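---
# Bootstrap the "ansible" management account: key-only SSH access, passwordless
# sudo, a locked password, and optional per-user sudo / polkit rules.

- name: Deploy SSH keys
  ansible.posix.authorized_key:
    user: ansible
    key: "{{ item }}"
  # Fails if keys2deploy is undefined; there is no fallback access path.
  loop: "{{ keys2deploy }}"

- name: Allow sudo without password for ansible
  ansible.builtin.lineinfile:
    path: /etc/sudoers.d/95-lmn-ansible
    line: 'ansible ALL=(root) NOPASSWD: ALL'
    create: true
    owner: root
    group: root
    # NOTE(review): sudoers.d drop-ins are conventionally 0440; 0700 is
    # accepted by sudo (root-owned, not group/world writable) but sets an
    # exec bit on a plain config file.
    mode: '0700'
    # A syntax error in any sudoers.d drop-in breaks sudo for every user on
    # the host; validate the staged file before it is moved into place.
    validate: /usr/sbin/visudo -cf %s

- name: Disable ansible user login
  # Locks the password field only: key-based SSH login from the task above
  # still works, which is the intended access path for this account.
  ansible.builtin.user:
    name: ansible
    password_lock: true

- name: Limit SSH access to user ansible
  ansible.builtin.blockinfile:
    path: /etc/ssh/sshd_config.d/local.conf
    create: true
    mode: '0644'
    # Once sshd reloads, every account other than "ansible" is refused SSH
    # login and password authentication is off host-wide.
    block: |
      PasswordAuthentication no
      AllowUsers ansible
  notify: Reload sshd

- name: Deploy sudo configurations
  ansible.builtin.copy:
    dest: /etc/sudoers.d/90-lmn-security
    owner: root
    group: root
    mode: '0700'
    # "content" is rendered through Jinja by the copy module, so the loops
    # below expand into one "user ALL=(root) NOPASSWD: prog, prog" line per
    # entry of sudo_permissions.
    content: |
      {% for user, programs in sudo_permissions.items() %}
      {{ user }} ALL=(root) NOPASSWD: {% for program in programs %}{{ program }}{% if not loop.last %}, {% endif %}{% endfor %}
      {% endfor %}
    # Same safeguard as above: a malformed rendered file must never reach
    # /etc/sudoers.d.
    validate: /usr/sbin/visudo -cf %s
  when: sudo_permissions is defined

- name: Deploy polkit configurations
  ansible.builtin.template:
    src: polkit_rules.j2
    dest: /etc/polkit-1/rules.d/lmn-security.rules
    mode: '0644'
  notify: Restart polkit
  when: polkit_rules is defined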