ben
/
infra
1
1
Fork 2
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity
infra/roles/common-users/tasks/users.yml

361 lines
8.7 KiB
YAML
Raw Permalink Blame History

---
- name: set groups
block:
- set_fact:
human_users: "{{ default_users + extra_users }}"
- name: list human users
debug:
var: human_users
- name: sanity checks
fail:
msg: "{{ item }} is missing"
loop_control:
label: "{{ item }}"
with_items: ["{{ myusername }}"]
when: item not in human_users
tags:
- systemusers
- humanusers
- human
- users
- sshkeys
- name: add .ssh dir to /etc/skel
file:
state: directory
path: /etc/skel/.ssh
mode: 0700
owner: root
group: root
tags:
- skel
- name: set root shell to bash
user:
name: root
shell: /bin/bash
tags:
- rootbash
- name: set authorized_keys for root
template:
src: "private/sshkeys/root.authorized_keys"
dest: "~/.ssh/authorized_keys"
owner: root
group: root
mode: 0600
tags:
- sshkeys
- name: remove stupid default users
user:
name: "{{ item }}"
state: absent
force: true
with_items:
- pi
- ec2user
- ubuntu
- opc
- doe
- ted
tags:
- defaultusers
- remove-users
- name: remove lingering /home dirs for stupid default users
file:
state: absent
path: "/home/{{ item }}"
with_items:
- pi
- ec2user
- ubuntu
- opc
- doe
- ted
tags:
- defaultusers
- remove-users
- name: create user groups
group:
name: "{{ userlist[item]['username'] }}"
gid: "{{ userlist[item]['gid'] | default(userlist[item]['uid']) }}"
with_items: "{{ human_users }}"
tags: human
- name: create common groups without GID
group:
name: "{{ item.name }}"
# The numeric identifiers of new system groups are chosen in the SYS_GID_MIN-SYS_GID_MAX range
system: true
state: "{{ item.state|default('present') }}"
with_items: |
{{ grouplist.values() | rejectattr("gid", "defined") }}
loop_control:
label: "{{ item.name }}"
tags:
- groups
- common-groups
- name: create common groups with GID
group:
name: "{{ item.name }}"
gid: "{{ item.gid }}"
system: true
state: "{{ item.state|default('present') }}"
with_items: |
{{ grouplist.values() | selectattr("gid", "defined") }}
loop_control:
label: "{{ item.name }} gid={{ item.gid }}"
tags:
- groups
- common-groups
- name: set up system users
tags:
- systemusers
block:
- name: sanity checks for {{ ansible_username }}
fail:
msg: "{{ ansible_username }} is missing"
when: ansible_username not in systemuserlist.keys() | list
- name: create system user groups
group:
name: "{{ item.username }}"
gid: "{{ item.gid | default(item.uid) }}"
with_items: "{{ systemuserlist.values() | rejectattr('enabled', 'false') }}"
loop_control:
label: "{{ item.username }}"
- name: system users
user:
system: "{{ item.system_account | default(true) }}"
name: "{{ item.username }}"
group: "{{ item.gid }}"
groups: "{{ item.groups | default([]) }}"
append: true
shell: "{{ item.shell | default('/dev/null') }}"
uid: "{{ item.uid }}"
home: "{{ item.home | default('/var/lib/' + item.username) }}"
create_home: "{{ 'home' in item | default(False) }}"
move_home: true
force: false
loop_control:
label: "{{ item.username }}"
with_items: "{{ systemuserlist.values() | rejectattr('enabled', 'false') }}"
- name: set authorized_keys for system users with pubkeys
template:
src: "private/sshkeys/{{ item.username }}.authorized_keys"
dest: "~/.ssh/authorized_keys"
owner: "{{ item.username }}"
group: "{{ item.username }}"
mode: 0600
become: true
become_user: "{{ item.username }}"
ignore_errors: "{{ ansible_check_mode }}"
loop_control:
label: "{{ item.username }}"
with_items: "{{ systemuserlist.values() | selectattr('sshkey', 'true') }}"
tags:
- sshkeys
- authorized_keys
- name: remove disabled system users
user:
state: absent
name: "{{ item.username }}"
uid: "{{ item.uid }}"
loop_control:
label: "{{ item.username }}"
with_items: "{{ systemuserlist.values() | selectattr('enabled', 'false') }}"
tags:
- remove-users
- name: remove disabled system user groups
