roles/user_mgmt: for add/delete users and ssh_keys

debian.yml

@@ -3,3 +3,4 @@
   become: yes
   roles:
     - debian
+    - { role: user_mgmt, tags: [user_mgmt]}

group_vars/all.yml

@@ -0,0 +1,18 @@
+user_mgmt_default:
+  crest:
+    ssh_key:
+      present:
+      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGApbgicmP2yQTxf2YjGVtRo6yGTIFfDRjHg2whJsKp9 crest"
+      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmjzqbR1FPmfgwutxxog/UsbvXHx8uJMDAwBDOjV+XY crest@emma.ccchb.de"
+      absent: []
+  genofire:
+    ssh_key:
+      present:
+      - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDZm0TZPBzgXrY1vrLoYviNRb/oGZQDQk9vrppPK84sN55ZPlr9VvP+JYE7Qkx8teRuH9ulxqX40+dxKaiAXMUl4HU57KPLjwCb7SnBNIFTv6ZHGxPS8ZgUzKJr4Agph51oenNEO3RziEqAo3EwK67SGnjeIYQQKcjpfwd08+PYMOjv42zSYQ9umooj5LooOvbxoogZ3VpboXv6DeyA4rev1M9RgnMWaWVF2LxJjQ3jVr7xh1vZktVGKuVk/XXKD6WVAuwmGMVEouQzjtG9kepWd8FUYe+fgj5mtdqfeQP9CypxvOcb7jT20wO1Abpp5udS9iPDQHg+lafklIAeKG3qgxxhBDH3otXtnWcoeXUmDpBI8HU/8d/yrGaLHYRfy3HHiSGFq3lBgoxi83QIOl9ELeKWMJC0fWKBApm0NU0flgwfy2j7GRyXmlM7tVFyuj5RTAZNQfgD9g054di9WbtUs7sm/9r3/rQe2+3neE3Jskt4xvZK0xbc4dZSZGn4E2JDWjENqPBvQ2dU5lsjpUKTZWAnxVGPe//BErsDxNLIHWz8emG71r3Q2yud4KPdAR9CgeC8g1bwlCI6JDFZutKBzIlE3QQ4ryKJEioiUL89xi6G+nNB7W5ABsQN0ZtWvZl8TG4Wh00B+oBXzgRER5Y9SdAYcrwWxlGVxxQyElUNrw== genofire-yubikey"
+      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH8LdgjUiL/MFmA2wM98QAbUEyY/8ixnpettC6kQxKWu genofire@emma.ccchb.de"
+      absent: []
+  fritz:
+    ssh_key:
+      present:
+      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEay33koXmcBcrDuCQKkCBlw/gKiPtwLswATPqIR7udl fritz@fluorine.grimpen.net"
+      absent: []

host_vars/cloud.emma.ccchb.de.yml

@@ -3,7 +3,6 @@ ipv6route: 2a01:4f8:150:926f::4
 ipv4: 10.0.0.1/31
 ipv4route: 10.0.0.0
 dns: 213.133.98.98 8.8.8.8
-default_root_ssh_publickey: "https://fireorbit.de/keys/ssh"
 nginx_acme_mail: "webmaster@ccchb.de"
 nextcloud_domain: "cloud.ccchb.de"
 php_config:
@@ -12,3 +11,11 @@ php_config:
 php_fpm_env:
 - key: 'PATH'
   value: "/usr/local/bin:/usr/bin:/bin"
+
+user_mgmt:
+  crest:
+    created: true
+    groups: sudo
+  genofire:
+    created: true
+    groups: sudo

host_vars/dn42.emma.ccchb.de.yml

@@ -5,4 +5,14 @@ ipv6route: 2a01:4f8:150:926f::6
 ipv4: 10.0.0.3/31
 ipv4route: 10.0.0.2
 dns: 213.133.98.98 8.8.8.8
-default_root_ssh_publickey: "https://fireorbit.de/keys/ssh"
+
+user_mgmt:
+  crest:
+    created: true
+    groups: sudo
+  genofire:
+    created: true
+    groups: sudo
+  fritz:
+    created: true
+    groups: sudo

roles/debian/tasks/main.yml

@@ -11,12 +11,6 @@
     checksum: sha256:ad88c76951693c2f9c38773ed2602a9fd5c74431615c4a23aaff679b295919ce
     validate_certs: false
 
-- name: ssh publickey
-  authorized_key:
-    user: root
-    state: present
-    key: "{{ default_root_ssh_publickey }}"
-
 - name: Update SSH configuration
   notify: reload sshd
   replace:

roles/user_mgmt/defaults/main.yml

@@ -0,0 +1,2 @@
+user_mgmt_default: {}
+user_mgmt: {}

roles/user_mgmt/tasks/main.yml

@@ -0,0 +1,34 @@
+---
+- name: Merge ansible variables for host 
+  set_fact: _user_mgmt="{{ user_mgmt_default | combine(user_mgmt, recursive=true) }}"
+
+- name: Add User
+  user:
+    name: "{{ item.key }}"
+    groups: "{{ item.value.groups | default([]) }}"
+    state: present
+  when: item.value.created | default
+  with_dict: "{{ _user_mgmt }}"
+
+- name: Add ssh-key to user
+  authorized_key:
+    user: "{{ item.0.key }}"  
+    key: "{{ item.1 }}"
+    state: present
+  when: _user_mgmt[item.0.key].created | default
+  loop: "{{ _user_mgmt |dict2items | subelements('value.ssh_key.present') }}"
+
+- name: Remove ssh-key to user
+  authorized_key:
+    user: "{{ item.0.key }}"  
+    key: "{{ item.1 }}"
+    state: absent
+  when: _user_mgmt[item.0.key].created | default
+  loop: "{{ _user_mgmt |dict2items | subelements('value.ssh_key.absent') }}"
+
+- name: Remove user
+  user:
+    name: "{{ item.key }}"
+    state: absent
+  when: not (item.value.created | default)
+  with_dict: "{{ _user_mgmt }}"