ISTI-ansible-roles
/
ansible-role-users
4
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add the tasks for both Deb and EL distributions.

This commit is contained in:
Andrea Dell'Amico 2020-05-28 16:32:48 +02:00
parent cad0a10405
commit 0a9c233ca4
5 changed files with 165 additions and 69 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
README.md
View File

@ -1,31 +1,22 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
A role that creates users.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
The list of users. It's a dictionary
``` yaml
users_system_users:
- { login: 'foo', name: "Foo Bar", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ foo_ssh_key }}', shell: '/bin/bash', admin: False, log_as_root: False }
```
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
None
License
-------
@ -35,4 +26,4 @@ EUPL-1.2
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
Andrea Dell'Amico, <andrea.dellamico@isti.cnr.it>

20
defaults/main.yml
View File

@ -1,2 +1,20 @@
---
# defaults file for ansible-role-template
#
# This role adds users to a system
# The users can access if their ssh key is provided
# Users can have sudo privileges if the 'admin' property is 'true'
# admin users can also directly log as root when 'user_admin_can_log_as_root' is set to 'true'
deb_users_sudoers_group: sudo
rh_users_sudoers_group: wheel
users_sudoers_group: '{{ deb_users_sudoers_group }}'
users_sudoers_create_group: False
users_sudoers_create_sudo_conf: False
users_home_dir: /home
users_default_password: '*'
users_update_password: 'on_create'
users_system_users: []
# - { login: 'foo', name: "Foo Bar", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ foo_ssh_key }}', shell: '/bin/bash', admin: False, log_as_root: False }
users_system_users_adjunct: []
users_additional_groups: []
# - { group: 'foo' }

62
meta/main.yml
View File

@ -1,61 +1,25 @@
galaxy_info:
author: your name
description: your description
author: Andrea Dell'Amico
description: Systems Architect
company: ISTI-CNR
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
# Some suggested licenses:
# - BSD (default)
# - MIT
# - GPLv2
# - GPLv3
# - Apache
# - CC-BY
license: EUPL-1.2
license: EUPL 1.2+
min_ansible_version: 2.8
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
# Galaxy will use this branch. During import Galaxy will access files on
# this branch. If Travis integration is configured, only notifications for this
# branch will be accepted. Otherwise, in all cases, the repo's default branch
# (usually master) will be used.
#github_branch:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
platforms:
- name: Ubuntu
versions:
- bionic
- name: EL
versions:
- 7
- 8
galaxy_tags:
- users

124
tasks/main.yml
View File

@ -1,2 +1,124 @@
---
# tasks file for ansible-role-template
- block:
- name: Create the sudoers group if needed
group: name={{ users_sudoers_group }} state=present
when: users_sudoers_create_group | bool
- name: Add a sudo additional configuration for the new sudoers group
template: src=sudoers.j2 dest=/etc/sudoers.d/{{ users_sudoers_group }}
when: users_sudoers_create_sudo_conf | bool
tags: users
- block:
- name: Manage additional groups
group: name={{ item.group }} state={{ item.state | default('present') }}
with_items: '{{ users_additional_groups }}'
when: users_additional_groups is defined | bool
tags: users
- block:
- name: Create users
user: name={{ item.login }} group={{ item.group | default(omit) }} comment="{{ item.name }}" home={{ item.home }}/{{ item.login }} createhome={{ item.createhome }} shell={{ item.shell }} password={{ item.password | default('*') }} update_password={{ item.update_password | default('on_create') }}
with_items: '{{ users_system_users }}'
- name: ensure that the users can login with their ssh keys
authorized_key: user="{{ item.login }}" key="{{ item.ssh_key }}" state=present
with_items: '{{ users_system_users }}'
when: item.ssh_key is defined
- name: Add the admin users to the sudoers group on debian based systems
user: name={{ item.login }} groups={{ deb_users_sudoers_group }} append=yes
with_items: '{{ users_system_users }}'
when:
- item.admin
- ansible_distribution_file_variety == "Debian"
- name: Add the admin users to the sudoers group on rh/centos systems
user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes
with_items: '{{ users_system_users }}'
when:
- item.admin
- ansible_distribution_file_variety == "RedHat"
- name: ensure that the users can login with their ssh keys as root if we want ensure direct access
authorized_key: user=root key="{{ item.ssh_key }}" state=present
with_items: '{{ users_system_users }}'
when:
- item.ssh_key is defined
- item.log_as_root is defined
- item.log_as_root
- name: ensure that the users can not login with their ssh keys as root
authorized_key: user=root key="{{ item.ssh_key }}" state=absent
with_items: '{{ users_system_users }}'
when:
- item.ssh_key is defined
- item.log_as_root is defined
- not item.log_as_root
when: users_system_users is defined
tags: users
- block:
- name: Create additional users
user: name={{ item.login }} group={{ item.group | default(omit) }} comment="{{ item.name }}" home={{ item.home }}/{{ item.login }} createhome={{ item.createhome }} shell={{ item.shell }} password={{ item.password | default('*') }} update_password={{ item.update_password | default('on_create') }}
with_items: '{{ users_system_users_adjunct }}'
- name: ensure that the additional users can login with their ssh keys
authorized_key: user="{{ item.login }}" key="{{ item.ssh_key }}" state=present
with_items: '{{ users_system_users_adjunct }}'
when: item.ssh_key is defined
- name: Add the additional admin users to the sudoers group on debian based systems
user: name={{ item.login }} groups={{ deb_users_sudoers_group }} append=yes
with_items: '{{ users_system_users_adjunct }}'
when:
- item.admin
- ansible_distribution_file_variety == "Debian"
- name: Add the additional admin users to the sudoers group on rh/centos systems
user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes
with_items: '{{ users_system_users_adjunct }}'
when:
- item.admin
- ansible_distribution_file_variety == "RedHat"
- name: ensure that the additional users can login with their ssh keys as root if we want ensure direct access
authorized_key: user=root key="{{ item.ssh_key }}" state=present
with_items: '{{ users_system_users_adjunct }}'
when:
- item.ssh_key is defined
- item.log_as_root is defined
- item.log_as_root
- name: ensure that the additional users cannot login with their ssh keys as root
authorized_key: user=root key="{{ item.ssh_key }}" state=absent
with_items: '{{ users_system_users_adjunct }}'
when:
- item.ssh_key is defined
- item.log_as_root is defined
- not item.log_as_root
when: users_system_users_adjunct is defined
tags: users
- block:
- name: Permit sudo without password on Deb based systems
lineinfile:
path: /etc/sudoers
state: present
regexp: '^%{{ deb_users_sudoers_group }}\s'
line: '%{{ deb_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL'
when: ansible_distribution_file_variety == "Debian"
- name: Change the sudo configuration to permit sudo without password on RH/CentOS systems
lineinfile:
path: /etc/sudoers
state: present
regexp: '^%{{ rh_users_sudoers_group }}\s'
line: '%{{ rh_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL'
when: ansible_distribution_file_variety == "RedHat"
tags: [ 'users', 'sudo_wheel' ]

1
templates/sudoers.j2 Normal file
View File

@ -0,0 +1 @@
%{{ users_sudoers_group }} ALL=(ALL) ALL