Cleanup. Remove the default cloud user.
This commit is contained in:
parent
23fa2c9f7d
commit
dbcc203822
|
@ -18,3 +18,8 @@ users_system_users: []
|
||||||
users_system_users_adjunct: []
|
users_system_users_adjunct: []
|
||||||
users_additional_groups: []
|
users_additional_groups: []
|
||||||
# - { group: 'foo' }
|
# - { group: 'foo' }
|
||||||
|
users_default_cloud_users:
|
||||||
|
- ubuntu
|
||||||
|
- centos
|
||||||
|
- almalinux
|
||||||
|
- rocky
|
||||||
|
|
136
tasks/main.yml
136
tasks/main.yml
|
@ -1,27 +1,47 @@
|
||||||
---
|
---
|
||||||
- block:
|
- name: Create the groups that we want to add to the users
|
||||||
|
tags: users
|
||||||
|
block:
|
||||||
- name: Create the sudoers group if needed
|
- name: Create the sudoers group if needed
|
||||||
group: name={{ users_sudoers_group }} state=present
|
ansible.builtin.group:
|
||||||
|
name: "{{ users_sudoers_group }}"
|
||||||
|
state: present
|
||||||
when: users_sudoers_create_group | bool
|
when: users_sudoers_create_group | bool
|
||||||
|
|
||||||
- name: Add a sudo additional configuration for the new sudoers group
|
- name: Add a sudo additional configuration for the new sudoers group
|
||||||
template: src=sudoers.j2 dest=/etc/sudoers.d/{{ users_sudoers_group }}
|
ansible.builtin.template:
|
||||||
|
src: sudoers.j2
|
||||||
|
dest: "/etc/sudoers.d/{{ users_sudoers_group }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0600"
|
||||||
when: users_sudoers_create_sudo_conf | bool
|
when: users_sudoers_create_sudo_conf | bool
|
||||||
|
|
||||||
tags: users
|
|
||||||
|
|
||||||
- block:
|
|
||||||
- name: Manage additional groups
|
- name: Manage additional groups
|
||||||
group: name={{ item.group }} state={{ item.state | default('present') }}
|
|
||||||
with_items: '{{ users_additional_groups }}'
|
|
||||||
|
|
||||||
when: users_additional_groups is defined | bool
|
when: users_additional_groups is defined | bool
|
||||||
tags: users
|
tags: users
|
||||||
|
block:
|
||||||
|
- name: Manage additional groups
|
||||||
|
ansible.builtin.group:
|
||||||
|
name: "{{ item.group }}"
|
||||||
|
state: "{{ item.state | default('present') }}"
|
||||||
|
loop: '{{ users_additional_groups }}'
|
||||||
|
|
||||||
|
- name: Remove some default users from cloud images
|
||||||
|
tags:
|
||||||
|
- users
|
||||||
|
- default_users
|
||||||
|
block:
|
||||||
|
- name: Remove the default cloud users
|
||||||
|
ansible.builtin.user:
|
||||||
|
name: "{{ item }}"
|
||||||
|
state: absent
|
||||||
|
loop: '{{ users_default_cloud_users }}'
|
||||||
|
|
||||||
- name: Manage the users of a system
|
- name: Manage the users of a system
|
||||||
tags: users
|
tags: users
|
||||||
block:
|
block:
|
||||||
- name: Manage the creation of deletion of users
|
- name: Manage the creation or deletion of users
|
||||||
ansible.builtin.user:
|
ansible.builtin.user:
|
||||||
name: "{{ item.login }}"
|
name: "{{ item.login }}"
|
||||||
group: "{{ item.group | default(omit) }}"
|
group: "{{ item.group | default(omit) }}"
|
||||||
|
@ -37,36 +57,40 @@
|
||||||
loop: '{{ users_system_users }}'
|
loop: '{{ users_system_users }}'
|
||||||
no_log: true
|
no_log: true
|
||||||
|
|
||||||
- name: ensure that the users can login with their ssh keys
|
- name: Ensure that the users can login with their ssh keys
|
||||||
authorized_key: user="{{ item.login }}" key="{{ item.ssh_key }}" state=present
|
ansible.posix.authorized_key:
|
||||||
with_items: '{{ users_system_users }}'
|
user: "{{ item.login }}"
|
||||||
|
key: "{{ item.ssh_key }}"
