feat ✨: Import unprivileged user task

This commit introduces the `unpriv-user.yml` task, enabling the creation of unprivileged user accounts. This addition expands user management capabilities, allowing for more granular control over user permissions and access within the system. The task facilitates the streamlined setup of users without requiring elevated privileges.
fix 🐛: Remove unprivileged key management
2025-12-14 06:19:41 +01:00 · 2025-12-14 06:19:09 +01:00 · 2025-12-14 06:10:42 +01:00 · 2025-12-13 10:09:04 +01:00 · 2025-12-13 08:39:05 +01:00 · 2025-12-13 08:33:38 +01:00
6 changed files with 44 additions and 36 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -4,3 +4,9 @@
 # [WARNING]: Module remote_tmp /root/.ansible/tmp did not exist and was created with a mode of 0700,
 # this may cause issues when running as another user. To avoid this, create the remote_tmp dir with the correct permissions manually"
 allow_world_readable_tmpfiles: true
 ansible_user_id: root
 interactive_user: "{{ remote_user | default('ansible') }}"
 interactive_home: "/home/{{ interactive_user}}"
 interactive_password: "{{ test_password }}"
--- a/tasks/edit-journald.yml
+++ b/tasks/edit-journald.yml
@@ -10,8 +10,8 @@
    - { regexp: "^#?ForwardToSyslog", line: ForwardToSyslog=no }
    - { regexp: "^#?SystemMaxUse", line: SystemMaxUse=100M }
  notify: Restart systemd-journald
-  vars:
+  # vars:
-    ansible_remote_tmp: /tmp # Prevent warnings for auto-created tmp dir
+  #   ansible_remote_tmp: /tmp # Prevent warnings for auto-created tmp dir
 # A succesful vacuum does impact log size, but is not considered a change
 - name: Vacuum journalctl before
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -6,8 +6,9 @@
 - name: Ensure required packages are present on systems
  ansible.builtin.import_tasks: prereq-packages.yml
- name: Make /tmp non-executable
+# not sure if needed, but I'll leave it here as a reference if needed.
-  ansible.builtin.import_tasks: tmp-nonexec.yml
+# - name: Make /tmp non-executable
 #   ansible.builtin.import_tasks: tmp-nonexec.yml
 - name: Import tasks to ensure creation of unprivileged user
  ansible.builtin.import_tasks: unpriv-user.yml
@@ -19,11 +20,12 @@
  ansible.builtin.debug:
    var: ansible_local['cpu_info']
- name: Firmware block for x86_64 systems
+# Not necessary for me
-  when: "'Dell' in ansible_board_vendor or 'LENOVO' in ansible_board_vendor"
+# - name: Firmware block for x86_64 systems
-  block:
+#   when: "'Dell' in ansible_board_vendor or 'LENOVO' in ansible_board_vendor"
-    - name: Import firmware tasks
+#   block:
-      ansible.builtin.import_tasks: additional-firmware.yml
+#     - name: Import firmware tasks
 #       ansible.builtin.import_tasks: additional-firmware.yml
 - name: Import color-shell tasks for the common-role
  ansible.builtin.import_tasks: color-shell.yml
@@ -40,5 +42,5 @@
 - name: Set the custom message of the day (motd)
  ansible.builtin.import_tasks: motd.yml
- name: Perform SSH daemon hardening
+# - name: Perform SSH daemon hardening
-  ansible.builtin.import_tasks: ssh-config.yml
+#   ansible.builtin.import_tasks: ssh-config.yml
--- a/tasks/set-hostname.yml
+++ b/tasks/set-hostname.yml
@@ -8,8 +8,8 @@
    path: /etc/hosts
    regexp: 127\.0\.1\.1
    replace: "{{ ansible_host }} {{ inventory_hostname }}"
-  vars:
+  # vars:
-    ansible_remote_tmp: /tmp # Prevent warnings for auto-created tmp dir
+  #   ansible_remote_tmp: /tmp # Prevent warnings for auto-created tmp dir
 - name: Ensure at least one full hostname entry is present
  ansible.builtin.lineinfile:
@@ -17,6 +17,6 @@
    regexp: "{{ ansible_host }}.*{{ inventory_hostname }}"
    line: "{{ ansible_host }} {{ inventory_hostname }}"
    state: present
-  vars:
+  # vars:
-    ansible_remote_tmp: /tmp # Prevent warnings for auto-created tmp dir
+  #   ansible_remote_tmp: /tmp # Prevent warnings for auto-created tmp dir
  when: "'activedirectory' not in group_names"
--- a/tasks/set-locale.yml
+++ b/tasks/set-locale.yml
@@ -2,7 +2,7 @@
 - name: Ensure the proper locales are present and generated
  community.general.locale_gen:
    name:
-      - "nl_NL.UTF-8"
+      - "it_IT.UTF-8"
      - "en_US.UTF-8"
      - "en_GB.UTF-8"
    state: present
--- a/tasks/unpriv-user.yml
+++ b/tasks/unpriv-user.yml
@@ -10,28 +10,28 @@
    skeleton: /etc/skel
    append: true
- name: Check the primary key for the unprivileged user
+# - name: Check the primary key for the unprivileged user
-  ansible.posix.authorized_key:
+#   ansible.posix.authorized_key:
-    user: "{{ interactive_user }}"
+#     user: "{{ interactive_user }}"
-    key: "{{ lookup('file', '../home/ssh-keys/' ~ interactive_user ~ '/' ~ interactive_user ~ '-yubi-1.pub') }}"
+#     key: "{{ lookup('file', '../home/ssh-keys/' ~ interactive_user ~ '/' ~ interactive_user ~ '-yubi-1.pub') }}"
-    state: present
+#     state: present
-    exclusive: false
+#     exclusive: false
-  register: setkey
+#   register: setkey
- name: Re-set the primary key as exclusive, if we found that the key was not present yet # noqa: no-handler
+# - name: Re-set the primary key as exclusive, if we found that the key was not present yet # noqa: no-handler
-  when: setkey.changed
+#   when: setkey.changed
-  ansible.posix.authorized_key:
