Diffstat (limited to 'ansible')
-rw-r--r--ansible/group_vars/all/users.yml4
-rw-r--r--ansible/host_vars/mw/users.yml5
-rw-r--r--ansible/roles/lusers/defaults/main.yml1
-rw-r--r--ansible/roles/lusers/tasks/main.yml45
-rw-r--r--ansible/roles/superusers/tasks/adjust-group.yml21
-rw-r--r--ansible/roles/superusers/tasks/main.yml41
6 files changed, 93 insertions, 24 deletions
diff --git a/ansible/group_vars/all/users.yml b/ansible/group_vars/all/users.yml
index b81a274..23304ba 100644
--- a/ansible/group_vars/all/users.yml
+++ b/ansible/group_vars/all/users.yml
@@ -4,7 +4,3 @@ users:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPX+sVfRvl0+KxsDlbIutyB/Es3exTwNfDVHwi9orwz3 trygvis@birgitte
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAzB6JB/hZ87M6ozsd7lgKxgOacEOZZRxa4ucs11lqq trygvis@conflatorio
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+I9Xa11yaOzGCBkJQEYExYL7gSWYwdOGgT2KBMnKur trygvis@arius
-
-superusers:
- - username: trygvis
- state: present
diff --git a/ansible/host_vars/mw/users.yml b/ansible/host_vars/mw/users.yml
new file mode 100644
index 0000000..d0d4852
--- /dev/null
+++ b/ansible/host_vars/mw/users.yml
@@ -0,0 +1,5 @@
+lusers:
+ - trygvis
+
+superusers:
+ - trygvis
diff --git a/ansible/roles/lusers/defaults/main.yml b/ansible/roles/lusers/defaults/main.yml
new file mode 100644
index 0000000..61602c5
--- /dev/null
+++ b/ansible/roles/lusers/defaults/main.yml
@@ -0,0 +1 @@
+lusers_authorized_keys_exclusive: no
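Review bot: `no` is a YAML 1.1 truthy literal; Ansible reads it as a boolean, but yamllint and 1.2 parsers treat it differently, so write `lusers_authorized_keys_exclusive: false`. Since this default picks the permissive branch of the role (the `authorized_key` task merges the managed keys into whatever is already in the user's file and never removes keys added out of band), a comment above the line would make the trade-off visible, e.g. `# false: managed keys are merged into the existing file; true: Ansible overwrites it.`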
diff --git a/ansible/roles/lusers/tasks/main.yml b/ansible/roles/lusers/tasks/main.yml
new file mode 100644
index 0000000..cb10845
--- /dev/null
+++ b/ansible/roles/lusers/tasks/main.yml
@@ -0,0 +1,45 @@
+---
+- become: yes
+ tags: lusers
+ vars:
+ usernames: "{{ users|dict2items|map(attribute='key')|list }}"
+ block:
+ - name: adduser
+ with_items: "{{ lusers }}"
+ user:
+ name: "{{ item }}"
+ shell: /bin/bash
+
+ - name: getent passwd
+ getent:
+ database: passwd
+
+ - name: disable user
+ with_items: "{{ usernames }}"
+ when: (item not in lusers) and (item in getent_passwd)
+ user:
+ name: "{{ item }}"
+ shell: /usr/sbin/nologin
+
+ - name: mkdir ~/.ssh
+ when: lusers_authorized_keys_exclusive
+ with_items: "{{ lusers }}"
+ file:
+ path: "~{{ item }}/.ssh"
+ state: directory
+ owner: "{{ item }}"
+ mode: 0700
+
+ - name: authorized_keys, exclusively managed by Ansible
+ copy:
+ dest: "/home/{{ item }}/.ssh/authorized_keys"
+ content: "{{ users[item].authorized_keys }}"
+ when: lusers_authorized_keys_exclusive
+ with_items: "{{ lusers }}"
+
+ - name: authorized_keys, shared management with Ansible
+ authorized_key:
+ user: "{{ item }}"
+ key: "{{ users[item].authorized_keys }}"
+ with_items: "{{ lusers }}"
+ when: not lusers_authorized_keys_exclusive
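Review bot: The "disable user" task only swaps the shell to /usr/sbin/nologin; the account's password and its ~/.ssh/authorized_keys stay in place, so a user dropped from `lusers` can still authenticate over SSH (nologin refuses a session, but not, for instance, port forwarding). Adding `password_lock: true` (user module, Ansible 2.6+) to that `user:` call and a follow-up task that removes the authorized_keys file for the same accounts closes that gap; a suggestion is below. Separately, the exclusive-mode `copy` of authorized_keys sets neither `owner` nor `mode`, so the file is written root-owned with the default umask — add `owner: "{{ item }}"` and `mode: "0600"` there, and quote the directory mode as `mode: "0700"` so YAML does not hand it over as an integer.

```yaml
    - name: disable user
      with_items: "{{ usernames }}"
      when: (item not in lusers) and (item in getent_passwd)
      user:
        name: "{{ item }}"
        shell: /usr/sbin/nologin
        password_lock: true

    - name: remove authorized_keys of disabled users
      with_items: "{{ usernames }}"
      when: (item not in lusers) and (item in getent_passwd)
      file:
        path: "/home/{{ item }}/.ssh/authorized_keys"
        state: absent

    # … unchanged: mkdir ~/.ssh and both authorized_keys tasks …
```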
diff --git a/ansible/roles/superusers/tasks/adjust-group.yml b/ansible/roles/superusers/tasks/adjust-group.yml
new file mode 100644
index 0000000..32666ad
--- /dev/null
+++ b/ansible/roles/superusers/tasks/adjust-group.yml
@@ -0,0 +1,21 @@
+- vars:
+ members: "{{ getent_group[group][2].split(',') if group in getent_group else [] }}"
+ to_add: "{{ usernames | intersect(superusers) | difference(members) }}"
+ to_remove: "{{ members | difference(superusers) }}"
+ tags: superusers
+ block:
+ - debug: var=group
+ - debug: var=to_add
+ - debug: var=to_remove
+
+ - name: gpasswd --add
+ with_items: "{{ to_add }}"
+ when: (item|length) > 0
+ become: yes
+ shell: "gpasswd --add {{ item }} {{ group }}"
+
+ - name: gpasswd --delete
+ with_items: "{{ to_remove }}"
+ when: (item|length) > 0
+ become: yes
+ shell: "gpasswd --delete {{ item }} {{ group }}"
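Review bot: Both `gpasswd` tasks interpolate templated values into `shell:` although no shell feature is used, and for `to_remove` the `item` values come from the managed host's own `getent_group` output; `command:` with `argv` passes each value as a single argument instead, e.g. `command: {argv: ["gpasswd", "--add", "{{ item }}", "{{ group }}"]}` and the same with `--delete`. Note also that `to_remove` strips every current member of `sudo` and `systemd-journal` that is not listed in `superusers`, including accounts this playbook never created; a comment above `to_remove`, e.g. `# Membership is exclusive: any member not in superusers is removed.`, makes that intent explicit. The three `debug` tasks print on every run; `verbosity: 1` on them keeps normal output quiet.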
diff --git a/ansible/roles/superusers/tasks/main.yml b/ansible/roles/superusers/tasks/main.yml
index 3a1e974..70623a0 100644
--- a/ansible/roles/superusers/tasks/main.yml
+++ b/ansible/roles/superusers/tasks/main.yml
@@ -1,26 +1,27 @@
---
-- name: superuser accounts
- tags: superusers
- become: yes
- user:
- name: "{{ item.username }}"
- groups: sudo,systemd-journal
- shell: /bin/bash
- append: yes
- with_items:
- - "{{ superusers }}"
+- tags: superusers
+ block:
+ - name: getent passwd
+ getent:
+ database: passwd
-- name: superuser authorized_keys
- tags: superusers
- become: yes
- authorized_key:
- user: "{{ item.username }}"
- state: "{{ item.state }}"
- key: "{{ users[item.username].authorized_keys }}"
- with_items:
- - "{{ superusers }}"
+ - name: getent group
+ getent:
+ database: group
+
+# NOTE: Accounts are added by the luser module.
+- tags: superusers
+ vars:
+ usernames: "{{ users|dict2items|map(attribute='key')|list }}"
+ unix_groups:
+ - sudo
+ - systemd-journal
+ with_items: "{{ unix_groups }}"
+ loop_control:
+ loop_var: group
+ include_tasks: adjust-group.yml
-- name: Allow 'sudo' group to have passwordless sudo
+- name: "Allow 'sudo' group to have passwordless sudo"
tags: superusers
become: yes
lineinfile: