Role that configure users and sudo permissions.
This commit is contained in:
parent
b542a58a8c
commit
efc0b242ba
|
@ -0,0 +1,24 @@
|
||||||
|
---
|
||||||
|
service_custom_installation: False
|
||||||
|
service_user: sys_admin
|
||||||
|
service_group: '{{ sys_user }}'
|
||||||
|
service_sudoers_group: adminsu
|
||||||
|
|
||||||
|
service_data_directory: /var/lib/foo
|
||||||
|
#service_other_directories:
|
||||||
|
# - /var/lib/bar
|
||||||
|
|
||||||
|
service_log_directories:
|
||||||
|
- /var/log/foo
|
||||||
|
- /var/log/foo/search
|
||||||
|
|
||||||
|
# Define the following if you want some directories readable and writable by the common group but outside the default app data dirs
|
||||||
|
#additional_data_directories:
|
||||||
|
# - { name: '/data/1', perms: 0755, create: True, owner: 'root', group: '{{ sys_group }}', aclperms: 'rwX' }
|
||||||
|
# - { name: '/data/2', create: False, perms: 0755, owner: 'root', group: '{{ sys_group }}', aclperms: 'rwX' }
|
||||||
|
# - { name: '/data/bah', create: False, perms: 0644, aclperms: 'rw' }
|
||||||
|
|
||||||
|
# Define the following array when you want to add commands to the sudoers file
|
||||||
|
#service_sudo_commands:
|
||||||
|
# - /etc/init.d/virtuoso-opensource-7
|
||||||
|
# - /sbin/reboot
|
|
@ -0,0 +1,3 @@
|
||||||
|
---
|
||||||
|
dependencies:
|
||||||
|
- '../../library/roles/users'
|
|
@ -0,0 +1,23 @@
|
||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: Create the service user, if it is not used to run the tomcat instances
|
||||||
|
user: name={{ service_user }} home={{ service_data_directory }} createhome=no shell=/usr/sbin/nologin
|
||||||
|
|
||||||
|
- name: Add the additional service groups
|
||||||
|
group: name={{ item }} state=present
|
||||||
|
with_items:
|
||||||
|
- '{{ service_group }}'
|
||||||
|
- '{{ service_sudoers_group }}'
|
||||||
|
|
||||||
|
- name: Add selected users to the limited sudoers group
|
||||||
|
user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
|
||||||
|
with_items: '{{ users_system_users | default([]) }}'
|
||||||
|
when: item.limited_sudoers_user
|
||||||
|
|
||||||
|
- name: Remove selected users to the limited sudoers group
|
||||||
|
user: name={{ item.login }} groups={{ service_sudoers_group }}
|
||||||
|
with_items: '{{ users_system_users | default([]) }}'
|
||||||
|
when: not item.limited_sudoers_user
|
||||||
|
|
||||||
|
when: service_custom_installation
|
||||||
|
tags: [ 'services', 'users' ]
|
|
@ -0,0 +1,16 @@
|
||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: Create the users additional data dirs
|
||||||
|
file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
|
||||||
|
with_items: '{{ additional_data_directories | default([]) }}'
|
||||||
|
when: item.create and not item.file
|
||||||
|
|
||||||
|
- name: Set the read/write/access permissions on the users additional data dirs
|
||||||
|
acl: name={{ item.name }} entity={{ service_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present recursive=yes
|
||||||
|
with_items: '{{ additional_data_directories | default([]) }}'
|
||||||
|
|
||||||
|
- name: Set the default read/write/access permissions on the users additional data dirs
|
||||||
|
acl: name={{ item.name }} entity={{ service_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes
|
||||||
|
with_items: '{{ additional_data_directories | default([]) }}'
|
||||||
|
|
||||||
|
tags: [ 'users', 'users_acl' ]
|
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
- import_tasks: common-groups.yml
|
||||||
|
- import_tasks: sudo-config.yml
|
||||||
|
- import_tasks: services-data-dirs.yml
|
||||||
|
when: service_custom_installation
|
||||||
|
- import_tasks: common-users-data-dirs.yml
|
||||||
|
when: additional_data_directories is defined
|
|
@ -0,0 +1,23 @@
|
||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: Create the service data dirs
|
||||||
|
file: name={{ item }} state=directory owner={{ service_user }} group={{ service_group }} mode=0750
|
||||||
|
with_items: '{{ service_other_directories }}'
|
||||||
|
|
||||||
|
- name: Set the read/write permissions on the service data dirs
|
||||||
|
acl: name={{ item }} entity={{ service_group }} etype=group permissions=rwX state=present recursive=yes
|
||||||
|
with_items: '{{ service_other_directories | default([]) }}'
|
||||||
|
|
||||||
|
- name: Set the default read/write permissions on the service data dirs
|
||||||
|
acl: name={{ item }} entity={{ service_group }} etype=group permissions=rwX state=present default=yes recursive=yes
|
||||||
|
with_items: '{{ service_other_directories | default([]) }}'
|
||||||
|
|
||||||
|
- name: Set the read permissions on the service log dirs
|
||||||
|
acl: name={{ item }} entity={{ service_group }} etype=group permissions=rX state=present recursive=yes
|
||||||
|
with_items: '{{ service_log_directories }}'
|
||||||
|
|
||||||
|
- name: Set the default read permissions on the service log dirs
|
||||||
|
acl: name={{ item }} entity={{ service_group }} etype=group permissions=rX state=present default=yes recursive=yes
|
||||||
|
with_items: '{{ service_log_directories }}'
|
||||||
|
|
||||||
|
tags: [ 'service', 'users' ]
|
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
- name: Install the sudoers config that allows users to execute some privileged commands
|
||||||
|
template: src=service-sudoers.j2 dest=/etc/sudoers.d/service-group owner=root group=root mode=0440
|
||||||
|
when: service_sudo_commands is defined
|
||||||
|
tags: [ 'service', 'sudo', 'users' ]
|
||||||
|
|
|
@ -0,0 +1,2 @@
|
||||||
|
%{{ service_sudoers_group }} ALL=(ALL) NOPASSWD: {% for cmd in service_sudo_commands %}{{ cmd }}{% if not loop.last %}, {% endif %}{% endfor %}
|
||||||
|
|
Loading…
Reference in New Issue