--- - debug: var=ansible_play_hosts - debug: var=deploy_user - debug: var=ansible_ssh_host - debug: var=ansible_ssh_port - debug: var=ansible_ssh_private_key_file - name: group - check deployment group command: pw groupshow "{{ deploy_user }}" register: pw_cmd - name: group - create deployment group command: pw groupadd "{{ deploy_user }}" -g 999 when: pw_cmd.rc != 0 - name: user - check deployment user command: pw usershow "{{ deploy_user }}" register: pw_cmd - name: user - create deployment user command: > pw useradd "{{ deploy_user }}" -u 999 -g "{{ deploy_user }}" -m -d "/var/{{ deploy_user }}" -c "Ansible Deployment" when: pw_cmd.rc != 0 - name: SSH - authorized_keys for the deployment user authorized_key: user: "{{ deploy_user }}" state: present key: "{{ lookup('file', item+'.pub') }}" with_items: - "{{ ansible_ssh_private_key_file }}" - name: sudo - install package pkgng: name: sudo state: present - name: sudo - no password for the deployment user template: src: sudoers.d_ansible.j2 dest: /usr/local/etc/sudoers.d/ansible mode: 0440 validate: "visudo -cf %s" - name: SSH - disable password auth for the deployment user blockinfile: path: /etc/ssh/sshd_config marker: "# {mark} ANSIBLE MANAGED - ansible" block: | Match User {{ deploy_user }} PasswordAuthentication no validate: "sshd -t -f %s" notify: restart-sshd - name: SSH - disable empty password login lineinfile: path: /etc/ssh/sshd_config regexp: "^#?PermitEmptyPasswords" line: "PermitEmptyPasswords no" validate: "sshd -t -f %s" notify: restart-sshd - name: SSH - disable root login lineinfile: path: /etc/ssh/sshd_config regexp: "^#?PermitRootLogin" line: "PermitRootLogin no" validate: "sshd -t -f %s" notify: restart-sshd