init

tasks/main.yml

@@ -0,0 +1,18 @@
+---
+- name: Ensure mandatory variables are configured
+  assert:
+    that: "{{ item }} is defined"
+    fail_msg: "You must define the '{{ item }}' variable"
+  with_items:
+    - members
+
+- name: Include resource variables
+  include_vars: "{{ members }}"
+  tags:
+    # Note(d1): we already load in converge.yml so skip here
+    - molecule-notest
+
+# Note(d1): Done in this way because https://stackoverflow.com/a/39041069
+- name: Include user addition tasks
+  include: users.yml user={{ item }}
+  with_items: "{{ members }}"

tasks/users.yml

@@ -0,0 +1,60 @@
+---
+- name: "Create new user account"
+  block:
+    - name: Show which user account is being handled
+      debug:
+        msg: "Attempting to create account for {{ user.username }}..."
+
+    - name: Check if the user accounts already exists
+      getent:
+        database: passwd
+        key: "{{ user.username }}"
+      register: user_exists
+      ignore_errors: true
+
+    - name: Prepare password store entry
+      become: false
+      delegate_to: localhost
+      command: "pass init -p users/{{ user.username }}/sudo/ {{ item.email }}"
+      when: user_exists is failed
+      tags:
+        - molecule-notest
+
+    - name: Create a new user account with a new password
+      user:
+        name: "{{ user.username }}"
+        uid: "{{ user.uid }}"
+        shell: /bin/bash
+        password: "{{ lookup('passwordstore', 'users/{{ user.username }}/sudo/{{ inventory_hostname }} create=true length={{ pass_length }}') | password_hash('sha512') }}"
+        groups: "{{ user_groups }}"
+        append: true
+        update_password: always
+      when: user_exists is failed
+      tags:
+        - molecule-notest
+
+    - name: Make sure the user's .ssh directory exists
+      file:
+        path: "/home/{{ user.username }}/.ssh"
+        state: directory
+        owner: "{{ user.username }}"
+        group: "{{ user.username }}"
+        mode: "0700"
+
+    - name: Add new member's SSH key to authorized_keys file
+      blockinfile:
+        path: "/home/{{ user.username }}/.ssh/authorized_keys"
+        block: "{{ user.ssh_key }}"
+        state: present
+        create: true
+        mode: "0600"
+        owner: "{{ user.username }}"
+        group: "{{ user.username }}"
+
+    - name: "Add username to the SSH AllowUsers configuration"
+      replace:
+        backup: true
+        dest: /etc/ssh/sshd_config
+        regexp: '^(AllowUsers(?!.*\b{{ user.username }}\b).*)$'
+        replace: '\1 {{ user.username }}'
+      notify: Restart SSH