok.com/tools/oh-my-zsh-with-starship/
- name: Create a new user - name: Create the user
when: user_username is not undefined # Skip when no user is provided, we'll asume we're targetting the Ansible user.
block:
- name: Create a new user
become: true become: true
ansible.builtin.user: ansible.builtin.user:
append: true append: true
@ -10,7 +13,24 @@
name: "{{ user_username }}" name: "{{ user_username }}"
# Salt is necessary, see: https://stackoverflow.com/questions/56869949/ansible-user-module-always-shows-changed # Salt is necessary, see: https://stackoverflow.com/questions/56869949/ansible-user-module-always-shows-changed
password: "{{ user_password | password_hash('sha512', password_salt) }}" password: "{{ user_password | password_hash('sha512', password_salt) }}"
when: user_username is not undefined # Skip when no user is provided, we'll asume we're targetting the Ansible user. - name: Ensure .ssh directory exists in user home
become: true
become_user: "{{ user_username }}"
ansible.builtin.file:
path: "/home/{{ user_username }}/.ssh"
state: directory
mode: "0700"
# We're assuming that the ansible user has its authorized keys setup before running the playbook and that all created users using this
# rule want the same machines to be able to access them.
- name: Copy over authorized keys from the main ansible user
become: true
ansible.builtin.copy:
remote_src: true
src: "/home/{{ ansible_facts['user_id'] }}/.ssh/authorized_keys"
dest: "/home/{{ user_username }}/.ssh/"
owner: "{{ user_username }}"
group: "{{ user_username }}"
mode: "0600"
- name: Set fact for defining the user which should run the next modules - name: Set fact for defining the user which should run the next modules
ansible.builtin.set_fact: ansible.builtin.set_fact:
target_user: "{{ ansible_facts['user_id'] if user_username is undefined else user_username }}" target_user: "{{ ansible_facts['user_id'] if user_username is undefined else user_username }}"
@ -88,10 +108,6 @@
# Add Snapcraft to $PATH # Add Snapcraft to $PATH
export PATH=$PATH:/snap/bin export PATH=$PATH:/snap/bin
# Set XDG_RUNTIME_DIR variable necessary for running systemctl as user
# See: https://superuser.com/questions/1561076/systemctl-user-failed-to-connect-to-bus-no-such-file-or-directory-debian-9#answers-header
export XDG_RUNTIME_DIR=/run/user/$(id -u $otherUser)
# Starship # Starship
eval "$(starship init zsh)" eval "$(starship init zsh)"
- name: Change the default shell of the current user - name: Change the default shell of the current user