diff options
Diffstat (limited to 'ansible')
-rw-r--r-- | ansible/group_vars/all/users.yml | 4 | ||||
-rw-r--r-- | ansible/host_vars/mw/users.yml | 5 | ||||
-rw-r--r-- | ansible/roles/lusers/defaults/main.yml | 1 | ||||
-rw-r--r-- | ansible/roles/lusers/tasks/main.yml | 45 | ||||
-rw-r--r-- | ansible/roles/superusers/tasks/adjust-group.yml | 21 | ||||
-rw-r--r-- | ansible/roles/superusers/tasks/main.yml | 41 |
6 files changed, 93 insertions, 24 deletions
diff --git a/ansible/group_vars/all/users.yml b/ansible/group_vars/all/users.yml index b81a274..23304ba 100644 --- a/ansible/group_vars/all/users.yml +++ b/ansible/group_vars/all/users.yml @@ -4,7 +4,3 @@ users: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPX+sVfRvl0+KxsDlbIutyB/Es3exTwNfDVHwi9orwz3 trygvis@birgitte ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAzB6JB/hZ87M6ozsd7lgKxgOacEOZZRxa4ucs11lqq trygvis@conflatorio ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+I9Xa11yaOzGCBkJQEYExYL7gSWYwdOGgT2KBMnKur trygvis@arius - -superusers: - - username: trygvis - state: present diff --git a/ansible/host_vars/mw/users.yml b/ansible/host_vars/mw/users.yml new file mode 100644 index 0000000..d0d4852 --- /dev/null +++ b/ansible/host_vars/mw/users.yml @@ -0,0 +1,5 @@ +lusers: + - trygvis + +superusers: + - trygvis diff --git a/ansible/roles/lusers/defaults/main.yml b/ansible/roles/lusers/defaults/main.yml new file mode 100644 index 0000000..61602c5 --- /dev/null +++ b/ansible/roles/lusers/defaults/main.yml @@ -0,0 +1 @@ +lusers_authorized_keys_exclusive: no diff --git a/ansible/roles/lusers/tasks/main.yml b/ansible/roles/lusers/tasks/main.yml new file mode 100644 index 0000000..cb10845 --- /dev/null +++ b/ansible/roles/lusers/tasks/main.yml @@ -0,0 +1,45 @@ +--- +- become: yes + tags: lusers + vars: + usernames: "{{ users|dict2items|map(attribute='key')|list }}" + block: + - name: adduser + with_items: "{{ lusers }}" + user: + name: "{{ item }}" + shell: /bin/bash + + - name: getent passwd + getent: + database: passwd + + - name: disable user + with_items: "{{ usernames }}" + when: (item not in lusers) and (item in getent_passwd) + user: + name: "{{ item }}" + shell: /usr/sbin/nologin + + - name: mkdir ~/.ssh + when: lusers_authorized_keys_exclusive + with_items: "{{ lusers }}" + file: + path: "~{{ item }}/.ssh" + state: directory + owner: "{{ item }}" + mode: 0700 + + - name: authorized_keys, exclusively managed by Ansible + copy: + dest: "/home/{{ item }}/.ssh/authorized_keys" + content: "{{ users[item].authorized_keys }}" + when: lusers_authorized_keys_exclusive + with_items: "{{ lusers }}" + + - name: authorized_keys, shared management with Ansible + authorized_key: + user: "{{ item }}" + key: "{{ users[item].authorized_keys }}" + with_items: "{{ lusers }}" + when: not lusers_authorized_keys_exclusive diff --git a/ansible/roles/superusers/tasks/adjust-group.yml b/ansible/roles/superusers/tasks/adjust-group.yml new file mode 100644 index 0000000..32666ad --- /dev/null +++ b/ansible/roles/superusers/tasks/adjust-group.yml @@ -0,0 +1,21 @@ +- vars: + members: "{{ getent_group[group][2].split(',') if group in getent_group else [] }}" + to_add: "{{ usernames | intersect(superusers) | difference(members) }}" + to_remove: "{{ members | difference(superusers) }}" + tags: superusers + block: + - debug: var=group + - debug: var=to_add + - debug: var=to_remove + + - name: gpasswd --add + with_items: "{{ to_add }}" + when: (item|length) > 0 + become: yes + shell: "gpasswd --add {{ item }} {{ group }}" + + - name: gpasswd --delete + with_items: "{{ to_remove }}" + when: (item|length) > 0 + become: yes + shell: "gpasswd --delete {{ item }} {{ group }}" diff --git a/ansible/roles/superusers/tasks/main.yml b/ansible/roles/superusers/tasks/main.yml index 3a1e974..70623a0 100644 --- a/ansible/roles/superusers/tasks/main.yml +++ b/ansible/roles/superusers/tasks/main.yml @@ -1,26 +1,27 @@ --- -- name: superuser accounts - tags: superusers - become: yes - user: - name: "{{ item.username }}" - groups: sudo,systemd-journal - shell: /bin/bash - append: yes - with_items: - - "{{ superusers }}" +- tags: superusers + block: + - name: getent passwd + getent: + database: passwd -- name: superuser authorized_keys - tags: superusers - become: yes - authorized_key: - user: "{{ item.username }}" - state: "{{ item.state }}" - key: "{{ users[item.username].authorized_keys }}" - with_items: - - "{{ superusers }}" + - name: getent group + getent: + database: group + +# NOTE: Accounts are added by the luser module. +- tags: superusers + vars: + usernames: "{{ users|dict2items|map(attribute='key')|list }}" + unix_groups: + - sudo + - systemd-journal + with_items: "{{ unix_groups }}" + loop_control: + loop_var: group + include_tasks: adjust-group.yml -- name: Allow 'sudo' group to have passwordless sudo +- name: "Allow 'sudo' group to have passwordless sudo" tags: superusers become: yes lineinfile: |