From b5b7e21c8ba3c68eab9cd244602f27c21aa5f36b Mon Sep 17 00:00:00 2001 From: Trygve Laugstøl Date: Mon, 5 Nov 2018 23:18:06 +0100 Subject: Importing Bitraf's lusers, updating superusers. --- ansible/roles/lusers/defaults/main.yml | 1 + ansible/roles/lusers/tasks/main.yml | 45 +++++++++++++++++++++++++ ansible/roles/superusers/tasks/adjust-group.yml | 21 ++++++++++++ ansible/roles/superusers/tasks/main.yml | 41 +++++++++++----------- 4 files changed, 88 insertions(+), 20 deletions(-) create mode 100644 ansible/roles/lusers/defaults/main.yml create mode 100644 ansible/roles/lusers/tasks/main.yml create mode 100644 ansible/roles/superusers/tasks/adjust-group.yml (limited to 'ansible/roles') diff --git a/ansible/roles/lusers/defaults/main.yml b/ansible/roles/lusers/defaults/main.yml new file mode 100644 index 0000000..61602c5 --- /dev/null +++ b/ansible/roles/lusers/defaults/main.yml @@ -0,0 +1 @@ +lusers_authorized_keys_exclusive: no diff --git a/ansible/roles/lusers/tasks/main.yml b/ansible/roles/lusers/tasks/main.yml new file mode 100644 index 0000000..cb10845 --- /dev/null +++ b/ansible/roles/lusers/tasks/main.yml @@ -0,0 +1,45 @@ +--- +- become: yes + tags: lusers + vars: + usernames: "{{ users|dict2items|map(attribute='key')|list }}" + block: + - name: adduser + with_items: "{{ lusers }}" + user: + name: "{{ item }}" + shell: /bin/bash + + - name: getent passwd + getent: + database: passwd + + - name: disable user + with_items: "{{ usernames }}" + when: (item not in lusers) and (item in getent_passwd) + user: + name: "{{ item }}" + shell: /usr/sbin/nologin + + - name: mkdir ~/.ssh + when: lusers_authorized_keys_exclusive + with_items: "{{ lusers }}" + file: + path: "~{{ item }}/.ssh" + state: directory + owner: "{{ item }}" + mode: 0700 + + - name: authorized_keys, exclusively managed by Ansible + copy: + dest: "/home/{{ item }}/.ssh/authorized_keys" + content: "{{ users[item].authorized_keys }}" + when: lusers_authorized_keys_exclusive + with_items: "{{ lusers }}" + + - name: authorized_keys, shared management with Ansible + authorized_key: + user: "{{ item }}" + key: "{{ users[item].authorized_keys }}" + with_items: "{{ lusers }}" + when: not lusers_authorized_keys_exclusive diff --git a/ansible/roles/superusers/tasks/adjust-group.yml b/ansible/roles/superusers/tasks/adjust-group.yml new file mode 100644 index 0000000..32666ad --- /dev/null +++ b/ansible/roles/superusers/tasks/adjust-group.yml @@ -0,0 +1,21 @@ +- vars: + members: "{{ getent_group[group][2].split(',') if group in getent_group else [] }}" + to_add: "{{ usernames | intersect(superusers) | difference(members) }}" + to_remove: "{{ members | difference(superusers) }}" + tags: superusers + block: + - debug: var=group + - debug: var=to_add + - debug: var=to_remove + + - name: gpasswd --add + with_items: "{{ to_add }}" + when: (item|length) > 0 + become: yes + shell: "gpasswd --add {{ item }} {{ group }}" + + - name: gpasswd --delete + with_items: "{{ to_remove }}" + when: (item|length) > 0 + become: yes + shell: "gpasswd --delete {{ item }} {{ group }}" diff --git a/ansible/roles/superusers/tasks/main.yml b/ansible/roles/superusers/tasks/main.yml index 3a1e974..70623a0 100644 --- a/ansible/roles/superusers/tasks/main.yml +++ b/ansible/roles/superusers/tasks/main.yml @@ -1,26 +1,27 @@ --- -- name: superuser accounts - tags: superusers - become: yes - user: - name: "{{ item.username }}" - groups: sudo,systemd-journal - shell: /bin/bash - append: yes - with_items: - - "{{ superusers }}" +- tags: superusers + block: + - name: getent passwd + getent: + database: passwd -- name: superuser authorized_keys - tags: superusers - become: yes - authorized_key: - user: "{{ item.username }}" - state: "{{ item.state }}" - key: "{{ users[item.username].authorized_keys }}" - with_items: - - "{{ superusers }}" + - name: getent group + getent: + database: group + +# NOTE: Accounts are added by the luser module. +- tags: superusers + vars: + usernames: "{{ users|dict2items|map(attribute='key')|list }}" + unix_groups: + - sudo + - systemd-journal + with_items: "{{ unix_groups }}" + loop_control: + loop_var: group + include_tasks: adjust-group.yml -- name: Allow 'sudo' group to have passwordless sudo +- name: "Allow 'sudo' group to have passwordless sudo" tags: superusers become: yes lineinfile: -- cgit v1.2.3