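---
# Tasks of the "users" role: sudoers group and drop-in, additional groups,
# removal of default cloud users, user lifecycle and passwordless sudo.
# Every block carries the "users" tag so the role can be run in isolation.

- name: Create the groups that we want to add to the users
  tags: users
  block:
    # NOTE(review): the group created here is `users_sudoers_group`, while the
    # admin users further down are added to `deb_users_sudoers_group` /
    # `rh_users_sudoers_group` — confirm the role defaults line these up.
    - name: Create the sudoers group if needed
      ansible.builtin.group:
        name: "{{ users_sudoers_group }}"
        state: present
      when: users_sudoers_create_group | bool

    # The drop-in is what grants the group its sudo rights. A sudoers file with
    # a syntax error makes sudo refuse to run on the host, so the rendered file
    # is checked with visudo before it replaces anything under /etc/sudoers.d.
    - name: Add a sudo additional configuration for the new sudoers group
      ansible.builtin.template:
        src: sudoers.j2
        dest: "/etc/sudoers.d/{{ users_sudoers_group }}"
        owner: root
        group: root
        mode: "0600"
        validate: /usr/sbin/visudo -cf %s
      when: users_sudoers_create_sudo_conf | bool
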
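- name: Manage additional groups
  # `is defined` already yields a boolean; the previous `| bool` was a no-op.
  when: users_additional_groups is defined
  tags: users
  block:
    # Each item is a mapping with `group` and an optional `state`
    # (defaults to "present"). `default([], true)` also covers the variable
    # being set to an empty/null value, which the loop would otherwise reject.
    - name: Create or remove each additional group
      ansible.builtin.group:
        name: "{{ item.group }}"
        state: "{{ item.state | default('present') }}"
      loop: "{{ users_additional_groups | default([], true) }}"
      loop_control:
        label: "{{ item.group }}"
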
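- name: Remove some default users from cloud images
  tags:
    - users
    - default_users
  block:
    # `remove: true` deletes the account together with its home directory.
    # An unset or null `users_default_cloud_users` now means "nothing to
    # remove" instead of a templating error on the loop.
    - name: Remove the default cloud users
      ansible.builtin.user:
        name: "{{ item }}"
        state: absent
        remove: true
      loop: "{{ users_default_cloud_users | default([], true) }}"
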
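- name: Manage the users of a system
  tags: users
  block:
    # Per-item keys: login (required), group, groups, name, home, createhome,
    # shell, password, update_password, state, remove_data, ssh_key, admin.
    # `password` must already be a crypt(3) hash — the module does not hash it;
    # the default "*" leaves password login disabled. `update_password:
    # on_create` keeps an existing hash untouched on later runs.
    # `item.home` is the parent directory the home is created under.
    - name: Manage the creation or removal of the default set of users
      ansible.builtin.user:
        name: "{{ item.login }}"
        group: "{{ item.group | default(omit) }}"
        groups: "{{ item.groups | default(omit) }}"
        append: true
        comment: "{{ item.name | default(item.login) }}"
        home: "{{ item.home | default('/home') }}/{{ item.login }}"
        create_home: "{{ item.createhome | default(true) }}"
        shell: "{{ item.shell | default('/bin/bash') }}"
        password: "{{ item.password | default('*') }}"
        update_password: "{{ item.update_password | default('on_create') }}"
        state: "{{ item.state | default('present') }}"
        remove: "{{ item.remove_data | default(false) }}"
        force: true
      loop: "{{ users_system_users | default([], true) }}"
      # Keep the item (and therefore the hash) out of the log when one is set.
      no_log: "{{ item.password is defined }}"

    # `exclusive: true` makes `ssh_key` the only authorized key(s) for the
    # account: anything else already in authorized_keys is removed.
    - name: Ensure that the users can login with their ssh keys
      ansible.posix.authorized_key:
        user: "{{ item.login }}"
        key: "{{ item.ssh_key }}"
        exclusive: true
        state: present
      loop: "{{ users_system_users | default([], true) }}"
      when:
        - item.ssh_key is defined
        - item.state is not defined or item.state == "present"

    # Only Debian and RedHat families have a known sudoers group. Previously
    # any other family rendered an empty group name; the task is now skipped
    # there instead.
    - name: Add the admin users to the sudoers group
      ansible.builtin.user:
        name: "{{ item.login }}"
        groups: "{{ deb_users_sudoers_group if ansible_distribution_file_variety == 'Debian' else rh_users_sudoers_group }}"
        append: true
      loop: "{{ users_system_users | default([], true) }}"
      when:
        - ansible_distribution_file_variety in ["Debian", "RedHat"]
        - item.admin is defined and item.admin
        - item.state is not defined or item.state == "present"
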
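# Mirrors the "Manage the users of a system" block for a second list,
# `users_system_users_adjunct`; the two are kept in sync by hand.
- name: Manage additional users
  tags: users
  block:
    # `password` must already be a crypt(3) hash — the module does not hash it;
    # the default "*" leaves password login disabled. `update_password:
    # on_create` keeps an existing hash untouched on later runs.
    # `item.home` is the parent directory the home is created under.
    - name: Manage the creation or removal of additional users
      ansible.builtin.user:
        name: "{{ item.login }}"
        group: "{{ item.group | default(omit) }}"
        groups: "{{ item.groups | default(omit) }}"
        append: true
        comment: "{{ item.name | default(item.login) }}"
        home: "{{ item.home | default('/home') }}/{{ item.login }}"
        create_home: "{{ item.createhome | default(true) }}"
        shell: "{{ item.shell | default('/bin/bash') }}"
        password: "{{ item.password | default('*') }}"
        update_password: "{{ item.update_password | default('on_create') }}"
        state: "{{ item.state | default('present') }}"
        remove: "{{ item.remove_data | default(false) }}"
        force: true
      loop: "{{ users_system_users_adjunct | default([], true) }}"
      # Keep the item (and therefore the hash) out of the log when one is set.
      no_log: "{{ item.password is defined }}"

    # `exclusive: true` makes `ssh_key` the only authorized key(s) for the
    # account: anything else already in authorized_keys is removed.
    - name: Ensure that the additional users can login with their ssh keys
      ansible.posix.authorized_key:
        user: "{{ item.login }}"
        key: "{{ item.ssh_key }}"
        exclusive: true
        state: present
      loop: "{{ users_system_users_adjunct | default([], true) }}"
      when:
        - item.ssh_key is defined
        - item.state is not defined or item.state == "present"

    # Only Debian and RedHat families have a known sudoers group. Previously
    # any other family rendered an empty group name; the task is now skipped
    # there instead.
    - name: Add the additional admin users to the sudoers group
      ansible.builtin.user:
        name: "{{ item.login }}"
        groups: "{{ deb_users_sudoers_group if ansible_distribution_file_variety == 'Debian' else rh_users_sudoers_group }}"
        append: true
      loop: "{{ users_system_users_adjunct | default([], true) }}"
      when:
        - ansible_distribution_file_variety in ["Debian", "RedHat"]
        - item.admin is defined and item.admin
        - item.state is not defined or item.state == "present"
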
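- name: Configure passwordless sudo
  tags:
    - users
    - sudo_wheel
  block:
    # Both tasks edit /etc/sudoers in place. The candidate file is run through
    # `visudo -cf` first so a malformed line is rejected rather than written —
    # a broken /etc/sudoers leaves sudo refusing to run on the host.
    # NOPASSWD means any member of the group reaches root without re-entering
    # a password, so a compromised member session or ssh key is root outright.
    - name: Permit sudo without password on Deb based systems
      ansible.builtin.lineinfile:
        path: /etc/sudoers
        state: present
        regexp: '^%{{ deb_users_sudoers_group }}\s'
        line: '%{{ deb_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL'
        validate: /usr/sbin/visudo -cf %s
      when: ansible_distribution_file_variety == "Debian"

    - name: Change the sudo configuration to permit sudo without password on RH/CentOS systems
      ansible.builtin.lineinfile:
        path: /etc/sudoers
        state: present
        regexp: '^%{{ rh_users_sudoers_group }}\s'
        line: '%{{ rh_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL'
        validate: /usr/sbin/visudo -cf %s
      when: ansible_distribution_file_variety == "RedHat"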