|
||||||
|
state: present
|
||||||
|
loop: '{{ users_system_users }}'
|
||||||
when: item.ssh_key is defined
|
when: item.ssh_key is defined
|
||||||
|
|
||||||
- name: Add the admin users to the sudoers group on debian based systems
|
- name: Add the admin users to the sudoers group
|
||||||
user: name={{ item.login }} groups={{ deb_users_sudoers_group }} append=yes
|
ansible.builtin.user:
|
||||||
with_items: '{{ users_system_users }}'
|
name: "{{ item.login }}"
|
||||||
|
groups: '{% if ansible_distribution_file_variety == "Debian" %}{{ deb_users_sudoers_group }}{% elif ansible_distribution_file_variety == "RedHat" %}{{ rh_users_sudoers_group }}{% endif %}'
|
||||||
|
append: true
|
||||||
|
loop: '{{ users_system_users }}'
|
||||||
when:
|
when:
|
||||||
- item.admin
|
- item.admin
|
||||||
- ansible_distribution_file_variety == "Debian"
|
|
||||||
|
|
||||||
- name: Add the admin users to the sudoers group on rh/centos systems
|
- name: Ensure that the users can login with their ssh keys as root when needed
|
||||||
user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes
|
ansible.posix.authorized_key:
|
||||||
with_items: '{{ users_system_users }}'
|
user: root
|
||||||
when:
|
key: "{{ item.ssh_key }}"
|
||||||
- item.admin
|
state: present
|
||||||
- ansible_distribution_file_variety == "RedHat"
|
loop: '{{ users_system_users }}'
|
||||||
|
|
||||||
- name: ensure that the users can login with their ssh keys as root if we want ensure direct access
|
|
||||||
authorized_key: user=root key="{{ item.ssh_key }}" state=present
|
|
||||||
with_items: '{{ users_system_users }}'
|
|
||||||
when:
|
when:
|
||||||
- item.ssh_key is defined
|
- item.ssh_key is defined
|
||||||
- item.log_as_root is defined
|
- item.log_as_root is defined
|
||||||
- item.log_as_root
|
- item.log_as_root
|
||||||
|
|
||||||
- name: ensure that the users can not login with their ssh keys as root
|
- name: Ensure that the users can not login with their ssh keys as root
|
||||||
authorized_key: user=root key="{{ item.ssh_key }}" state=absent
|
ansible.posix.authorized_key:
|
||||||
with_items: '{{ users_system_users }}'
|
user: root
|
||||||
|
key: "{{ item.ssh_key }}"
|
||||||
|
state: absent
|
||||||
|
loop: '{{ users_system_users }}'
|
||||||
when:
|
when:
|
||||||
- item.ssh_key is defined
|
- item.ssh_key is defined
|
||||||
- item.log_as_root is defined
|
- item.log_as_root is defined
|
||||||
|
@ -91,44 +115,50 @@
|
||||||
loop: '{{ users_system_users_adjunct }}'
|
loop: '{{ users_system_users_adjunct }}'
|
||||||
no_log: true
|
no_log: true
|
||||||
|
|
||||||
- name: ensure that the additional users can login with their ssh keys
|
- name: Ensure that the additional users can login with their ssh keys
|
||||||
authorized_key: user="{{ item.login }}" key="{{ item.ssh_key }}" state=present
|
ansible.posix.authorized_key:
|
||||||
with_items: '{{ users_system_users_adjunct }}'
|
user: "{{ item.login }}"
|
||||||
|
key: "{{ item.ssh_key }}"
|
||||||
|
state: present
|
||||||
|
loop: '{{ users_system_users_adjunct }}'
|
||||||
when: item.ssh_key is defined
|
when: item.ssh_key is defined
|
||||||
|
|
||||||
- name: Add the additional admin users to the sudoers group on debian based systems
|
- name: Add the additional admin users to the sudoers group
|
||||||
user: name={{ item.login }} groups={{ deb_users_sudoers_group }} append=yes
|
ansible.builtin.user:
|
||||||
with_items: '{{ users_system_users_adjunct }}'
|
name: "{{ item.login }}"
|
||||||
|
