Merge pull request #11 from roles-ansible/rt

Improve login as root

README.md

@@ -20,7 +20,7 @@ And it is possible to delete users too.
 ## Using this Collection
 You can install the collection using ansible-galaxy by running:
 ```bash
-ansible-galaxy collection install l3d.users:1.1.0
+ansible-galaxy collection install l3d.users:1.1.1
 ```
 
 Remember you can to Upgrade to the latest version of the l3d.git collection using the ``--upgrade`` parameter:
@@ -45,7 +45,7 @@ You can also list a collection in ``requirements.yml``:
 ---
 collections:
   - name: l3d.users
-    version: ">=1.1.0"
+    version: ">=1.1.1"
 ```
 
  Global Variables:
@@ -68,6 +68,7 @@ The Option of these directory-variables are the following.
 | ``admin_commands`` | *string or list* | - | Commands that are allows to be run as admin, eg. 'ALL' or specific script |
 | ``admin_nopassword`` | ``false`` | - | Need no Password for sudo |
 | ``admin_ansible_login`` | ``true`` | - | if ``admin: true`` and ``l3d_users__create_ansible: true`` your ssh keys will be added to ansible user |
+| ``admin_root_login`` | ``true`` | - | if ``admin: true`` and ``l3d_users__set_root_ssh_keys: true`` your ssh keys will be added to root |
 | ``pubkeys`` | string or lookup | - | see examples |
 | ``exklusive_pubkeys`` | ``true`` | - | delete all undefined ssh keys |
 | ``password`` | password hash | - | See [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) |
@@ -83,7 +84,9 @@ There is also the ``l3d_users__ssh_login`` variable which only supports ``name``
 | ``l3d_users__create_ansible`` | ``true`` | Create User ansible |
 | ``l3d_users__ansible_user_state`` | ``present`` | Create or delete user ansible |
 | ``l3d_users__set_ansible_ssh_keys`` | ``false`` | Set SSH Keys for User ansible |
-| ``l3d_users__ansible_ssh_keys`` | | SSH public Keys. One per line or as lookup |
+| ``l3d_users__ansible_ssh_keys`` | *see [roles/user/defaults/main.yml](roles/user/defaults/main.yml)* | SSH public Keys for ansible user. One per line or as lookup |
+| ``l3d_users__set_root_ssh_keys`` | ``false`` | Set SSH Keys for root User |
+| ``l3d_users__root_ssh_keys`` | | Additional SSH Keys for root User |
 | ``l3d_users__ansible_user_password`` | | Set optional Password for Ansible User, see [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) |
 | ``l3d_users__ansible_user_command`` | ``ALL`` | Commans with superpower for ansible user |
 | ``l3d_users__ansible_user_nopassword`` | ``true`` | Allow superpowers without password for ansible user |

galaxy.yml

@@ -9,7 +9,7 @@ namespace: l3d
 name: users
 
 # The version of the collection. Must be compatible with semantic versioning
-version: 1.1.0
+version: 1.1.1
 
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md

roles/sshd/handlers/main.yml

@@ -5,4 +5,4 @@
   ansible.builtin.systemd:
     name: "{{ l3d_users__sshd_service }}"
     state: restarted
-  when: sshd__service is defined and ansible_service_mgr == 'systemd'
+  when: l3d_users__sshd__service is defined and ansible_service_mgr == 'systemd'

roles/sshd/templates/sshd_config.j2

@@ -112,11 +112,21 @@ UsePAM yes
 {% endfor %}
 
 # User Authentication
-{% if l3d_users__create_ansible | bool and l3d_users__ansible_user_state == 'present' %}
+{% if l3d_users__create_ansible | bool and l3d_users__ansible_user_state == 'present' and not l3d_users__sshd_permitrootlogin | bool %}
 AllowUsers ansible {{ _sshd_accounts | join(' ') }}
 
 # Group Authentication
 AllowGroups ansible {{ _sshd_accounts | join(' ') }}
+{% elif l3d_users__create_ansible | bool and l3d_users__ansible_user_state == 'present' and l3d_users__sshd_permitrootlogin | bool %}
+AllowUsers root ansible {{ _sshd_accounts | join(' ') }}
+
+# Group Authentication
+AllowGroups root ansible {{ _sshd_accounts | join(' ') }}
