From 0c7fec7ee409f4517ca91acdbfc44cb132b3e3a3 Mon Sep 17 00:00:00 2001
From: Johannes Kreutz
Date: Wed, 30 Mar 2022 20:43:51 +0200
Subject: [PATCH 1/3] Do not use reserved variable "remote_user", end root usage as soon as its not required anymore
---
 ansible/inventory/group_vars/all.example.yml | 2 +-
 ansible/roles/ssh-initial/tasks/main.yml | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/ansible/inventory/group_vars/all.example.yml b/ansible/inventory/group_vars/all.example.yml
index 2cf83f5..6f712dd 100644
--- a/ansible/inventory/group_vars/all.example.yml
+++ b/ansible/inventory/group_vars/all.example.yml
@@ -1,4 +1,4 @@
 base_url: example.de
 webmaster_email: webmaster@example.de
-remote_user: ansible
+ansible_service_user: ansible
 install_ssl_certificates: true
\ No newline at end of file
diff --git a/ansible/roles/ssh-initial/tasks/main.yml b/ansible/roles/ssh-initial/tasks/main.yml
index 6eaff87..2dba1c9 100644
--- a/ansible/roles/ssh-initial/tasks/main.yml
+++ b/ansible/roles/ssh-initial/tasks/main.yml
@@ -19,3 +19,8 @@
 loop: "{{ lookup('dict', sshd) }}"
 notify:
 - reload sshd
+
+- name: Switch to '{{ ansible_service_user }}' to end root usage
+ connection: local
+ set_fact:
+ ansible_user: "{{ ansible_service_user }}"
From 9ce99b6b823d12e3fe1005510f31244183a37cd9 Mon Sep 17 00:00:00 2001
From: Johannes Kreutz
Date: Wed, 30 Mar 2022 21:51:01 +0200
Subject: [PATCH 2/3] Fix reload sshd
---
 ansible/roles/ssh-initial/handlers/main.yml | 2 +-
 ansible/roles/ssh-initial/tasks/main.yml | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/ansible/roles/ssh-initial/handlers/main.yml b/ansible/roles/ssh-initial/handlers/main.yml
index 8e63e9a..49d5d4a 100644
--- a/ansible/roles/ssh-initial/handlers/main.yml
+++ b/ansible/roles/ssh-initial/handlers/main.yml
@@ -2,5 +2,5 @@
 - name: reload sshd
 become: true
 service:
- name: "sshd"
+ name: sshd
 state: reloaded
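Review bot: The new `set_fact: ansible_user: "{{ ansible_service_user }}"` task in tasks/main.yml hands every following task (and, since set_fact facts persist for the host, the rest of the run) to the service user without first confirming that a login as that user actually works; the only thing vouching for it is the `authorized_key` task earlier in the same file. A wrong key or user name would then surface only after the root path has been given up, so a cheap probe such as `- name: Verify login as '{{ ansible_service_user }}'` followed by `ping:` directly after this task would fail early, while root is still usable. `connection: local` on a `set_fact` task is redundant, because set_fact never contacts the host, and can be dropped. The task preceding the addition starts above the hunk, outside this view.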
diff --git a/ansible/roles/ssh-initial/tasks/main.yml b/ansible/roles/ssh-initial/tasks/main.yml index 2dba1c9..1b493ac 100644 --- a/ansible/roles/ssh-initial/tasks/main.yml +++ b/ansible/roles/ssh-initial/tasks/main.yml @@ -4,7 +4,7 @@ become: true authorized_key: user: "{{ ansible_service_user }}" - key: "{{ ansible_authorized_keys|map('extract', users)|map(attribute='ssh_key')|join('\n') }}" + key: "{{ ansible_authorized_keys.get('users') | map(attribute='ssh_key') | join('\n') }}" exclusive: yes - name: Edit sshd config file @@ -24,3 +24,6 @@ connection: local set_fact: ansible_user: "{{ ansible_service_user }}" + +- name: Ensure that the reload handler will run + meta: flush_handlers \ No newline at end of file From 24b13a0dd15764de82a6dd213870225ed215cc18 Mon Sep 17 00:00:00 2001 From: Johannes Kreutz Date: Wed, 30 Mar 2022 21:52:56 +0200 Subject: [PATCH 3/3] Revert stuff not belonging to this PR --- ansible/roles/ssh-initial/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/ssh-initial/tasks/main.yml b/ansible/roles/ssh-initial/tasks/main.yml index 1b493ac..4b27923 100644 --- a/ansible/roles/ssh-initial/tasks/main.yml +++ b/ansible/roles/ssh-initial/tasks/main.yml @@ -4,7 +4,7 @@ become: true authorized_key: user: "{{ ansible_service_user }}" - key: "{{ ansible_authorized_keys.get('users') | map(attribute='ssh_key') | join('\n') }}" + key: "{{ ansible_authorized_keys|map('extract', users)|map(attribute='ssh_key')|join('\n') }}" exclusive: yes - name: Edit sshd config file
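Review bot: In the second hunk of PATCH 2/3, `meta: flush_handlers` is placed after the task that switches `ansible_user` to the service user, so the `reload sshd` handler (declared with `become: true` in handlers/main.yml in the same series) now runs through the new account and its sudo rights rather than over the root connection that edited sshd_config; if that account cannot escalate, the reload fails at the end of the role and the edited configuration is never applied, which looks like the very failure the commit title says it fixes. Moving `- name: Ensure that the reload handler will run` / `meta: flush_handlers` to just before the switch task keeps the reload on the privileged connection, and a connection check as the service user placed after the reload would catch a configuration that breaks key login before root access is dropped. The file still ends without a trailing newline after this change. The task list continues above the hunk, outside this view.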