Copy ansible user's authorized_keys for new users

This allows logging in directly via SSH to the newly added users. I also removed the XDG_RUNTIME_DIR variable in ~/.zshrc because this variable is already correctly loaded when loggin in directly via SSH.
2024-04-17 16:00:58 +02:00 · 2024-04-17 16:00:58 +02:00 · 16c78c0d00
commit 16c78c0d00
parent 5d32ed57b4
2 changed files with 29 additions and 14 deletions
--- a/playbook.yml
+++ b/playbook.yml
@ -20,7 +20,6 @@
    - role: pi-hole
  vars:
    # devsec.hardening.ssh_hardening vars:
-    ssh_allow_users: 'thomas'
    ssh_client_port: 22 # Default, but duplicated here for documentation purpose. Not changed because its only accessible via LAN.
    ssh_client_password_login: false # Default, but duplicated here for documentation purpose.
  tasks:
--- a/roles/user/tasks/main.yml
+++ b/roles/user/tasks/main.yml
@ -1,16 +1,36 @@
 ---
 # The ZSH installation instructions are sourced from this blog:
 # https://harshithashok.com/tools/oh-my-zsh-with-starship/
- name: Create a new user
-  become: true
-  ansible.builtin.user:
-    append: true
-    groups:
-      - users
-    name: "{{ user_username }}"
-    # Salt is necessary, see: https://stackoverflow.com/questions/56869949/ansible-user-module-always-shows-changed
-    password: "{{ user_password | password_hash('sha512', password_salt) }}"
+- name: Create the user
  when: user_username is not undefined # Skip when no user is provided, we'll asume we're targetting the Ansible user.
+  block:
+    - name: Create a new user
+      become: true
+      ansible.builtin.user:
+        append: true
+        groups:
+          - users
+        name: "{{ user_username }}"
+        # Salt is necessary, see: https://stackoverflow.com/questions/56869949/ansible-user-module-always-shows-changed
+        password: "{{ user_password | password_hash('sha512', password_salt) }}"
+    - name: Ensure .ssh directory exists in user home
+      become: true
+      become_user: "{{ user_username }}"
+      ansible.builtin.file:
+        path: "/home/{{ user_username }}/.ssh"
+        state: directory
+        mode: "0700"
+    # We're assuming that the ansible user has its authorized keys setup before running the playbook and that all created users using this
+    # rule want the same machines to be able to access them.
+    - name: Copy over authorized keys from the main ansible user
+      become: true
+      ansible.builtin.copy:
+        remote_src: true
+        src: "/home/{{ ansible_facts['user_id'] }}/.ssh/authorized_keys"
+        dest: "/home/{{ user_username }}/.ssh/"
+        owner: "{{ user_username }}"
+        group: "{{ user_username }}"
+        mode: "0600"
 - name: Set fact for defining the user which should run the next modules
  ansible.builtin.set_fact:
    target_user: "{{ ansible_facts['user_id'] if user_username is undefined else user_username }}"
@ -88,10 +108,6 @@
      # Add Snapcraft to $PATH
      export PATH=$PATH:/snap/bin

-      # Set XDG_RUNTIME_DIR variable necessary for running systemctl as user
-      # See: https://superuser.com/questions/1561076/systemctl-user-failed-to-connect-to-bus-no-such-file-or-directory-debian-9#answers-header
-      export XDG_RUNTIME_DIR=/run/user/$(id -u $otherUser)
-
      # Starship
      eval "$(starship init zsh)"
 - name: Change the default shell of the current user