Ansible User Account Provisioning

Whenever I stand up a new Linux machine, I always find myself doing the same four things:

  1.  Creating my main user account
  2.  Creating an ansible user account
  3.  Configuring sudoers
  4.  Copying over SSH Public Keys.

Definitely not something that evokes fun. I have tried various automation tools, but Ansible has earned a special place in my toolkit.

For readers not familiar with Ansible, it is a powerful, agentless automation tool: it pushes configuration over plain SSH, so the managed hosts need nothing installed beyond Python and an account it can log in to. There is a great primer here. This blog post is not a deep dive or an introductory Ansible tutorial; I am only demonstrating how I initially provision the systems in my HomeLab (on-prem) and in the cloud.

Step 1:

Create a Virtual Machine (VM) or provision a Virtual Private Server (VPS) with remote SSH access.

Step 2:

Add the new host(s) to the inventory file on the control node. The `[new_system]` group is the one the playbook targets; the other groups are hosts that have already been provisioned:

[fakelabs]
basil.fakelabs.io
bacon.fakelabs.io
node6.fakelabs.io

[cloud]
web.fakelabs.org
waf.fakelabs.org
dev.fakelabs.org

[new_system]
elmo.fakelabs.org

Step 3:

Now we just run the playbook and it provisions the new host(s) with the ansible user account, its group memberships, its SSH public key and a sudoers drop-in:

user@box(ansible):$ ansible-playbook user-prov-playbook.yml

There are some caveats to the above. The playbook has to reach the host as an account that already exists there. If SSH login for root is enabled (the usual state of a freshly provisioned VPS), pass the following parameters:

--extra-vars 'ansible_user=root' -k

If instead you are connecting as an admin user with sudo privileges, as on existing systems, pass these parameters:

--extra-vars 'ansible_user=admin_user_name' -k -K

The -k option tells Ansible to prompt for the SSH login password. If you authenticate with public keys, omit it.
The -K option prompts for the privilege-escalation (sudo) password, which you only need when connecting as a non-root user. Once the playbook has run, later runs can connect as the new ansible user with its key and need neither flag.

The contents of the playbook are below:

# user-prov-playbook.yml
---
- hosts:
    - new_system
  become: yes            # every task runs as root (via sudo unless we connected as root)
  tasks:

    - name: create user group
      group:
        name: "{{ username }}"
        state: present

    - name: create user "{{ username }}"
      user:
        name: "{{ username }}"
        comment: Automation
        group: "{{ username }}"        # primary group, created above
        state: present
        groups:                        # supplementary groups
          - "{{ userGroup }}"
          - "{{ sudoGroup }}"

    - name: set authorized key
      authorized_key:
        user: "{{ username }}"
        # public half only; the private key never leaves the control node
        key: "{{ lookup('file', './ssh/ansible.id_rsa.pub') }}"
        comment: 'ansible automation'
        state: present

    - name: deploy sudoers.d file
      template:
        src: sudoers.j2
        dest: /etc/sudoers.d/{{ username }}
        # visudo -cf checks the rendered file before it is moved into place,
        # so a syntax error in the template cannot break sudo on the host
        validate: 'visudo -cf %s'
        # quoted so YAML does not parse the octal literal as an integer
        mode: '0440'

  vars:
    username: naruto
    sudoer: "{{ username }}"       # referenced by sudoers.j2
    userGroup: "{{ username }}"
    # Debian-family distros (Debian, Ubuntu) use the sudo group; RHEL-family use wheel
    sudoGroup: "{{ 'sudo' if ansible_os_family == 'Debian' else 'wheel' }}"
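The post does not show `sudoers.j2`, nor does it check the end state. The playbook below is an added example, not part of the original post: it connects as the freshly created account using the key the playbook installed, and fails if any of the four things the post sets up is missing. It assumes the template rendered a single line of the form `{{ sudoer }} ALL=(ALL) NOPASSWD: ALL` (so `sudo -n` succeeds without a password), that the matching private key is at `./ssh/ansible.id_rsa` on the control node, and that the username is `naruto` as in the post.

```yaml
# verify-ansible-user.yml  (added example; assumptions noted inline)
---
- hosts:
    - new_system
  # Log in as the account the provisioning playbook created, with its key.
  remote_user: naruto
  vars:
    # assumed path of the private half of ./ssh/ansible.id_rsa.pub
    ansible_ssh_private_key_file: ./ssh/ansible.id_rsa
  gather_facts: no
  tasks:

    - name: confirm we logged in as the automation user
      command: id -un
      register: whoami
      changed_when: false
      failed_when: whoami.stdout != 'naruto'

    - name: confirm membership of the distro's admin group (sudo or wheel)
      command: id -Gn
      register: my_groups
      changed_when: false
      failed_when: >-
        'sudo' not in my_groups.stdout.split()
        and 'wheel' not in my_groups.stdout.split()

    - name: confirm passwordless sudo works (-n fails instead of prompting)
      command: sudo -n true
      changed_when: false

    - name: confirm the sudoers drop-in still passes visudo
      command: visudo -cf /etc/sudoers.d/naruto
      become: yes
      changed_when: false

    - name: confirm the drop-in is root-owned and 0440
      stat:
        path: /etc/sudoers.d/naruto
      become: yes
      register: dropin
      failed_when: >-
        not dropin.stat.exists
        or dropin.stat.pw_name != 'root'
        or dropin.stat.mode != '0440'
```

Run it with plain `ansible-playbook verify-ansible-user.yml`, no `-k` or `-K`: if the run needs either flag, the key or the sudoers drop-in was not installed as intended. If you prefer the automation account to require a password for sudo (drop `NOPASSWD:` from the template), the `sudo -n true` task is the one that will fail, and every later playbook run against that host will need `-K`.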

That is all there is to it. Thanks for reading.