+#   ansible.posix.authorized_key:
-    user: "{{ interactive_user }}"
+#     user: "{{ interactive_user }}"
-    key: "{{ lookup('file', '../home/ssh-keys/' ~ interactive_user ~ '/' ~ interactive_user ~ '-yubi-1.pub') }}"
+#     key: "{{ lookup('file', '../home/ssh-keys/' ~ interactive_user ~ '/' ~ interactive_user ~ '-yubi-1.pub') }}"
-    state: present
+#     state: present
-    exclusive: true
+#     exclusive: true
- name: Set the secondary key for the unprivileged user
+# - name: Set the secondary key for the unprivileged user
-  ansible.posix.authorized_key:
+#   ansible.posix.authorized_key:
-    user: "{{ interactive_user }}"
+#     user: "{{ interactive_user }}"
-    key: "{{ lookup('file', '../home/ssh-keys/' ~ interactive_user ~ '/' ~ interactive_user ~ '-yubi-2.pub') }}"
+#     key: "{{ lookup('file', '../home/ssh-keys/' ~ interactive_user ~ '/' ~ interactive_user ~ '-yubi-2.pub') }}"
-    state: present
+#     state: present
-    exclusive: false
+#     exclusive: false
 - name: Install required package to become unprivileged users
  ansible.builtin.apt:
Author	SHA1	Message	Date
Jose	9c58518e77	feat ✨: Import unprivileged user task This commit introduces the `unpriv-user.yml` task, enabling the creation of unprivileged user accounts. This addition expands user management capabilities, allowing for more granular control over user permissions and access within the system. The task facilitates the streamlined setup of users without requiring elevated privileges.	2025-12-14 06:19:41 +01:00
Jose	1551565825	fix 🐛: Remove unprivileged key management This commit addresses a security concern by removing unnecessary and potentially risky tasks related to authorized key management for unprivileged users. This simplifies the system and reduces the attack surface. The changes align with best practices for user access control.	2025-12-14 06:19:09 +01:00
Jose	3dec85c5a8	chore 📦: Import color-shell and edit-journald tasks This commit integrates the color-shell and edit-journald tasks into the main YAML configuration. These tasks are now included as part of the project's workflow, streamlining the process for managing shell color customization and system journald settings. This ensures consistent and organized handling of these specific configurations.	2025-12-14 06:10:42 +01:00
Jose	1cd309c151	fix 🐛: Define user and password variables This commit updates the `main.yml` file to explicitly define essential user and password variables. This ensures the application has the necessary credentials for proper operation and enhances security by centralizing configuration. The changes improve the script's usability and setup process.	2025-12-13 10:09:04 +01:00
Jose	33f7b59251	fix 🐛: Remove ssh-config import	2025-12-13 08:39:05 +01:00
Jose	485b596c1b	fix 🐛: Remove commented-out tmp lines This commit removes commented-out lines related to `ansible_remote_tmp` within the `set-hostname` task. These lines were causing warnings during execution, and their removal resolves the issue without altering the task's functionality.	2025-12-13 08:33:38 +01:00
Jose	00eafd9e44	fix 🐛: Remove ansible_remote_tmp This commit removes the `ansible_remote_tmp` variable definition to resolve warnings related to auto-created temporary directories. This change ensures the system adheres to best practices and avoids potential issues with temporary file management during Ansible execution. The removal simplifies the configuration and improves the overall stability of the deployment process.	2025-12-13 08:32:04 +01:00
Jose	342631679a	refactor ♻️: Simplify playbook This commit refactors the playbook by removing the unnecessary conditional block and import related to Dell/Lenovo firmware. This streamlines the playbook, improving readability and reducing complexity without altering the core functionality. The changes focus on code organization and simplification.	2025-12-13 08:30:37 +01:00
Jose	30aafcbc6a	fix 🐛: Update user/password settings This commit updates the configuration file to include the correct user and password settings required for interactive mode functionality. Additionally, unused imports related to temporary task creation and user management have been removed, streamlining the codebase and improving maintainability.	2025-12-13 08:27:47 +01:00
Jose	0bd9f6bfa7	chore 📦: Remove unused task imports This commit removes the imports for 'unpriv-user.yml' and 'color-shell.yml' tasks. These tasks were identified as potentially unused and have been removed to streamline the project and reduce potential maintenance overhead. This change improves project cleanliness and reduces the risk of future conflicts.	2025-12-13 08:21:52 +01:00
Jose	326d47eb53	remove undefined: Drop tmp-nonexec import This commit removes the import of the `tmp-nonexec` tasks. The import was no longer needed and was simply a reference. This cleanup improves code readability and reduces unnecessary dependencies.	2025-12-13 08:17:42 +01:00
Jose	ba8baafa27	feat ✨: Add Italian locale This commit adds support for the Italian locale ('it_IT.UTF-8') to the locale generation task. This expands the application's localization capabilities to cater to Italian-speaking users. The update ensures proper localization for Italian content.	2025-12-13 08:15:21 +01:00