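---
# SSH Users Role - Default Variables
#
# Admin users to create. Each entry results in:
#   - a local user account (state: present / absent)
#   - membership in the listed groups (normally includes sudo)
#   - an SSH key pair generated on the control node when generate_keys: true
#   - the listed public keys configured as authorized keys
#   - the login shell set as given (/bin/bash in the examples)
#
# Example:
# admin_users:
#   - username: alice
#     comment: "Alice Admin"
#     groups: ["sudo", "adm"]
#     generate_keys: true  # Generate SSH key pair on control node
#     authorized_keys: []  # List of public keys to add
#     shell: /bin/bash
#     state: present
#
#   - username: bob
#     comment: "Bob Admin"
#     groups: ["sudo"]
#     generate_keys: false
#     authorized_keys:
#       - "ssh-ed25519 AAAAC3... bob@laptop"
#     shell: /bin/bash
#     state: present
admin_users: []

# SSH key generation settings
ssh_key_type: "ed25519"
ssh_key_bits: 4096  # Only used when ssh_key_type is rsa; ignored for ed25519
# NOTE(review): this is built from ansible_user, not from each entry's
# `username`, so every key generated for a host would carry the same comment
# unless the generation task overrides it per user. Confirm, otherwise key
# attribution in authorized_keys and audit logs is lost.
ssh_key_comment: "{{ ansible_user }}@{{ inventory_hostname }}"
# Directory on the control node that receives generated key pairs, including
# the PRIVATE keys. It resolves to a sibling of the playbook directory, so make
# sure that path is excluded from version control and readable only by the
# operator running the playbook (e.g. mode 0700).
ssh_keys_local_dir: "{{ playbook_dir }}/../ssh-keys"

# Sudo configuration
# sudo_nopasswd: true gives every admin user passwordless root. Together with
# key-only SSH this means a leaked private key (see ssh_keys_local_dir) is an
# unauthenticated root shell, and sudo_timeout is moot for those users.
# Keep it for automation accounts only; set it to false for human operators.
sudo_nopasswd: true  # Allow sudo without password (for automation)
sudo_timeout: 15  # Sudo credential cache lifetime in minutes (CIS recommends 15 or less)

# Root account restrictions
disable_root_login: true  # Disable root SSH login
# NOTE(review): with the usual password-lock semantics this blocks password
# su/console login as root but not `sudo -i` (sudo checks the caller's
# password, not root's); confirm what the locking task actually does.
lock_root_account: false  # Lock root account (prevents su/sudo to root)

# Password policies (CIS compliance). These govern local password ageing only;
# with key-based SSH and NOPASSWD sudo the password is rarely exercised, so
# they do not substitute for the key hygiene described above.
password_max_days: 365  # CIS: 365 or less
password_min_days: 1  # CIS: 1 or more
password_warn_age: 7  # CIS: 7 or more
password_inactive_days: 30  # Days after expiry before the account is disabled; CIS: 30 or less

# Default umask
default_umask: "027"  # More restrictive than the usual 022: group read-only, no access for others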