groups: '{% if ansible_distribution_file_variety == "Debian" %}{{ deb_users_sudoers_group }}{% elif ansible_distribution_file_variety == "RedHat" %}{{ rh_users_sudoers_group }}{% endif %}'
|
||||||
|
append: true
|
||||||
|
loop: '{{ users_system_users_adjunct }}'
|
||||||
when:
|
when:
|
||||||
- item.admin
|
- item.admin
|
||||||
- ansible_distribution_file_variety == "Debian"
|
|
||||||
|
|
||||||
- name: Add the additional admin users to the sudoers group on rh/centos systems
|
|
||||||
user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes
|
|
||||||
with_items: '{{ users_system_users_adjunct }}'
|
|
||||||
when:
|
|
||||||
- item.admin
|
|
||||||
- ansible_distribution_file_variety == "RedHat"
|
|
||||||
|
|
||||||
- name: Ensure that the additional users can login with their ssh keys as root if we want ensure direct access
|
- name: Ensure that the additional users can login with their ssh keys as root if we want ensure direct access
|
||||||
authorized_key: user=root key="{{ item.ssh_key }}" state=present
|
ansible.posix.authorized_key:
|
||||||
with_items: '{{ users_system_users_adjunct }}'
|
user: root
|
||||||
|
key: "{{ item.ssh_key }}"
|
||||||
|
state: present
|
||||||
|
loop: '{{ users_system_users_adjunct }}'
|
||||||
when:
|
when:
|
||||||
- item.ssh_key is defined
|
- item.ssh_key is defined
|
||||||
- item.log_as_root is defined
|
- item.log_as_root is defined
|
||||||
- item.log_as_root
|
- item.log_as_root
|
||||||
|
|
||||||
- name: ensure that the additional users cannot login with their ssh keys as root
|
- name: Ensure that the additional users cannot login with their ssh keys as root
|
||||||
authorized_key: user=root key="{{ item.ssh_key }}" state=absent
|
ansible.posix.authorized_key:
|
||||||
with_items: '{{ users_system_users_adjunct }}'
|
user: root
|
||||||
|
key: "{{ item.ssh_key }}"
|
||||||
|
state: absent
|
||||||
|
loop: '{{ users_system_users_adjunct }}'
|
||||||
when:
|
when:
|
||||||
- item.ssh_key is defined
|
- item.ssh_key is defined
|
||||||
- item.log_as_root is defined
|
- item.log_as_root is defined
|
||||||
- not item.log_as_root
|
- not item.log_as_root
|
||||||
|
|
||||||
- block:
|
- name: Configure passwordless sudo
|
||||||
|
tags: ['users', 'sudo_wheel']
|
||||||
|
block:
|
||||||
- name: Permit sudo without password on Deb based systems
|
- name: Permit sudo without password on Deb based systems
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/sudoers
|
path: /etc/sudoers
|
||||||
state: present
|
state: present
|
||||||
regexp: '^%{{ deb_users_sudoers_group }}\s'
|
regexp: '^%{{ deb_users_sudoers_group }}\s'
|
||||||
|
@ -136,11 +166,9 @@
|
||||||
when: ansible_distribution_file_variety == "Debian"
|
when: ansible_distribution_file_variety == "Debian"
|
||||||
|
|
||||||
- name: Change the sudo configuration to permit sudo without password on RH/CentOS systems
|
- name: Change the sudo configuration to permit sudo without password on RH/CentOS systems
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/sudoers
|
path: /etc/sudoers
|
||||||
state: present
|
state: present
|
||||||
regexp: '^%{{ rh_users_sudoers_group }}\s'
|
regexp: '^%{{ rh_users_sudoers_group }}\s'
|
||||||
line: '%{{ rh_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL'
|
line: '%{{ rh_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL'
|
||||||
when: ansible_distribution_file_variety == "RedHat"
|
when: ansible_distribution_file_variety == "RedHat"
|
||||||
|
|
||||||
tags: [ 'users', 'sudo_wheel' ]
|
|
||||||
|
|
Loading…
Reference in New Issue