railiance-infra/ansible/roles/custodian_agent/tasks/main.yml

---
# custodian_agent role — injects the Custodian automation SSH identity
#
# What it does:
#   - Ensures the target user (custodian_agent_user) exists
#   - Adds custodian_agent_pubkey to that user's authorized_keys
#   - Restricts the key: no X11, no port-forward, no pty for non-interactive use
#
# Variables (set in group_vars/all.yaml or pass via --extra-vars):
#   custodian_agent_user:   user account the key is added to (default: tegwick)
#   custodian_agent_pubkey: the public key string (required, set in all.yaml)
#
# The private key lives on the workstation at ~/.ssh/id_custodian_agent.
# It is NEVER committed to any repository.

- name: Ensure target user exists
  tags: [custodian_agent]
  ansible.builtin.user:
    name: "{{ custodian_agent_user | default('tegwick') }}"
    state: present
    shell: /bin/bash
    create_home: true

- name: Ensure .ssh directory exists for target user
  tags: [custodian_agent]
  ansible.builtin.file:
    path: "/home/{{ custodian_agent_user | default('tegwick') }}/.ssh"
    state: directory
    owner: "{{ custodian_agent_user | default('tegwick') }}"
    group: "{{ custodian_agent_user | default('tegwick') }}"
    mode: '0700'

- name: Add custodian agent public key to authorized_keys
  tags: [custodian_agent]
  ansible.posix.authorized_key:
    user: "{{ custodian_agent_user | default('tegwick') }}"
    key: "{{ custodian_agent_pubkey }}"
    key_options: "no-X11-forwarding,no-agent-forwarding"
    comment: "custodian-agent@{{ inventory_hostname }}"
    state: present
  when: custodian_agent_pubkey is defined and custodian_agent_pubkey | length > 0

- name: Warn if custodian_agent_pubkey is not set
  tags: [custodian_agent]
  ansible.builtin.debug:
    msg: "WARNING: custodian_agent_pubkey is not set — skipping authorized_keys injection"
  when: custodian_agent_pubkey is not defined or custodian_agent_pubkey | length == 0