diff options
author | Trygve Laugstøl <trygvis@inamo.no> | 2018-11-05 23:18:06 +0100 |
---|---|---|
committer | Trygve Laugstøl <trygvis@inamo.no> | 2018-11-05 23:18:06 +0100 |
commit | b5b7e21c8ba3c68eab9cd244602f27c21aa5f36b (patch) | |
tree | 8c0f0d802773664e9d01ebf7ae6fb066b6f5fd93 /ansible/roles | |
parent | 85b3d2a16b5cfbb499a4ebcb88967dcdc334cf21 (diff) | |
download | infra-b5b7e21c8ba3c68eab9cd244602f27c21aa5f36b.tar.gz infra-b5b7e21c8ba3c68eab9cd244602f27c21aa5f36b.tar.bz2 infra-b5b7e21c8ba3c68eab9cd244602f27c21aa5f36b.tar.xz infra-b5b7e21c8ba3c68eab9cd244602f27c21aa5f36b.zip |
Importing Bitraf's lusers, updating superusers.
Diffstat (limited to 'ansible/roles')
-rw-r--r-- | ansible/roles/lusers/defaults/main.yml | 1 | ||||
-rw-r--r-- | ansible/roles/lusers/tasks/main.yml | 45 | ||||
-rw-r--r-- | ansible/roles/superusers/tasks/adjust-group.yml | 21 | ||||
-rw-r--r-- | ansible/roles/superusers/tasks/main.yml | 41 |
4 files changed, 88 insertions, 20 deletions
diff --git a/ansible/roles/lusers/defaults/main.yml b/ansible/roles/lusers/defaults/main.yml new file mode 100644 index 0000000..61602c5 --- /dev/null +++ b/ansible/roles/lusers/defaults/main.yml @@ -0,0 +1 @@ +lusers_authorized_keys_exclusive: no diff --git a/ansible/roles/lusers/tasks/main.yml b/ansible/roles/lusers/tasks/main.yml new file mode 100644 index 0000000..cb10845 --- /dev/null +++ b/ansible/roles/lusers/tasks/main.yml @@ -0,0 +1,45 @@ +--- +- become: yes + tags: lusers + vars: + usernames: "{{ users|dict2items|map(attribute='key')|list }}" + block: + - name: adduser + with_items: "{{ lusers }}" + user: + name: "{{ item }}" + shell: /bin/bash + + - name: getent passwd + getent: + database: passwd + + - name: disable user + with_items: "{{ usernames }}" + when: (item not in lusers) and (item in getent_passwd) + user: + name: "{{ item }}" + shell: /usr/sbin/nologin + + - name: mkdir ~/.ssh + when: lusers_authorized_keys_exclusive + with_items: "{{ lusers }}" + file: + path: "~{{ item }}/.ssh" + state: directory + owner: "{{ item }}" + mode: 0700 + + - name: authorized_keys, exclusively managed by Ansible + copy: + dest: "/home/{{ item }}/.ssh/authorized_keys" + content: "{{ users[item].authorized_keys }}" + when: lusers_authorized_keys_exclusive + with_items: "{{ lusers }}" + + - name: authorized_keys, shared management with Ansible + authorized_key: + user: "{{ item }}" + key: "{{ users[item].authorized_keys }}" + with_items: "{{ lusers }}" + when: not lusers_authorized_keys_exclusive diff --git a/ansible/roles/superusers/tasks/adjust-group.yml b/ansible/roles/superusers/tasks/adjust-group.yml new file mode 100644 index 0000000..32666ad --- /dev/null +++ b/ansible/roles/superusers/tasks/adjust-group.yml @@ -0,0 +1,21 @@ +- vars: + members: "{{ getent_group[group][2].split(',') if group in getent_group else [] }}" + to_add: "{{ usernames | intersect(superusers) | difference(members) }}" + to_remove: "{{ members | difference(superusers) }}" + tags: superusers + block: + - debug: var=group + - debug: var=to_add + - debug: var=to_remove + + - name: gpasswd --add + with_items: "{{ to_add }}" + when: (item|length) > 0 + become: yes + shell: "gpasswd --add {{ item }} {{ group }}" + + - name: gpasswd --delete + with_items: "{{ to_remove }}" + when: (item|length) > 0 + become: yes + shell: "gpasswd --delete {{ item }} {{ group }}" diff --git a/ansible/roles/superusers/tasks/main.yml b/ansible/roles/superusers/tasks/main.yml index 3a1e974..70623a0 100644 --- a/ansible/roles/superusers/tasks/main.yml +++ b/ansible/roles/superusers/tasks/main.yml @@ -1,26 +1,27 @@ --- -- name: superuser accounts - tags: superusers - become: yes - user: - name: "{{ item.username }}" - groups: sudo,systemd-journal - shell: /bin/bash - append: yes - with_items: - - "{{ superusers }}" +- tags: superusers + block: + - name: getent passwd + getent: + database: passwd -- name: superuser authorized_keys - tags: superusers - become: yes - authorized_key: - user: "{{ item.username }}" - state: "{{ item.state }}" - key: "{{ users[item.username].authorized_keys }}" - with_items: - - "{{ superusers }}" + - name: getent group + getent: + database: group + +# NOTE: Accounts are added by the luser module. +- tags: superusers + vars: + usernames: "{{ users|dict2items|map(attribute='key')|list }}" + unix_groups: + - sudo + - systemd-journal + with_items: "{{ unix_groups }}" + loop_control: + loop_var: group + include_tasks: adjust-group.yml -- name: Allow 'sudo' group to have passwordless sudo +- name: "Allow 'sudo' group to have passwordless sudo" tags: superusers become: yes lineinfile: |