group:
state: absent
name: "{{ item.username }}"
gid: "{{ item.gid }}"
loop_control:
label: "{{ item.username }}"
with_items: "{{ systemuserlist.values() | selectattr('enabled', 'false') }}"
tags:
- remove-users
# because 'force' to the user task doesnt seem to work
- name: remove lingering home dirs for removed system users (if set)
file:
state: absent
path: "{{ item.home }}"
with_items: "{{ systemuserlist.values() | selectattr('enabled', 'false') }}"
loop_control:
label: "{{ item.username }}"
when:
- item.force_remove_home|default(false)
tags:
- remove-users
- name: human users
user:
state: "{{ item.state | default('present') }}"
name: "{{ userlist[item]['username'] }}"
group: "{{ userlist[item]['gid'] }}"
groups: "{{ userlist[item]['groups'] | default([]) }}"
append: true
shell: "{{ userlist[item]['shell'] | default('/bin/zsh') }}"
uid: "{{ userlist[item]['uid'] }}"
#home: "{{ userlist[item]['home'] | default('/home/' + userlist[item]['username'] ) }}"
home: "/home/{{ userlist[item]['username'] }}"
create_home: true
move_home: false
force: false
with_items: "{{ human_users }}"
tags: human
- name: chmod and chown for .ssh
file:
path: "~{{ item }}/.ssh"
state: directory
owner: "{{ item }}"
group: "{{ item }}"
mode: 0700
with_items: "{{ human_users }}"
tags: human
- name: empty .zshrc if ephemeral_homes to avoid zsh-newuser-install
copy:
dest: "~{{ item }}/.zshrc"
owner: "{{ item }}"
group: "{{ item }}"
mode: 0770
content: "#!/bin/zsh"
with_items: "{{ human_users }}"
when: ephemeral_homes
#when: false
tags: human
- name: allow 'sudo' group to have passwordless sudo
lineinfile:
dest: /etc/sudoers
state: present
regexp: '^%sudo'
line: '%sudo ALL=(ALL) NOPASSWD: ALL'
validate: 'visudo -cf %s'
when: is_local is not defined
- name: set authorized_keys for users with local pubkey files
template:
src: "private/sshkeys/{{ item }}.authorized_keys"
dest: "~/.ssh/authorized_keys"
owner: "{{ item }}"
group: "{{ item }}"
mode: 0600
become: true
become_user: "{{ item }}"
with_items: "{{ human_users }}"
when:
- userlist[item]['sshkey']
tags:
- sshkeys
- human
- name: set a password for {{ myusername }} and root
user:
name: "{{ item }}"
password: "{{ mypassword }}"
update_password: always
tags:
- human
- mypass
with_items:
- "{{ myusername }}"
- root
- name: make dir for ephemeral hosts on non-human-operatored hosts
file:
state: directory
path: /usr/local/homes
tags:
- human
- ephemeral_homes
when: ephemeral_homes
- name: install ephemeral homes script on non-human-operated hosts
copy:
src: ephemeralhomes.py
dest: /usr/local/bin/ephemeralhomes.py
owner: root
group: root
mode: 0700
tags:
- human
- ephemeral_homes
- ephemeral_homes-script
when: ephemeral_homes
- name: install ephemeral homes crontab on non-human-operated hosts
template:
src: ephemeralhomes-cron.j2
dest: /etc/cron.d/ephemeralhomes
owner: root
group: root
mode: 0600
tags:
- human
- ephemeral_homes
when: ephemeral_homes
- name: ensure ephemeral homes script+cron is absent on human-operated-hosts
file:
path: "{{ item }}"
state: absent
with_items:
- /etc/cron.d/ephemeralhomes
- /usr/local/bin/ephemeralhomes.py
when: not ephemeral_homes
tags:
- human
- ephemeral_homes
- name: motd
template:
src: motd.j2
dest: /etc/motd
owner: root
group: root
mode: 0744
tags:
- motd
- human
- ephemeral_homes
- name: set up deadspace
block:
- name: create deadspace for users
file:
state: directory
path: "/deadspace/users/{{ item }}"
owner: "{{ userlist[item]['username'] }}"
group: "{{ userlist[item]['username'] }}"
mode: 0700
with_items: "{{ human_users }}"
- name: symlink deadspace
file:
src: "/deadspace/users/{{ item }}"
dest: "/home/{{ item }}/deadspace"
owner: "{{ userlist[item]['username'] }}"
group: "{{ userlist[item]['username'] }}"
state: link
with_items: "{{ human_users }}"
when: "'mainframe' in group_names"
View Git Blame Copy Permalink