refactorized ssh user creation

roles/bastionhost/tasks/users.yml

@@ -1,7 +1,16 @@
 # Configure users for the bastion host
-- name: Manage bastion user accounts by including user-specific task files
-  include_tasks: "users/{{ item }}.yml"
+- name: users | rene | Ensure admin user is absent from bastion
+  include_tasks: users/rene.yml
+
+- name: users | Create and configure bastion users
+  include_tasks: users/_create_user_with_ssh.yml
   loop:
-    - rene
-    - lowpriv
-    - sshjumpuser
+    - name: lowpriv
+      comment: "Restricted user for interactive shell"
+      shell: /usr/bin/rbash
+
+    - name: sshjumpuser
+      comment: "SSH Jump User - no tty - no password"
+      shell: /bin/false
+  loop_control:
+    loop_var: user_item

roles/bastionhost/tasks/users/_create_user_with_ssh.yml

@@ -0,0 +1,33 @@
+---
+- name: "users | {{ user_item.name }} | add user to system"
+  user:
+    name: "{{ user_item.name }}"
+    comment: "{{ user_item.comment }}"
+    shell: "{{ user_item.shell }}"
+    state: present
+    create_home: true
+    generate_ssh_key: false
+    password_lock: true
+
+- name: "users | {{ user_item.name }} | getent user home directory"
+  getent:
+    database: passwd
+    key: "{{ user_item.name }}"
+    split: ":"
+  register: getent_passwd_user
+  changed_when: false
+
+- name: "users | {{ user_item.name }} | set home directory fact"
+  set_fact:
+    user_home: "{{ getent_passwd_user.ansible_facts.getent_passwd[user_item.name][4] }}"
+    user: "{{ user_item.name }}"
+
+- name: "users | {{ user_item.name }} | import ssh configuration tasks from base role"
+  include_role:
+    name: base
+    tasks_from: users/setup_ssh/install_public_keys.yml
+
+- name: "users | {{ user_item.name }} | import known_hosts task from base role"
+  include_role:
+    name: base
+    tasks_from: users/setup_ssh/install_known_hosts.yml