improve role, especially wrt. passwords

2023-07-14 19:48:55 +02:00
parent 6850abfe30
commit aba0be2e7b
4 changed files with 202 additions and 10 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,11 +1,33 @@
+# SPDX-FileCopyrightText: 2023 Max Mehl <https://mehl.mx>
+#
+# SPDX-License-Identifier: Apache-2.0
+
 ---
- name: Prepare password for user {{ username }}
+# Handle cases in which password variable is undefined or empty
+- name: Disable password login for user unless empty password allowed for user {{ username }}
  when:
+    - password is not defined or
+      password|length == 0
+    - not allow_no_password
+  ansible.builtin.set_fact:
+    password_value: "*"
+
+- name: Allow login without password as it is explicitely allowed for user {{ username }}
+  when:
+    - password is not defined or
+      password|length == 0
+    - allow_no_password
+  ansible.builtin.set_fact:
+    password_value: ""
+
+- name: Hash provided password for user {{ username }}
+  when:
+    # Non-empty password has been provided
    - password is defined
-    - password != ""
-    - password != '*'
+    # None of the special cases has been handled before
+    - password_value is not defined
  block:
-    - name: Create idempotent salt for password
+    - name: Create idempotent salt for {{ username }}'s password
      set_fact:
        salt: "{{ ((username + inventory_hostname) | hash('sha512'))[:16] }}"

@@ -14,11 +36,18 @@
      register: username_shadowpw
      changed_when: false

+    - name: Set password value fact for user {{ username }}
+      ansible.builtin.set_fact:
+        password_value: "{{ username_shadowpw.stdout }}"
+
 - name: "Ensure user is configured correctly: {{ username }}"
-  user:
+  ansible.builtin.user:
    name: "{{ username }}"
-    shell: /bin/bash
-    generate_ssh_key: true
-    password: "{{ username_shadowpw.stdout | default('*') }}"
-    groups: "{{ user_groups | default('') }}"
-    append: "{{ append | default('yes') }}"
+    password: "{{ password_value }}"
+    shell: "{{ shell }}"
+    # SSH
+    generate_ssh_key: "{{ generate_ssh_key }}"
+    ssh_key_type: "{{ ssh_key_type }}"
+    # Groups
+    groups: "{{ user_groups }}"
+    append: "{{ groups_append }}"