Ansible/user-provision/tasks/main.yml


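# user-provision role: create the Ansible provisioning account and the
# maintainer account, install their SSH keys, then harden sshd (lock root's
# password, deny the "creator" account, turn off password authentication,
# move the listen port). Every task in the block runs with privilege
# escalation (become: true at the bottom).
- block:
    # Vault-encrypted file providing vault_atmen_password,
    # vault_maintainer_user and vault_maintainer_password.
    - ansible.builtin.include_vars: "{{ playbook_dir ~ '/vault/user_provisioning' }}"

    # Atmen : slave, servant
    - name: Add provisioning user "atmen" for ansible
      ansible.builtin.user:
        name: atmen
        comment: Ansible provisioner
        groups: sudo
        append: true
        shell: /bin/bash
        # password_hash() with no fixed salt produces a different hash on every
        # run, so this task reports "changed" each play; pass a salt or set
        # update_password: on_create if idempotent runs matter.
        password: "{{ vault_atmen_password | password_hash('sha512') }}"

    - name: Set authorized key for atmen
      ansible.posix.authorized_key:
        user: atmen
        state: present
        # Public key read from the control host, not the target.
        key: "{{ lookup('file', atmen_ssh_key_host_path) }}"

    - name: Add maintainer user
      ansible.builtin.user:
        name: "{{ vault_maintainer_user }}"
        comment: Maintainer user
        groups: sudo
        append: true
        shell: /bin/bash
        # Same unsalted-hash caveat as for atmen above.
        password: "{{ vault_maintainer_password | password_hash('sha512') }}"

    - name: Set authorized key for maintainer user
      ansible.posix.authorized_key:
        user: "{{ vault_maintainer_user }}"
        state: present
        key: "{{ lookup('file', maintainer_ssh_key_host_path) }}"

    # '*' locks root's password. This only affects password logins: the role
    # never sets PermitRootLogin, so key-based root SSH stays possible if a
    # root authorized_key exists.
    - name: Disable root login
      ansible.builtin.user:
        name: root
        password: '*'

    # sshd only re-reads its config on restart, so this edit must notify the
    # handler like the other sshd_config tasks; validate rejects a config that
    # sshd itself cannot parse before it is written.
    - name: Disable SSH login for creator
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        line: DenyUsers creator
        state: present
        validate: /usr/sbin/sshd -t -f %s
      notify: restart sshd

    # Matches both the commented default and an existing directive so the
    # line is replaced in place rather than appended.
    # NOTE(review): distributions that ship /etc/ssh/sshd_config.d/ may
    # override this via an Include drop-in — confirm on the target.
    - name: Disable password login
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^(#\s*)?PasswordAuthentication '
        line: "PasswordAuthentication no"
        validate: /usr/sbin/sshd -t -f %s
      notify: restart sshd

    # Same regexp shape as the PasswordAuthentication task so the stock
    # "#Port 22" line is rewritten instead of a second Port line being added.
    - name: Change SSH port
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^(#\s*)?Port '
        line: "Port {{ sshd_port }}"
        validate: /usr/sbin/sshd -t -f %s
      notify: restart sshd
      # Forces a "changed" result, and therefore an sshd restart, on every run.
      # NOTE(review): looks deliberate (guarantees the port change is applied);
      # drop it if idempotent reporting is preferred.
      changed_when: true
  become: true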