diff --git a/README.md b/README.md
index 29fc328..84a383f 100644
--- a/README.md
+++ b/README.md
@@ -14,24 +14,25 @@ If the "base_core_hostname" variable is defined, it is recommended to set the an
 ### Core Variables
-| Variable | Default | Choices | Comments |
-| -------------------------------------------- | ------------- | ----------- | -------------------------------------------------------------------------- |
-| base_core_cert_common_name | nodename | | Common name for created self-signed cert |
-| base_core_firewall_configure | True | True, False | Allows the firewall to be configured |
-| base_core_hostname | "" | | Defines the computer hostname |
-| base_core_install_updates | True | True, False | Install all available updates for the distro at runtime |
-| base_core_management_user | ansible_user | | Defines the account that ansible will use for management in the future |
-| base_core_management_user_disable_password | False | True, False | When enabled the password for the management user account will be disabled |
-| base_core_motd_banner | "" | | Banner to be added to MOTD if desired |
-| base_core_motd_configure | True | True, False | Allows the MOTD to be configured |
-| base_core_root_ca_basename | "" | | Basename of the cert for local system reference |
-| base_core_root_ca_convert | False | True, False | Converts the defined certificate from DER to PEM type |
-| base_core_root_ca_url | "" | | URL of a Root CA to install |
-| base_core_ssh_permit_password_authentication | False | True, False | Permits the use of passwords for ssh |
-| base_core_ssh_permit_root_login | False | True, False | Permits the use of root logins for ssh |
-| base_core_ssh_public_keys_user | "" | | Added the public keys to an additional user if defined |
-| base_core_timezone | America/Boise | | Defines the timezone to apply to the client |
-| base_core_web_management | False | True, False | Enables installation of the Cockpit web management package(s) |
+| Variable | Default | Choices | Comments |
+| -------------------------------------------- | ------------- | 
----------- | ------------------------------------------------------------------------------- |
+| base_core_cert_common_name | nodename | | Common name for created self-signed cert |
+| base_core_firewall_configure | True | True, False | Allows the firewall to be configured |
+| base_core_hostname | "" | | Defines the computer hostname |
+| base_core_install_updates | True | True, False | Install all available updates for the distro at runtime |
+| base_core_management_user | ansible_user | | Defines the account that ansible will use for management in the future |
+| base_core_management_user_disable_password | False | True, False | When enabled the password for the management user account will be disabled |
+| base_core_motd_banner | "" | | Banner to be added to MOTD if desired |
+| base_core_motd_configure | True | True, False | Allows the MOTD to be configured |
+| base_core_root_ca_basename | "" | | Basename of the cert for local system reference |
+| base_core_root_ca_convert | False | True, False | Converts the defined certificate from DER to PEM type |
+| base_core_root_ca_url | "" | | URL of a Root CA to install |
+| base_core_secondary_user | "" | | Defines a secondary account that ansible configure for management in the future |
+| base_core_secondary_user_disable_password | False | True, False | When enabled the password for the secondary user account will be disabled |
+| base_core_ssh_permit_password_authentication | False | True, False | Permits the use of passwords for ssh |
+| base_core_ssh_permit_root_login | False | True, False | Permits the use of root logins for ssh |
+| base_core_timezone | America/Boise | | Defines the timezone to apply to the client |
+| base_core_web_management | False | True, False | Enables installation of the Cockpit web management package(s) |
 ## Example
diff --git a/roles/base/defaults/main.yml b/roles/base/defaults/main.yml
index 2343b60..def77a3 100644
--- a/roles/base/defaults/main.yml
+++ b/roles/base/defaults/main.yml
@@ -8,12 +8,18 @@
 # General
 # =======
-# User that should have the authorized keys added
+# User that should be configured for future management
 base_core_management_user: "{{ ansible_user }}"
+# Secondary user that may be configured for future management
+base_core_secondary_user: ""
+
 # If enabled, the password for the management user account will be disabled
 base_core_management_user_disable_password: false
+# If enabled, the password for the secondary user account will be disabled
+base_core_secondary_user_disable_password: false
+
 # Install all available updates at runtime
 base_core_install_updates: true
@@ -53,9 +59,6 @@ base_core_root_ca_url: ""
 # SSH
 # ===
-# Added the public keys to an additional user if defined
-base_core_ssh_public_keys_user: ""
-
 # Allow ssh root login
 base_core_ssh_permit_root_login: false
diff --git a/roles/base/tasks/core.yml b/roles/base/tasks/core.yml
index 7db56d7..efc599a 100644
--- a/roles/base/tasks/core.yml
+++ b/roles/base/tasks/core.yml
@@ -83,3 +83,9 @@
 name: "{{ base_core_management_user }}"
 password_lock: yes
 when: base_core_management_user_disable_password == true
+
+- name: Disable password for secondary management account
+ user:
+ name: "{{ base_core_secondary_user }}"
+ password_lock: yes
+ when: base_core_secondary_user != "" and base_core_secondary_user_disable_password == true
diff --git a/roles/base/tasks/core_ssh.yml b/roles/base/tasks/core_ssh.yml
index 9231709..497f8b6 100644
--- a/roles/base/tasks/core_ssh.yml
+++ b/roles/base/tasks/core_ssh.yml
@@ -30,12 +30,12 @@
 - name: Setup authorized keys for secondary user
 authorized_key:
- user: "{{ base_core_ssh_public_keys_user }}"
+ user: "{{ base_core_secondary_user }}"
 state: present
 key: '{{ lookup("file", item) }}'
 with_fileglob:
 - "public_keys/*"
- when: base_core_ssh_public_keys_user != ""
+ when: base_core_secondary_user != ""
 tags:
 - authorized_key
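Review bot: Renaming `base_core_ssh_public_keys_user` to `base_core_secondary_user` with no fallback means an inventory that still sets the old name silently stops installing keys for that account, because core_ssh.yml now reads only the new variable and the old one is simply dropped from defaults. A one-line bridge on the new default keeps existing inventories working until they are migrated: `base_core_secondary_user: "{{ base_core_ssh_public_keys_user | default('') }}"`. I would also make the comment above it say what configuring the secondary user actually does in this role, e.g. `# Secondary user that receives every key under public_keys/* (core_ssh.yml) and may have its password locked (core.yml)`, since "may be configured for future management" does not tell an operator that a full operator key set lands on that account.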
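Review bot: The added task hands `base_core_secondary_user` to the `user` module with only `password_lock: yes`, and that module's default `state: present` creates the account (default home, shell and groups) when it does not exist, so a misspelt secondary user name produces a fresh locked account instead of an error. Nothing in this hunk creates the secondary user beforehand; if creation is meant to live elsewhere, precede this task with a `getent` lookup on `passwd` with `fail_key: no` and add `ansible_facts.getent_passwd[base_core_secondary_user] is defined` to its `when`, otherwise make this task the explicit owner of the account and set its attributes deliberately. The `== true` comparison on a boolean is redundant (`when: base_core_secondary_user != "" and base_core_secondary_user_disable_password` reads the same) but matches the preceding management-user task, whose start lies outside the hunk.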
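Review bot: With `state: present` and `with_fileglob` every file under `public_keys/` is added to the secondary user's authorized_keys, but a key later deleted from that directory is never removed from the account, so revoking a departed operator's key needs a manual step the role does not provide. `exclusive: yes` cannot simply be added here because, combined with the per-file loop, it would leave only the last globbed key in place; the robust form collects all key files into a single `key:` value (for example via `lookup('fileglob', 'public_keys/*', wantlist=True)` fed to the `file` lookup and joined with newlines) and then sets `exclusive: yes`, or alternatively pairs this task with a `state: absent` task for retired keys. The management user presumably receives the same directory's keys in a task outside this hunk, so the secondary account ends up with the full operator key set; that is worth stating in the task name or the defaults comment if the secondary account is meant to be less privileged.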