From dbcc2038224bcf9a24d1b85eb247de8c5a1c916c Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Thu, 21 Sep 2023 13:30:05 +0200
Subject: [PATCH] Cleanup. Remove the default cloud user.
---
 defaults/main.yml | 5 ++
 tasks/main.yml | 140 +++++++++++++++++++++++++++------------------
 2 files changed, 89 insertions(+), 56 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index b8cb2bc..4187fe8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -18,3 +18,8 @@ users_system_users: []
 users_system_users_adjunct: []
 users_additional_groups: []
 # - { group: 'foo' }
+users_default_cloud_users:
+ - ubuntu
+ - centos
+ - almalinux
+ - rocky
diff --git a/tasks/main.yml b/tasks/main.yml
index 3f474ca..6209de8 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
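Review bot: `users_default_cloud_users` is a role default whose effect is to delete accounts on every host the role runs against (the removal task in tasks/main.yml has no condition), yet the new lines carry no comment, while the neighbouring default (`# - { group: 'foo' }`) at least shows the expected shape. A note above the key along the lines of `# Accounts shipped by cloud images that tasks/main.yml deletes (state: absent); set to [] to keep them, and never list the account Ansible connects with` would make the side effect visible to anyone reading defaults/main.yml. Shipping the list empty by default and letting playbooks opt in would be the more conservative choice, but that is a design decision rather than a defect.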
@@ -1,27 +1,47 @@ --- -- block: +- name: Create the groups that we want to add to the users + tags: users + block: - name: Create the sudoers group if needed - group: name={{ users_sudoers_group }} state=present + ansible.builtin.group: + name: "{{ users_sudoers_group }}" + state: present when: users_sudoers_create_group | bool - name: Add a sudo additional configuration for the new sudoers group - template: src=sudoers.j2 dest=/etc/sudoers.d/{{ users_sudoers_group }} + ansible.builtin.template: + src: sudoers.j2 + dest: "/etc/sudoers.d/{{ users_sudoers_group }}" + owner: root + group: root + mode: "0600" when: users_sudoers_create_sudo_conf | bool - tags: users - -- block: - - name: Manage additional groups - group: name={{ item.group }} state={{ item.state | default('present') }} - with_items: '{{ users_additional_groups }}' - +- name: Manage additional groups when: users_additional_groups is defined | bool tags: users + block: + - name: Manage additional groups + ansible.builtin.group: + name: "{{ item.group }}" + state: "{{ item.state | default('present') }}" + loop: '{{ users_additional_groups }}' + +- name: Remove some default users from cloud images + tags: + - users + - default_users + block: + - name: Remove the default cloud users + ansible.builtin.user: + name: "{{ item }}" + state: absent + loop: '{{ users_default_cloud_users }}' - name: Manage the users of a system tags: users block: - - name: Manage the creation of deletion of users + - name: Manage the creation or deletion of users ansible.builtin.user: name: "{{ item.login }}" group: "{{ item.group | default(omit) }}" 
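Review bot: The new 'Remove the default cloud users' task deletes `ubuntu`, `centos`, `almalinux` and `rocky` unconditionally, so on a host where Ansible itself connects as one of them (the usual case on fresh cloud images) the role removes the account it is running as, and it does so before the 'Manage the users of a system' block further down has created any replacement admin user or installed its SSH key. Guarding the loop with `when: item != (ansible_user | default(ansible_user_id))` and moving the block after the user-creation tasks avoids a lock-out; `remove: true` is also worth considering so the old home directory and its `authorized_keys` do not linger for whichever UID is allocated next. Separately, the sudoers.d template is now written with `mode: "0600"` and no validation: sudo expects sudoers.d files to be 0440 and, on at least some versions, refuses a 0600 file with 'is mode 0600, should be 0440', so `mode: "0440"` plus `validate: '/usr/sbin/visudo -cf %s'` would both fix the mode and catch a broken template before it is installed.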
@@ -37,36 +57,40 @@ loop: '{{ users_system_users }}' no_log: true - - name: ensure that the users can login with their ssh keys - authorized_key: user="{{ item.login }}" key="{{ item.ssh_key }}" state=present - with_items: '{{ users_system_users }}' + - name: Ensure that the users can login with their ssh keys + ansible.posix.authorized_key: + user: "{{ item.login }}" + key: "{{ item.ssh_key }}" + state: present + loop: '{{ users_system_users }}' when: item.ssh_key is defined - - name: Add the admin users to the sudoers group on debian based systems - user: name={{ item.login }} groups={{ deb_users_sudoers_group }} append=yes - with_items: '{{ users_system_users }}' + - name: Add the admin users to the sudoers group + ansible.builtin.user: + name: "{{ item.login }}" + groups: '{% if ansible_distribution_file_variety == "Debian" %}{{ deb_users_sudoers_group }}{% elif ansible_distribution_file_variety == "RedHat" %}{{ rh_users_sudoers_group }}{% endif %}' + append: true + loop: '{{ users_system_users }}' when: - item.admin - - ansible_distribution_file_variety == "Debian" - - name: Add the admin users to the sudoers group on rh/centos systems - user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes - with_items: '{{ users_system_users }}' - when: - - item.admin - - ansible_distribution_file_variety == "RedHat" - - - name: ensure that the users can login with their ssh keys as root if we want ensure direct access - authorized_key: user=root key="{{ item.ssh_key }}" state=present - with_items: '{{ users_system_users }}' + - name: Ensure that the users can login with their ssh keys as root when needed + ansible.posix.authorized_key: + user: root + key: "{{ item.ssh_key }}" + state: present + loop: '{{ users_system_users }}' when: - item.ssh_key is defined - item.log_as_root is defined - item.log_as_root - - name: ensure that the users can not login with their ssh keys as root - authorized_key: user=root key="{{ item.ssh_key }}" state=absent - 
with_items: '{{ users_system_users }}' + - name: Ensure that the users can not login with their ssh keys as root + ansible.posix.authorized_key: + user: root + key: "{{ item.ssh_key }}" + state: absent + loop: '{{ users_system_users }}' when: - item.ssh_key is defined - item.log_as_root is defined 
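Review bot: The merged 'Add the admin users to the sudoers group' task renders `groups:` to an empty string on any host whose `ansible_distribution_file_variety` is neither Debian nor RedHat, so unsupported families now pass through the user module silently instead of being skipped by the old per-family `when`, and it appears that only `append: true` stands between that empty value and the user being stripped of every supplementary group should someone later drop it. Keeping the family check in the condition makes the intent explicit: add `- ansible_distribution_file_variety in ['Debian', 'RedHat']` under `when:`, or better, select the group once into a variable (with an assert for unsupported families) in place of the inline Jinja if/elif. The 'Manage the users of a system' block this task belongs to starts in the previous hunk.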
@@ -91,44 +115,50 @@ loop: '{{ users_system_users_adjunct }}' no_log: true - - name: ensure that the additional users can login with their ssh keys - authorized_key: user="{{ item.login }}" key="{{ item.ssh_key }}" state=present - with_items: '{{ users_system_users_adjunct }}' + - name: Ensure that the additional users can login with their ssh keys + ansible.posix.authorized_key: + user: "{{ item.login }}" + key: "{{ item.ssh_key }}" + state: present + loop: '{{ users_system_users_adjunct }}' when: item.ssh_key is defined - - name: Add the additional admin users to the sudoers group on debian based systems - user: name={{ item.login }} groups={{ deb_users_sudoers_group }} append=yes - with_items: '{{ users_system_users_adjunct }}' + - name: Add the additional admin users to the sudoers group + ansible.builtin.user: + name: "{{ item.login }}" + groups: '{% if ansible_distribution_file_variety == "Debian" %}{{ deb_users_sudoers_group }}{% elif ansible_distribution_file_variety == "RedHat" %}{{ rh_users_sudoers_group }}{% endif %}' + append: true + loop: '{{ users_system_users_adjunct }}' when: - item.admin - - ansible_distribution_file_variety == "Debian" - - - name: Add the additional admin users to the sudoers group on rh/centos systems - user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes - with_items: '{{ users_system_users_adjunct }}' - when: - - item.admin - - ansible_distribution_file_variety == "RedHat" - name: Ensure that the additional users can login with their ssh keys as root if we want ensure direct access - authorized_key: user=root key="{{ item.ssh_key }}" state=present - with_items: '{{ users_system_users_adjunct }}' + ansible.posix.authorized_key: + user: root + key: "{{ item.ssh_key }}" + state: present + loop: '{{ users_system_users_adjunct }}' when: - item.ssh_key is defined - item.log_as_root is defined - item.log_as_root - - name: ensure that the additional users cannot login with their ssh keys as root - authorized_key: 
user=root key="{{ item.ssh_key }}" state=absent - with_items: '{{ users_system_users_adjunct }}' + - name: Ensure that the additional users cannot login with their ssh keys as root + ansible.posix.authorized_key: + user: root + key: "{{ item.ssh_key }}" + state: absent + loop: '{{ users_system_users_adjunct }}' when: - item.ssh_key is defined - item.log_as_root is defined - not item.log_as_root -- block: +- name: Configure passwordless sudo + tags: ['users', 'sudo_wheel'] + block: - name: Permit sudo without password on Deb based systems - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers state: present regexp: '^%{{ deb_users_sudoers_group }}\s' @@ -136,11 +166,9 @@ when: ansible_distribution_file_variety == "Debian" - name: Change the sudo configuration to permit sudo without password on RH/CentOS systems - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers state: present regexp: '^%{{ rh_users_sudoers_group }}\s' line: '%{{ rh_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL' - when: ansible_distribution_file_variety == "RedHat" - - tags: [ 'users', 'sudo_wheel' ] + when: ansible_distribution_file_variety == "RedHat"
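Review bot: The adjunct-user tasks in this hunk appear to be a line-for-line copy of the tasks for `users_system_users` in the previous hunk, including the same inline `{% if %}`/`{% elif %}` group selection, so any later fix (for instance supporting a third distribution family) has to be made twice. A single task set looping over `"{{ users_system_users + users_system_users_adjunct }}"`, or one `ansible.builtin.include_tasks` file invoked with the list as a variable, would remove the duplication without changing what the role does. The 'Ensure that the additional users can login with their ssh keys as root' task still pushes a user's key into root's `authorized_keys`; if that stays, a comment above it stating that `log_as_root` grants direct root SSH access would help readers of the role. The new 'Configure passwordless sudo' block starts at the end of this hunk and continues into the next.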
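Review bot: Both `ansible.builtin.lineinfile` tasks edit `/etc/sudoers` in place with no `validate:`, so a bad render of the `line:` value (for example an undefined `rh_users_sudoers_group`) leaves a syntactically broken sudoers file and locks every administrator out of sudo on that host; adding `validate: '/usr/sbin/visudo -cf %s'` to each task makes lineinfile write the change to a temporary file and reject it if visudo does not accept it. The hunk also shows no `when:` on the 'Configure passwordless sudo' block itself, so NOPASSWD for the whole sudoers group appears to be applied unconditionally; if that is intended, a comment above the block saying so (and pointing at `--skip-tags sudo_wheel` as the way to opt out) would save the next reader from assuming a guard exists elsewhere. The block's first task, the Debian line, starts in the previous hunk.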