From 07781d08d488db1532dcfb0d002b7d51f572d86e Mon Sep 17 00:00:00 2001
From: Rene Mewissen
Date: Wed, 1 Oct 2025 16:23:27 +0200
Subject: [PATCH] refactorized ssh user creation

---
 roles/bastionhost/tasks/users.yml | 19 ++++++++---
 .../tasks/users/_create_user_with_ssh.yml | 33 +++++++++++++++++++
 2 files changed, 47 insertions(+), 5 deletions(-)
 create mode 100644 roles/bastionhost/tasks/users/_create_user_with_ssh.yml

diff --git a/roles/bastionhost/tasks/users.yml b/roles/bastionhost/tasks/users.yml
index 43cea15..189ed31 100644
--- a/roles/bastionhost/tasks/users.yml
+++ b/roles/bastionhost/tasks/users.yml
@@ -1,7 +1,16 @@
 # Configure users for the bastion host
-- name: Manage bastion user accounts by including user-specific task files
- include_tasks: "users/{{ item }}.yml"
+- name: users | rene | Ensure admin user is absent from bastion
+ include_tasks: users/rene.yml
+
+- name: users | Create and configure bastion users
+ include_tasks: users/_create_user_with_ssh.yml
 loop:
- - rene
- - lowpriv
- - sshjumpuser
+ - name: lowpriv
+ comment: "Restricted user for interactive shell"
+ shell: /usr/bin/rbash
+
+ - name: sshjumpuser
+ comment: "SSH Jump User - no tty - no password"
+ shell: /bin/false
+ loop_control:
+ loop_var: user_item
diff --git a/roles/bastionhost/tasks/users/_create_user_with_ssh.yml b/roles/bastionhost/tasks/users/_create_user_with_ssh.yml
new file mode 100644
index 0000000..176dffa
--- /dev/null
+++ b/roles/bastionhost/tasks/users/_create_user_with_ssh.yml
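Review bot: The `comment:` strings on the new loop items promise more than this hunk enforces: `/bin/false` stops an interactive login for `sshjumpuser` but does not by itself deny a TTY or port forwarding, and `/usr/bin/rbash` for `lowpriv` is escapable by any unrestricted shell or editor reachable through PATH (`bash`, `vi`, `python`) unless PATH is pinned read-only and commands are forced. Nothing in this hunk adds a `Match User` block (`PermitTTY no`, `AllowAgentForwarding no`, `X11Forwarding no`) or a `ForceCommand`, so "no tty" is a label, not a control, as far as this file shows. If the role's sshd_config tasks do enforce it, a comment pointing there would help, e.g. `# Enforcement lives in the sshd_config Match User blocks; the login shell alone is not the boundary`. Otherwise treat the shell choice as a convenience and not as the security boundary between the two accounts.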
@@ -0,0 +1,33 @@
+---
+- name: "users | {{ user_item.name }} | add user to system"
+ user:
+ name: "{{ user_item.name }}"
+ comment: "{{ user_item.comment }}"
+ shell: "{{ user_item.shell }}"
+ state: present
+ create_home: true
+ generate_ssh_key: false
+ password_lock: true
+
+- name: "users | {{ user_item.name }} | getent user home directory"
+ getent:
+ database: passwd
+ key: "{{ user_item.name }}"
+ split: ":"
+ register: getent_passwd_user
+ changed_when: false
+
+- name: "users | {{ user_item.name }} | set home directory fact"
+ set_fact:
+ user_home: "{{ getent_passwd_user.ansible_facts.getent_passwd[user_item.name][4] }}"
+ user: "{{ user_item.name }}"
+
+- name: "users | {{ user_item.name }} | import ssh configuration tasks from base role"
+ include_role:
+ name: base
+ tasks_from: users/setup_ssh/install_public_keys.yml
+
+- name: "users | {{ user_item.name }} | import known_hosts task from base role"
+ include_role:
+ name: base
+ tasks_from: users/setup_ssh/install_known_hosts.yml
\ No newline at end of file
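Review bot: The `set_fact` task publishes `user` and `user_home` as host facts, so they outlive the loop iteration and the included base-role tasks — after the loop `user` is still `sshjumpuser` for every later task in the play, and a plain variable named `user` is easy to confuse with the module of the same name. Passing them as `vars:` on the two `include_role` tasks scopes them to the include, and since the `user` module returns the account's `home` (when `state: present`) the getent task and the `[4]` field index can go. Separately, nothing sets the mode of the home directories created with `create_home: true`; on distros where useradd's default yields 0755, `lowpriv` can read `sshjumpuser`'s home, including whatever `install_known_hosts.yml` places under it, so a `file` task forcing `mode: "0700"` is worth adding. The base-role task files are outside this diff, so confirm they read only `user`/`user_home` before dropping the facts; the file also lacks a trailing newline.

```yaml
- name: "users | {{ user_item.name }} | add user to system"
  user:
    # … unchanged: name/comment/shell/state/create_home/generate_ssh_key/password_lock …
  register: bastion_user

- name: "users | {{ user_item.name }} | keep home directory private to the owner"
  file:
    path: "{{ bastion_user.home }}"
    state: directory
    owner: "{{ user_item.name }}"
    mode: "0700"

- name: "users | {{ user_item.name }} | import ssh configuration tasks from base role"
  include_role:
    name: base
    tasks_from: users/setup_ssh/install_public_keys.yml
  vars:
    user: "{{ user_item.name }}"
    user_home: "{{ bastion_user.home }}"

# … unchanged: known_hosts include, with the same vars: block …
```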