feat(bundle): initial commit

roles/users/defaults/main.yml

@@ -0,0 +1,37 @@
+---
+# User configuration defaults
+
+# Username to create (required - must be overridden)
+# user_name: "operator"
+
+# User shell
+user_shell: /bin/bash
+
+# Home directory (defaults to /home/{{ user_name }} if not set)
+# user_home: "/home/operator"
+
+# User UID (optional - let system assign if not set)
+# user_uid: 1000
+
+# Additional groups for the user (optional)
+# user_groups:
+#   - wheel
+#   - docker
+
+# Append to existing groups instead of replacing
+user_groups_append: true
+
+# User password (optional - if not set, password login disabled)
+# user_password: "changeme"
+
+# Sudo configuration
+user_sudo_enabled: true
+user_sudo_nopasswd: true
+
+# SSH public key (exactly one of these must be defined)
+# user_pubkey: "ssh-ed25519 AAAA..."
+# user_pubkey_file: "/path/to/key.pub"
+# user_pubkey_url: "https://github.com/username.keys"
+
+# Replace all existing authorized keys with just this one
+user_pubkey_exclusive: true

roles/users/meta/main.yml

@@ -0,0 +1,25 @@
+---
+galaxy_info:
+  author: "Jack"
+  description: "Creates and configures a user with SSH key authentication and optional sudo access"
+  license: "MIT"
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - bullseye
+        - bookworm
+    - name: Ubuntu
+      versions:
+        - focal
+        - jammy
+        - noble
+    - name: EL
+      versions:
+        - "8"
+        - "9"
+
+dependencies: []

roles/users/tasks/main.yml

@@ -0,0 +1,66 @@
+---
+- name: Validate pubkey configuration
+  ansible.builtin.fail:
+    msg: "Only one of pubkey, pubkey_file, or pubkey_url can be defined"
+  when: >
+    (user_pubkey is defined and (user_pubkey_file is defined or user_pubkey_url is defined)) or
+    (user_pubkey_file is defined and user_pubkey_url is defined)
+
+- name: Validate at least one pubkey source is defined
+  ansible.builtin.fail:
+    msg: "At least one of pubkey, pubkey_file, or pubkey_url must be defined"
+  when:
+    - user_pubkey is not defined
+    - user_pubkey_file is not defined
+    - user_pubkey_url is not defined
+
+- name: Create user account
+  ansible.builtin.user:
+    name: "{{ user_name }}"
+    state: present
+    shell: "{{ user_shell }}"
+    createhome: yes
+    home: "{{ user_home | default('/home/' + user_name) }}"
+    uid: "{{ user_uid | default(omit) }}"
+    groups: "{{ user_groups | default(omit) }}"
+    append: "{{ user_groups_append | default(true) }}"
+    password: "{{ user_password | password_hash('sha512') if user_password is defined else omit }}"
+    update_password: "{{ 'always' if user_password is defined else 'on_create' }}"
+  become: yes
+
+- name: Configure sudoers for user
+  ansible.builtin.lineinfile:
+    dest: /etc/sudoers.d/{{ user_name }}
+    line: "{{ user_name }} ALL=(ALL) {{ 'NOPASSWD: ' if user_sudo_nopasswd else '' }}ALL"
+    create: yes
+    mode: "0440"
+    validate: 'visudo -cf %s'
+  become: yes
+  when: user_sudo_enabled | bool
+
+- name: Add SSH public key (direct)
+  ansible.builtin.authorized_key:
+    user: "{{ user_name }}"
+    key: "{{ user_pubkey }}"
+    state: present
+    exclusive: "{{ user_pubkey_exclusive | bool }}"
+  become: yes
+  when: user_pubkey is defined
+
+- name: Add SSH public key (from file)
+  ansible.builtin.authorized_key:
+    user: "{{ user_name }}"
+    key: "{{ lookup('file', user_pubkey_file) }}"
+    state: present
+    exclusive: "{{ user_pubkey_exclusive | bool }}"
+  become: yes
+  when: user_pubkey_file is defined
+
+- name: Add SSH public key (from URL)
+  ansible.builtin.authorized_key:
+    user: "{{ user_name }}"
+    key: "{{ lookup('url', user_pubkey_url) }}"
+    state: present
+    exclusive: "{{ user_pubkey_exclusive | bool }}"
+  become: yes
+  when: user_pubkey_url is defined