diff --git a/group_vars/tcbsd_plcs/vars.yml b/group_vars/tcbsd_plcs/vars.yml
index 0466a5c..e18d2ab 100644
--- a/group_vars/tcbsd_plcs/vars.yml
+++ b/group_vars/tcbsd_plcs/vars.yml
@@ -16,6 +16,10 @@ use_psntp: true
 dynamic_ams: true
 # tc_ams_net_id: 0.0.0.0.1.1
 
+# Extra user for non-admin activities
+create_user: true
+create_username: ecs-user
+
 # set static IP on x000 (mac id 2)
 x000_set_static_ip: true
 x000_static_ip: 192.168.1.10
diff --git a/group_vars/tcbsd_vms/vars.yml b/group_vars/tcbsd_vms/vars.yml
index fac1531..615a33a 100644
--- a/group_vars/tcbsd_vms/vars.yml
+++ b/group_vars/tcbsd_vms/vars.yml
@@ -16,6 +16,10 @@ use_psntp: false
 # Static AMS net id = set AMS net id to the value of tc_ams_net_id
 dynamic_ams: false
 
+# Extra user for non-admin activities
+create_user: false
+# create_username:
+
 # set static IP on x000 (mac id 2)
 x000_set_static_ip: false
 x000_static_ip: 192.168.1.10
diff --git a/host_vars/plc-tmo-tmp-vac/vars.yml b/host_vars/plc-tmo-tmp-vac/vars.yml
index 2cc7220..4e02f71 100644
--- a/host_vars/plc-tmo-tmp-vac/vars.yml
+++ b/host_vars/plc-tmo-tmp-vac/vars.yml
@@ -19,6 +19,10 @@ ansible_host: plc-tmo-tmp-vac
 #dynamic_ams: true
 ## tc_ams_net_id: 0.0.0.0.1.1
 #
+## Extra user for non-admin activities
+#create_user: true
+#create_username: ecs-user
+#
 ## set static IP on x000 (mac id 2)
 #x000_set_static_ip: true
 #x000_static_ip: 192.168.1.10
diff --git a/host_vars/plc-tst-bsd1/vars.yml b/host_vars/plc-tst-bsd1/vars.yml
index 0a4bf35..02fe835 100644
--- a/host_vars/plc-tst-bsd1/vars.yml
+++ b/host_vars/plc-tst-bsd1/vars.yml
@@ -19,6 +19,10 @@ ansible_host: plc-tst-bsd1
 #dynamic_ams: true
 ## tc_ams_net_id: 0.0.0.0.1.1
 #
+## Extra user for non-admin activities
+#create_user: true
+#create_username: ecs-user
+#
 ## set static IP on x000 (mac id 2)
 #x000_set_static_ip: true
 #x000_static_ip: 192.168.1.10
diff --git a/host_vars/plc-tst-bsd2/vars.yml b/host_vars/plc-tst-bsd2/vars.yml
index edcae94..5952ba2 100644
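Review bot: The `tcbsd_vms` hunk leaves `# create_username:` commented out, so the variable is undefined for this group, while the playbook in this same diff templates `{{ create_username }}` unconditionally in the user task; unless a default is defined elsewhere, that task will fail with an undefined-variable error on every VM host even though `create_user: false` only asks for the account to be absent. Defining the name explicitly, e.g. `create_username: ecs-user`, keeps `state: absent` resolvable and makes the intent (this account must not exist on VMs) visible in the group vars. Alternatively the playbook task needs a `when: create_username is defined` guard.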
--- a/host_vars/plc-tst-bsd2/vars.yml
+++ b/host_vars/plc-tst-bsd2/vars.yml
@@ -19,6 +19,10 @@ ansible_host: plc-tst-bsd2
 #dynamic_ams: true
 ## tc_ams_net_id: 0.0.0.0.1.1
 #
+## Extra user for non-admin activities
+#create_user: true
+#create_username: ecs-user
+#
 ## set static IP on x000 (mac id 2)
 #x000_set_static_ip: true
 #x000_static_ip: 192.168.1.10
diff --git a/tcbsd-provision-playbook.yaml b/tcbsd-provision-playbook.yaml
index 8e92b6d..b206c5c 100644
--- a/tcbsd-provision-playbook.yaml
+++ b/tcbsd-provision-playbook.yaml
@@ -340,3 +340,32 @@
 when: static_ip_x001_set.changed or dhcp_x001_set.changed
 ansible.builtin.wait_for_connection:
 delay: 2
+
+ # Useful for apps that need PLC access but not Admin-level config change access
+ # We need to manually set the password ourselves later via "doas passwd username"
+ - name: Create or Remove non-admin User
+ ansible.builtin.user:
+ name: "{{ create_username }}"
+ state: "{{ create_user | ternary('present', 'absent') }}"
+ shell: /usr/local/bin/bash'
+
+ # By default, only pubkey and keyboard interactive are enabled
+ # Password access is useful for apps like pmpsdb_client
+ - name: Configure sshd for password access
+ register: sshd_configure
+ ansible.builtin.lineinfile:
+ path: /etc/ssh/sshd_config
+ line: "PasswordAuthentication yes"
+ insertafter: "^#PasswordAuthentication"
+
+ - name: Reload sshd
+ when: sshd_configure.changed
+ ansible.builtin.service:
+ name: sshd
+ enabled: yes
+ state: reloaded
+
+ - name: Verify ssh still works
+ when: sshd_configure.changed
+ ansible.builtin.wait_for_connection:
+ delay: 2
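Review bot: The `shell:` line of the new user task carries a stray trailing quote — `shell: /usr/local/bin/bash'` is a plain scalar, so the account is created with the literal login shell `/usr/local/bin/bash'`, which does not exist; it should read `shell: /usr/local/bin/bash`. The sshd task that follows turns on `PasswordAuthentication yes` for every account on every host the play reaches, including hosts where `create_user` is false, which exposes the admin account to password guessing rather than just the application user; it should be tied to `create_user` and scoped to that one account with a `Match User` block, appended at the end of the file where sshd requires `Match` sections to live. As written, `lineinfile` has no `regexp`, so an existing uncommented `PasswordAuthentication no` would be left in place and, because sshd uses the first value it sees for a keyword, the appended line may silently have no effect. The `Reload sshd` and `Verify ssh still works` tasks can stay as they are since a skipped or unchanged configure task leaves `sshd_configure.changed` false.

```yaml
  - name: Create or Remove non-admin User
    when: create_username is defined
    ansible.builtin.user:
      name: "{{ create_username }}"
      state: "{{ create_user | ternary('present', 'absent') }}"
      shell: /usr/local/bin/bash

  # Password auth only for the non-admin account, never server-wide; the block is
  # removed again when create_user is false. sshd requires Match sections at the
  # end of sshd_config, which is where blockinfile appends by default.
  - name: Configure sshd for password access
    when: create_username is defined
    register: sshd_configure
    ansible.builtin.blockinfile:
      path: /etc/ssh/sshd_config
      state: "{{ create_user | ternary('present', 'absent') }}"
      marker: "# {mark} ANSIBLE MANAGED: password auth for {{ create_username }}"
      block: |
        Match User {{ create_username }}
            PasswordAuthentication yes

  # … unchanged: Reload sshd and Verify ssh still works tasks …
```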