tasks/unpriv-user.yml

---
- name: Ensure that unprivileged user is present
  ansible.builtin.user:
    name: "{{ interactive_user }}"
    shell: /bin/bash
    home: "{{ interactive_home }}"
    password: "{{ interactive_password }}"
    groups: sudo
    create_home: true
    skeleton: /etc/skel
    append: true

# - name: Check the primary key for the unprivileged user
#   ansible.posix.authorized_key:
#     user: "{{ interactive_user }}"
#     key: "{{ lookup('file', '../home/ssh-keys/' ~ interactive_user ~ '/' ~ interactive_user ~ '-yubi-1.pub') }}"
#     state: present
#     exclusive: false
#   register: setkey

# - name: Re-set the primary key as exclusive, if we found that the key was not present yet # noqa: no-handler
#   when: setkey.changed
#   ansible.posix.authorized_key:
#     user: "{{ interactive_user }}"
#     key: "{{ lookup('file', '../home/ssh-keys/' ~ interactive_user ~ '/' ~ interactive_user ~ '-yubi-1.pub') }}"
#     state: present
#     exclusive: true

# - name: Set the secondary key for the unprivileged user
#   ansible.posix.authorized_key:
#     user: "{{ interactive_user }}"
#     key: "{{ lookup('file', '../home/ssh-keys/' ~ interactive_user ~ '/' ~ interactive_user ~ '-yubi-2.pub') }}"
#     state: present
#     exclusive: false

- name: Install required package to become unprivileged users
  ansible.builtin.apt:
    name: acl
    state: present
Initial commit 2024-10-26 16:23:45 +02:00			`---`
			`- name: Ensure that unprivileged user is present`
			`ansible.builtin.user:`
			`name: "{{ interactive_user }}"`
			`shell: /bin/bash`
			`home: "{{ interactive_home }}"`
			`password: "{{ interactive_password }}"`
			`groups: sudo`
			`create_home: true`
			`skeleton: /etc/skel`
			`append: true`

fix 🐛: Remove unprivileged key management This commit addresses a security concern by removing unnecessary and potentially risky tasks related to authorized key management for unprivileged users. This simplifies the system and reduces the attack surface. The changes align with best practices for user access control. 2025-12-14 06:19:09 +01:00			`# - name: Check the primary key for the unprivileged user`
			`# ansible.posix.authorized_key:`
			`# user: "{{ interactive_user }}"`
			`# key: "{{ lookup('file', '../home/ssh-keys/' ~ interactive_user ~ '/' ~ interactive_user ~ '-yubi-1.pub') }}"`
			`# state: present`
			`# exclusive: false`
			`# register: setkey`
Fix setting SSH-keys: only changed when actually adding keys 2024-11-03 16:08:41 +01:00
fix 🐛: Remove unprivileged key management This commit addresses a security concern by removing unnecessary and potentially risky tasks related to authorized key management for unprivileged users. This simplifies the system and reduces the attack surface. The changes align with best practices for user access control. 2025-12-14 06:19:09 +01:00			`# - name: Re-set the primary key as exclusive, if we found that the key was not present yet # noqa: no-handler`
			`# when: setkey.changed`
			`# ansible.posix.authorized_key:`
			`# user: "{{ interactive_user }}"`
			`# key: "{{ lookup('file', '../home/ssh-keys/' ~ interactive_user ~ '/' ~ interactive_user ~ '-yubi-1.pub') }}"`
			`# state: present`
			`# exclusive: true`
Initial commit 2024-10-26 16:23:45 +02:00
fix 🐛: Remove unprivileged key management This commit addresses a security concern by removing unnecessary and potentially risky tasks related to authorized key management for unprivileged users. This simplifies the system and reduces the attack surface. The changes align with best practices for user access control. 2025-12-14 06:19:09 +01:00			`# - name: Set the secondary key for the unprivileged user`
			`# ansible.posix.authorized_key:`
			`# user: "{{ interactive_user }}"`
			`# key: "{{ lookup('file', '../home/ssh-keys/' ~ interactive_user ~ '/' ~ interactive_user ~ '-yubi-2.pub') }}"`
			`# state: present`
			`# exclusive: false`
Initial commit 2024-10-26 16:23:45 +02:00
			`- name: Install required package to become unprivileged users`
			`ansible.builtin.apt:`
			`name: acl`
			`state: present`