forked from ISTI-ansible-roles/ansible-roles
108 lines
4.5 KiB
YAML
108 lines
4.5 KiB
YAML
---
|
|
- block:
|
|
- name: Create the sudoers group if needed
|
|
group: name={{ users_sudoers_group }} state=present
|
|
when: users_sudoers_create_group
|
|
|
|
- name: Add a sudo additional configuration for the new sudoers group
|
|
template: src=sudoers.j2 dest=/etc/sudoers.d/{{ users_sudoers_group }}
|
|
when: users_sudoers_create_sudo_conf
|
|
|
|
tags: users
|
|
|
|
- block:
|
|
- name: Manage additional groups
|
|
group: name={{ item.group }} state={{ item.state | default('present') }}
|
|
with_items: '{{ users_additional_groups }}'
|
|
|
|
when: users_additional_groups is defined
|
|
tags: users
|
|
|
|
- block:
|
|
- name: Create users
|
|
user: name={{ item.login }} group={{ item.group | default(omit) }} comment="{{ item.name }}" home={{ item.home }}/{{ item.login }} createhome={{ item.createhome }} shell={{ item.shell }} password={{ item.password | default('*') }} update_password={{ item.update_password | default('on_create') }}
|
|
with_items: '{{ users_system_users | default([]) }}'
|
|
|
|
- name: ensure that the users can login with their ssh keys
|
|
authorized_key: user="{{ item.login }}" key="{{ item.ssh_key }}" state=present
|
|
with_items: '{{ users_system_users | default([]) }}'
|
|
when: item.ssh_key is defined
|
|
|
|
- name: Add the admin users to the sudoers group on debian based systems
|
|
user: name={{ item.login }} groups={{ deb_users_sudoers_group }} append=yes
|
|
with_items: '{{ users_system_users | default([]) }}'
|
|
when:
|
|
- item.admin
|
|
- ansible_distribution_file_variety == "Debian"
|
|
|
|
- name: Add the admin users to the sudoers group on rh/centos systems
|
|
user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes
|
|
with_items: '{{ users_system_users }}'
|
|
when:
|
|
- item.admin
|
|
- ansible_distribution_file_variety == "RedHat"
|
|
|
|
- name: ensure that the users can login with their ssh keys as root if we want ensure direct access
|
|
authorized_key: user=root key="{{ item.ssh_key }}" state=present
|
|
with_items: '{{ users_system_users }}'
|
|
when:
|
|
- item.ssh_key is defined
|
|
- ( item.log_as_root is defined ) and ( item.log_as_root )
|
|
|
|
when: users_system_users is defined
|
|
tags: users
|
|
|
|
- block:
|
|
- name: Create additional users
|
|
user: name={{ item.login }} group={{ item.group | default(omit) }} comment="{{ item.name }}" home={{ item.home }}/{{ item.login }} createhome={{ item.createhome }} shell={{ item.shell }} password={{ item.password | default('*') }} update_password={{ item.update_password | default('on_create') }}
|
|
with_items: '{{ users_system_users_adjunct }}'
|
|
|
|
- name: ensure that the additional users can login with their ssh keys
|
|
authorized_key: user="{{ item.login }}" key="{{ item.ssh_key }}" state=present
|
|
with_items: '{{ users_system_users_adjunct }}'
|
|
when: item.ssh_key is defined
|
|
|
|
- name: Add the additional admin users to the sudoers group on debian based systems
|
|
user: name={{ item.login }} groups={{ deb_users_sudoers_group }} append=yes
|
|
with_items: '{{ users_system_users_adjunct }}'
|
|
when:
|
|
- item.admin
|
|
- ansible_distribution_file_variety == "Debian"
|
|
|
|
- name: Add the additional admin users to the sudoers group on rh/centos systems
|
|
user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes
|
|
with_items: '{{ users_system_users_adjunct }}'
|
|
when:
|
|
- item.admin
|
|
- ansible_distribution_file_variety == "RedHat"
|
|
|
|
- name: ensure that the additional users can login with their ssh keys as root if we want ensure direct access
|
|
authorized_key: user=root key="{{ item.ssh_key }}" state=present
|
|
with_items: '{{ users_system_users_adjunct }}'
|
|
when:
|
|
- item.ssh_key is defined
|
|
- ( item.log_as_root is defined ) and ( item.log_as_root )
|
|
|
|
when: users_system_users_adjunct is defined
|
|
tags: users
|
|
|
|
- block:
|
|
- name: Permit sudo without password on Deb based systems
|
|
lineinfile:
|
|
path: /etc/sudoers
|
|
state: present
|
|
regexp: '^%{{ deb_users_sudoers_group }}\s'
|
|
line: '%{{ deb_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL'
|
|
when: ansible_distribution_file_variety == "Debian"
|
|
|
|
- name: Change the sudo configuration to permit sudo without password on RH/CentOS systems
|
|
lineinfile:
|
|
path: /etc/sudoers
|
|
state: present
|
|
regexp: '^%{{ rh_users_sudoers_group }}\s'
|
|
line: '%{{ rh_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL'
|
|
when: ansible_distribution_file_variety == "RedHat"
|
|
|
|
tags: [ 'users', 'sudo_wheel' ]
|
|
|