+{% elif not l3d_users__create_ansible | bool and l3d_users__sshd_permitrootlogin | bool %}
+AllowUsers root {{ _sshd_accounts | join(' ') }}
+
+# Group Authentication
+AllowGroups root {{ _sshd_accounts | join(' ') }}
 {% else %}
 AllowUsers {{ _sshd_accounts | join(' ') }}
 

roles/sshd/vars/main.yml

@@ -1,5 +1,5 @@
 ---
-playbook_version_number: 6
+playbook_version_number: 7
 playbook_version_path: 'l3d.users.sshd.version'
 
 l3d_users_sshd__service_var_path:

roles/user/README.md

@@ -26,6 +26,7 @@ The Option of these directory-variables are the following.
 | ``admin_commands`` | *string or list* | - | Commands that are allows to be run as admin, eg. 'ALL' or specific script |
 | ``admin_nopassword`` | ``false`` | - | Need no Password for sudo |
 | ``admin_ansible_login`` | ``true`` | - | if ``admin: true`` and ``l3d_users__create_ansible: true`` your ssh keys will be added to ansible user |
+| ``admin_root_login`` | ``true`` | - | if ``admin: true`` and ``l3d_users__set_root_ssh_keys: true`` your ssh keys will be added to root |
 | ``pubkeys`` | string or lookup | - | see examples |
 | ``exklusive_pubkeys`` | ``true`` | - | delete all undefined ssh keys |
 | ``password`` | password hash | - | See [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) |
@@ -39,8 +40,10 @@ The Option of these directory-variables are the following.
 | ``l3d_users__create_ansible`` | ``true`` | Create User ansible |
 | ``l3d_users__ansible_user_state`` | ``present`` | Create or delete user ansible |
 | ``l3d_users__set_ansible_ssh_keys`` | ``false`` | Set SSH Keys for User ansible |
-| ``l3d_users__ansible_ssh_keys`` | | SSH public Keys. One per line or as lookup |
+| ``l3d_users__ansible_ssh_keys`` | *see [defaults/main.yml](defaults/main.yml)* | SSH public Keys for ansible user. One per line or as lookup |
 | ``l3d_users__ansible_user_password`` | | Set optional Password for Ansible User, see [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) |
+| ``l3d_users__set_root_ssh_keys`` | ``false`` | Set SSH Keys for root User |
+| ``l3d_users__root_ssh_keys`` |  | Additional SSH Keys for root User |
 | ``submodules_versioncheck`` | ``false`` | Optionaly enable simple versionscheck of this role |
 
  Example Playbook

roles/user/defaults/main.yml

@@ -35,6 +35,8 @@ l3d_users__ansible_user_state: 'present'
 l3d_users__set_ansible_ssh_keys: false
 l3d_users__ansible_ssh_keys: "{{ lookup('url', 'https://github.com/do1jlr.keys', split_lines=False) }}"
 l3d_users__ansible_user_password: ''
+l3d_users__set_root_ssh_keys: false
+l3d_users__root_ssh_keys: ''
 
 # run simple versionscheck
 submodules_versioncheck: false

roles/user/tasks/main.yml

@@ -20,3 +20,8 @@
 - name: Manage SSH public keys
   ansible.builtin.include_tasks:
     file: 'pubkeys.yml'
+
+- name: Set SSH public Keys for root
+  ansible.builtin.include_tasks:
+    file: 'root_ssh.yml'
+  when: l3d_users__set_root_ssh_keys | bool

roles/user/tasks/root_ssh.yml

@@ -0,0 +1,21 @@
+---
+- name: Set dedicated SSH keys root and drop all other keys
+  become: true
+  ansible.posix.authorized_key:
+    user: 'ansible'
+    state: 'present'
+    key: "{{ l3d_users__root_ssh_keys }}"
+    exclusive: true
+
+- name: Add admin keys to user ansible
+  become: true
+  ansible.posix.authorized_key:
+    user: 'ansible'
+    state: "{{ l3d_users__ansible_user_state | ternary('present', 'absent') }}"
+    key: "{{ user.pubkeys | default() }}"
+    exclusive: false
+  loop: "{{ _l3d_users__merged_users }}"
+  when: user.admin | default(false) | bool and user.admin_root_login | default(true) | bool
+  loop_control:
+    label: "user={{ user.name }}"
+    loop_var: user

roles/user/vars/main.yml

@@ -1,3 +1,3 @@
 ---
-playbook_version_number: 12
+playbook_version_number: 13
 playbook_version_path: 'l3d.users.user.version'