4.5 KiB
Provision management user
This repository is only a mirror. Development and testing is done on a private gitlab server.
This role configures the management user on debian-based distributions.
Requirements
None.
Role Variables
Available variables are listed below, along with default values. A sample file for the default values is available in default/provision_management_user.yml.sample in case you need it for any group_vars or host_vars configuration.
provision_management_user_name: ansible # by default, set to ansible
This variable sets the name to configure for the service account.
provision_management_user_group: ansible # by default, set to ansible
This variable sets the primary group to configure for the service account.
provision_management_user_password: "*" # by default, set to *
This variable sets the password of the account, by default, it is set to "*", which means password authentication is disabled.
provision_management_user_is_system: true # by default, set to true
This variable describe whether the account should be a system user or not. Default (and recommended) is true.
provision_management_user_home: /opt/{{ provision_management_user_name }} # by default, set to /opt/{{ provision_management_user_name }}
This variable sets the home for the service account. By default the home of the account is set in /opt/.
provision_management_user_shell: /bin/bash # by default, set to /bin/bash
This variable sets the shell to be used by the account. Defaults to bash.
provision_management_user_sudoer: false # by default, set to false
This variable defines if the user should be root. For security reasons, this defaults to false, but should probably be true in a real world scenario.
provision_management_user_add_ssh_key: false # by default, set to false
This variable defines if ssh_keys should be added to the authroized_keys file for the user. Defaults to false because there is no "default" ssh_key. This should be set to true and a key passed to the role.
provision_management_user_ssh_key: # by default, not set
This variable contains the ssh public key to use by ansible to log in the service account. Defaults to None, but should be set by the operator, and preferably obfuscated (see examples).
provision_management_user_ssh_key_options: "" # by default, set to ""
This variable sets the potential ssh options to add in the authorized_keys file. Default to no options.
provision_management_user_ssh_key_exclusive: true # by default, set to true
This variable defines if the ssh public key passed above should be the only key to log into this account. For security reasons, it is recommended that this gets set to true.
Dependencies
None.
Example Playbook
# calling the role inside a playbook with either the default or group_vars/host_vars
- hosts: servers
roles:
- ednxzu.provision_management_user
# calling the role inside a playbook with just-in-time provisioning of the ssh public key, and vault storage
- hosts: servers
tasks:
- name: "Dynamic ssh keys generation"
delegate_to: localhost
block:
- name: "Generate a keypair for {{ ansible_hostname }}"
community.crypto.openssh_keypair:
path: "/tmp/id_ed25519_{{ ansible_hostname }}"
type: ed25519
owner: root
group: root
delegate_to: localhost
register: _keypair
- name: "Write the private and public key to vault"
community.hashi_vault.vault_write:
url: https://vault.domain.tld
path: "ansible/hosts/{{ inventory_hostname }}"
data:
private_key: "{{ lookup('ansible.builtin.file', '/tmp/id_ed25519_' ~ ansible_hostname ) }}\n"
public_key: "{{ _keypair.public_key }}"
delegate_to: localhost
- name: "Remove private_key files"
ansible.builtin.file:
path: "/tmp/id_ed25519_{{ ansible_hostname }}"
state: absent
delegate_to: localhost
- name: "Provision ansible user"
ansible.builtin.include_role:
name: ednxzu.provision_management_user
vars:
provision_management_user_add_ssh_key: true
provision_management_user_ssh_key: "{{ _keypair.public_key }}"
License
MIT / BSD
Author Information
This role was created by Bertrand Lanson in 2023.