add playbook

ensure_tsadmin.yml

@@ -0,0 +1,53 @@
+- name: Ensure tsadmin user and SSH key
+  hosts: all
+  become: yes
+  vars:
+    ts_user: ts-admin
+    ts_pubkeys:
+      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+VHh9Q7Y/0dQgDqoHaQyf6EZjXqiBDg7FvQPrt5LSx Jan Forman"
+      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdDJqGN9L5zkCoQPCOmOy3Rozf4CY+w3p1nf4Ztl4VD miko@Directwire"
+
+  tasks:
+    - name: Ensure user exists
+      ansible.builtin.user:
+        name: "{{ ts_user }}"
+        state: present
+        create_home: yes
+        shell: /bin/bash
+
+    - name: Ensure .ssh directory exists
+      ansible.builtin.file:
+        path: "/home/{{ ts_user }}/.ssh"
+        state: directory
+        owner: "{{ ts_user }}"
+        group: "{{ ts_user }}"
+        mode: '0700'
+
+    - name: Install public keys for the user
+      ansible.builtin.authorized_key:
+        user: "{{ ts_user }}"
+        key: "{{ item }}"
+        state: present
+      loop: "{{ ts_pubkeys }}"
+
+    - name: Ensure authorized_keys permissions
+      ansible.builtin.file:
+        path: "/home/{{ ts_user }}/.ssh/authorized_keys"
+        owner: "{{ ts_user }}"
+        group: "{{ ts_user }}"
+        mode: '0600'
+        state: file
+
+    - name: Ensure user is member of sudo group
+      ansible.builtin.user:
+        name: "{{ ts_user }}"
+        groups: sudo
+        append: yes
+
+    - name: Allow user to sudo without password via sudoers.d
+      ansible.builtin.copy:
+        dest: "/etc/sudoers.d/{{ ts_user }}"
+        content: "{{ ts_user }} ALL=(ALL) NOPASSWD:ALL\n"
+        owner: root
+        group: root
+        mode: '0440'