From 4b130f505f883a839b4f7e4d869c638eb4bd4c87 Mon Sep 17 00:00:00 2001
From: Jan Forman
Date: Mon, 12 Jan 2026 14:24:29 +0100
Subject: [PATCH] add playbook
---
 ensure_tsadmin.yml | 53 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 ensure_tsadmin.yml
diff --git a/ensure_tsadmin.yml b/ensure_tsadmin.yml
new file mode 100644
index 0000000..ad37bf8
--- /dev/null
+++ b/ensure_tsadmin.yml
@@ -0,0 +1,53 @@
+- name: Ensure tsadmin user and SSH key
+  hosts: all
+  become: yes
+  vars:
+    ts_user: ts-admin
+    ts_pubkeys:
+      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+VHh9Q7Y/0dQgDqoHaQyf6EZjXqiBDg7FvQPrt5LSx Jan Forman"
+      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdDJqGN9L5zkCoQPCOmOy3Rozf4CY+w3p1nf4Ztl4VD miko@Directwire"
+
+  tasks:
+    - name: Ensure user exists
+      ansible.builtin.user:
+        name: "{{ ts_user }}"
+        state: present
+        create_home: yes
+        shell: /bin/bash
+
+    - name: Ensure .ssh directory exists
+      ansible.builtin.file:
+        path: "/home/{{ ts_user }}/.ssh"
+        state: directory
+        owner: "{{ ts_user }}"
+        group: "{{ ts_user }}"
+        mode: '0700'
+
+    - name: Install public keys for the user
+      ansible.builtin.authorized_key:
+        user: "{{ ts_user }}"
+        key: "{{ item }}"
+        state: present
+      loop: "{{ ts_pubkeys }}"
+
+    - name: Ensure authorized_keys permissions
+      ansible.builtin.file:
+        path: "/home/{{ ts_user }}/.ssh/authorized_keys"
+        owner: "{{ ts_user }}"
+        group: "{{ ts_user }}"
+        mode: '0600'
+        state: file
+
+    - name: Ensure user is member of sudo group
+      ansible.builtin.user:
+        name: "{{ ts_user }}"
+        groups: sudo
+        append: yes
+
+    - name: Allow user to sudo without password via sudoers.d
+      ansible.builtin.copy:
+        dest: "/etc/sudoers.d/{{ ts_user }}"
+        content: "{{ ts_user }} ALL=(ALL) NOPASSWD:ALL\n"
+        owner: root
+        group: root
+        mode: '0440'
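Review bot: The sudoers.d write in the last task has no syntax check, so a bad render of `content` (or a later change to `ts_user` that sudoers rejects) is copied straight into `/etc/sudoers.d/` and can break sudo for every account on the host; add `validate: /usr/sbin/visudo -cf %s` to that `ansible.builtin.copy` task. The grant is `NOPASSWD:ALL` on `hosts: all` for a single shared account whose authorized_keys carries two different people's keys, so sudo and auth logs will attribute every root action to `ts-admin` rather than to a person; if individual accountability matters, consider one account per key, or at least a comment on the task stating why a shared NOPASSWD account is acceptable here. `become: yes`, `create_home: yes` and `append: yes` are YAML 1.1 truthy spellings that yamllint flags; write `true`. The separate `.ssh` directory and `authorized_keys` permission tasks appear to duplicate what `ansible.builtin.authorized_key` already does by default (it manages the directory and file modes), and `state: present` without `exclusive: true` means a key removed from `ts_pubkeys` is never removed from the host, which is worth either an explicit revocation path or a comment noting that rotation is manual.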