Cleanup. Remove the default cloud user.

This commit is contained in:
Andrea Dell'Amico 2023-09-21 13:30:05 +02:00
parent 23fa2c9f7d
commit dbcc203822
Signed by: adellam
GPG Key ID: 147ABE6CEB9E20FF
2 changed files with 89 additions and 56 deletions


@ -18,3 +18,8 @@ users_system_users: []
users_system_users_adjunct: [] users_system_users_adjunct: []
users_additional_groups: [] users_additional_groups: []
# - { group: 'foo' } # - { group: 'foo' }
users_default_cloud_users:
- ubuntu
- centos
- almalinux
- rocky
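Review bot: `users_default_cloud_users` ships pre-populated, so the accompanying removal task acts on every host by default and nothing in this list distinguishes the account Ansible itself logs in with (on a stock Ubuntu or CentOS cloud image that is typically `ubuntu` or `centos`, the very names listed here). Deleting that account mid-play can break later tasks and lock the operator out on the next run. I would either default this to `[]` and make removal opt-in, or at least document the constraint above the key: `# Deleted unconditionally by the role; never list the account Ansible connects as (ansible_user).`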


@ -1,27 +1,47 @@
--- ---
- block: - name: Create the groups that we want to add to the users
tags: users
block:
- name: Create the sudoers group if needed - name: Create the sudoers group if needed
group: name={{ users_sudoers_group }} state=present ansible.builtin.group:
name: "{{ users_sudoers_group }}"
state: present
when: users_sudoers_create_group | bool when: users_sudoers_create_group | bool
- name: Add a sudo additional configuration for the new sudoers group - name: Add a sudo additional configuration for the new sudoers group
template: src=sudoers.j2 dest=/etc/sudoers.d/{{ users_sudoers_group }} ansible.builtin.template:
src: sudoers.j2
dest: "/etc/sudoers.d/{{ users_sudoers_group }}"
owner: root
group: root
mode: "0600"
when: users_sudoers_create_sudo_conf | bool when: users_sudoers_create_sudo_conf | bool
tags: users
- block:
- name: Manage additional groups - name: Manage additional groups
group: name={{ item.group }} state={{ item.state | default('present') }}
with_items: '{{ users_additional_groups }}'
when: users_additional_groups is defined | bool when: users_additional_groups is defined | bool
tags: users tags: users
block:
- name: Manage additional groups
ansible.builtin.group:
name: "{{ item.group }}"
state: "{{ item.state | default('present') }}"
loop: '{{ users_additional_groups }}'
- name: Remove some default users from cloud images
tags:
- users
- default_users
block:
- name: Remove the default cloud users
ansible.builtin.user:
name: "{{ item }}"
state: absent
loop: '{{ users_default_cloud_users }}'
- name: Manage the users of a system - name: Manage the users of a system
tags: users tags: users
block: block:
- name: Manage the creation of deletion of users - name: Manage the creation or deletion of users
ansible.builtin.user: ansible.builtin.user:
name: "{{ item.login }}" name: "{{ item.login }}"
group: "{{ item.group | default(omit) }}" group: "{{ item.group | default(omit) }}"
@ -37,36 +57,40 @@
loop: '{{ users_system_users }}' loop: '{{ users_system_users }}'
no_log: true no_log: true
- name: ensure that the users can login with their ssh keys - name: Ensure that the users can login with their ssh keys
authorized_key: user="{{ item.login }}" key="{{ item.ssh_key }}" state=present ansible.posix.authorized_key:
with_items: '{{ users_system_users }}' user: "{{ item.login }}"
key: "{{ item.ssh_key }}"
state: present
loop: '{{ users_system_users }}'
when: item.ssh_key is defined when: item.ssh_key is defined
- name: Add the admin users to the sudoers group on debian based systems - name: Add the admin users to the sudoers group
user: name={{ item.login }} groups={{ deb_users_sudoers_group }} append=yes ansible.builtin.user:
with_items: '{{ users_system_users }}' name: "{{ item.login }}"
groups: '{% if ansible_distribution_file_variety == "Debian" %}{{ deb_users_sudoers_group }}{% elif ansible_distribution_file_variety == "RedHat" %}{{ rh_users_sudoers_group }}{% endif %}'
append: true
loop: '{{ users_system_users }}'
when: when:
- item.admin - item.admin
- ansible_distribution_file_variety == "Debian"
- name: Add the admin users to the sudoers group on rh/centos systems - name: Ensure that the users can login with their ssh keys as root when needed
user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes ansible.posix.authorized_key:
with_items: '{{ users_system_users }}' user: root
when: key: "{{ item.ssh_key }}"
- item.admin state: present
- ansible_distribution_file_variety == "RedHat" loop: '{{ users_system_users }}'
- name: ensure that the users can login with their ssh keys as root if we want ensure direct access
authorized_key: user=root key="{{ item.ssh_key }}" state=present
with_items: '{{ users_system_users }}'
when: when:
- item.ssh_key is defined - item.ssh_key is defined
- item.log_as_root is defined - item.log_as_root is defined
- item.log_as_root - item.log_as_root
- name: ensure that the users can not login with their ssh keys as root - name: Ensure that the users can not login with their ssh keys as root
authorized_key: user=root key="{{ item.ssh_key }}" state=absent ansible.posix.authorized_key:
with_items: '{{ users_system_users }}' user: root
key: "{{ item.ssh_key }}"
state: absent
loop: '{{ users_system_users }}'
when: when:
- item.ssh_key is defined - item.ssh_key is defined
- item.log_as_root is defined - item.log_as_root is defined
@ -91,44 +115,50 @@
loop: '{{ users_system_users_adjunct }}' loop: '{{ users_system_users_adjunct }}'
no_log: true no_log: true
- name: ensure that the additional users can login with their ssh keys - name: Ensure that the additional users can login with their ssh keys
authorized_key: user="{{ item.login }}" key="{{ item.ssh_key }}" state=present ansible.posix.authorized_key:
with_items: '{{ users_system_users_adjunct }}' user: "{{ item.login }}"
key: "{{ item.ssh_key }}"
state: present
loop: '{{ users_system_users_adjunct }}'
when: item.ssh_key is defined when: item.ssh_key is defined
- name: Add the additional admin users to the sudoers group on debian based systems - name: Add the additional admin users to the sudoers group
user: name={{ item.login }} groups={{ deb_users_sudoers_group }} append=yes ansible.builtin.user:
with_items: '{{ users_system_users_adjunct }}' name: "{{ item.login }}"
groups: '{% if ansible_distribution_file_variety == "Debian" %}{{ deb_users_sudoers_group }}{% elif ansible_distribution_file_variety == "RedHat" %}{{ rh_users_sudoers_group }}{% endif %}'
append: true
loop: '{{ users_system_users_adjunct }}'
when: when:
- item.admin - item.admin
- ansible_distribution_file_variety == "Debian"
- name: Add the additional admin users to the sudoers group on rh/centos systems
user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes
with_items: '{{ users_system_users_adjunct }}'
when:
- item.admin
- ansible_distribution_file_variety == "RedHat"
- name: Ensure that the additional users can login with their ssh keys as root if we want ensure direct access - name: Ensure that the additional users can login with their ssh keys as root if we want ensure direct access
authorized_key: user=root key="{{ item.ssh_key }}" state=present ansible.posix.authorized_key:
with_items: '{{ users_system_users_adjunct }}' user: root
key: "{{ item.ssh_key }}"
state: present
loop: '{{ users_system_users_adjunct }}'
when: when:
- item.ssh_key is defined - item.ssh_key is defined
- item.log_as_root is defined - item.log_as_root is defined
- item.log_as_root - item.log_as_root
- name: ensure that the additional users cannot login with their ssh keys as root - name: Ensure that the additional users cannot login with their ssh keys as root
authorized_key: user=root key="{{ item.ssh_key }}" state=absent ansible.posix.authorized_key:
with_items: '{{ users_system_users_adjunct }}' user: root
key: "{{ item.ssh_key }}"
state: absent
loop: '{{ users_system_users_adjunct }}'
when: when:
- item.ssh_key is defined - item.ssh_key is defined
- item.log_as_root is defined - item.log_as_root is defined
- not item.log_as_root - not item.log_as_root
- block: - name: Configure passwordless sudo
tags: ['users', 'sudo_wheel']
block:
- name: Permit sudo without password on Deb based systems - name: Permit sudo without password on Deb based systems
lineinfile: ansible.builtin.lineinfile:
path: /etc/sudoers path: /etc/sudoers
state: present state: present
regexp: '^%{{ deb_users_sudoers_group }}\s' regexp: '^%{{ deb_users_sudoers_group }}\s'
@ -136,11 +166,9 @@
when: ansible_distribution_file_variety == "Debian" when: ansible_distribution_file_variety == "Debian"
- name: Change the sudo configuration to permit sudo without password on RH/CentOS systems - name: Change the sudo configuration to permit sudo without password on RH/CentOS systems
lineinfile: ansible.builtin.lineinfile:
path: /etc/sudoers path: /etc/sudoers
state: present state: present
regexp: '^%{{ rh_users_sudoers_group }}\s' regexp: '^%{{ rh_users_sudoers_group }}\s'
line: '%{{ rh_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL' line: '%{{ rh_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL'
when: ansible_distribution_file_variety == "RedHat" when: ansible_distribution_file_variety == "RedHat"
tags: [ 'users', 'sudo_wheel' ]
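Review bot: The "Remove the default cloud users" task deletes the accounts with `state: absent` but without `remove: true`, so each home directory — including the `~/.ssh/authorized_keys` that cloud images populate with the provider-injected key — stays on disk, and nothing prevents the loop from deleting the account Ansible is currently connected as. I would add `remove: true` to the module call and guard the loop with `when: item != ansible_user_id` (the remote login user fact), which is a two-line change. It is also worth a comment on the task that cloud-init may re-create the default user on the next boot unless its user configuration is changed, and that any sudoers drop-in the image ships for these users is not touched by this role. The remaining hunks convert `key=value` module args to block YAML and look faithful to the original tasks.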