allow password generation in base setup

2025-04-26 13:20:30 -04:00 · 2025-04-26 13:20:30 -04:00 · 089ce9b396
commit 089ce9b396
parent 4b481577ad
3 changed files with 59 additions and 9 deletions
--- a/playbooks/setup_base_system.yml
+++ b/playbooks/setup_base_system.yml
@ -3,3 +3,18 @@
  become: yes
  roles:
    - base_setup
 - hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Display all generated passwords
      debug:
        msg: |
          Generated Passwords:
          {% for host in groups['all'] %}
          {% if hostvars[host]['generated_password'] is defined %}
          Host: {{ host }}
          Password: {{ hostvars[host]['generated_password'] }}
          {% endif %}
          {% endfor %}
--- a/roles/base_setup/defaults/main.yml
+++ b/roles/base_setup/defaults/main.yml
@ -1,5 +1,7 @@
 ---
 # defaults file for roles/base_setup
 base_username: user
-base_ssh_key: ""
+base_ssh_keyfile: /home/user/.ssh/id_rsa.pub
 base_timezone: "UTC"
 generate_user_password: no
--- a/roles/base_setup/tasks/main.yml
+++ b/roles/base_setup/tasks/main.yml
@ -24,17 +24,50 @@
      - gnupg
    state: present
- name: Create user
+- name: Create user with or without password
-  user:
+  block:
-    name: "{{ base_username }}"
+    - name: Generate random password
-    groups: sudo
+      command: openssl rand -base64 32
-    shell: /bin/bash
+      register: random_password
-    create_home: true
+      changed_when: false
      when: generate_user_password | bool
    - name: Set password fact
      set_fact:
        generated_password: "{{ random_password.stdout }}"
      when: generate_user_password | bool
    - name: Create user with password
      user:
        name: "{{ base_username }}"
        password: "{{ random_password.stdout | password_hash('sha512') }}"
        groups: sudo
        shell: /bin/bash
      when: generate_user_password | bool
    - name: Create user without password
      user:
        name: "{{ base_username }}"
        groups: sudo
        shell: /bin/bash
      when: not generate_user_password | bool
    - name: Display generated password
      debug:
        msg: "Generated password for {{ base_username }} on {{ inventory_hostname }}: {{ random_password.stdout }}"
      when: generate_user_password | bool
  always:
    - name: Ensure user is in sudo group
      user:
        name: "{{ base_username }}"
        groups: sudo
        append: yes
 - name: Set up authorized key for user
  authorized_key:
    user: "{{ base_username }}"
-    key: "{{ base_user_key }}"
+    key: "{{ lookup('file', base_ssh_keyfile) }}"
 - name: Set timezone
  timezone: