---
# tasks file for users
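# Create the directory on the control node that holds the SSH keys this role
# generates for managed users. Runs on localhost without privilege escalation
# because the key material lives on the controller, not on the managed host.
- name: create local ssh_key_directory
  ansible.builtin.file:
    path: "{{ users_ssh_key_directory }}"
    state: directory
    # Owner read/write, group read-only, no access for others; quoted so the
    # value is taken as an octal mode string rather than a number.
    mode: "0750"
  when:
    - user.manage_ssh_key is defined
    - user.manage_ssh_key | bool
  delegate_to: localhost
  # Canonical boolean (yamllint `truthy`); "no" is parsed differently by
  # YAML 1.1 and 1.2 loaders.
  become: false
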
# Create, update or remove the account described by `user`. Only attributes
# the caller actually set are passed on; every other argument is omitted so
# the module leaves the existing value alone. The result is registered for
# the private-key copy task further down.
- name: manage users {{ user.name }}
  ansible.builtin.user:
    # identity
    name: '{{ user.name }}'
    uid: '{{ user.uid | default(omit) }}'
    group: '{{ user.group | default(omit) }}'
    groups: '{{ user.groups | default(omit) }}'
    system: '{{ user.system | default(omit) }}'
    comment: '{{ user.comment | default(omit) }}'
    # home and login shell
    home: '{{ user.home | default(omit) }}'
    create_home: '{{ users_create_home }}'
    shell: '{{ user.shell | default(users_shell) }}'
    # credentials and lifetime
    password: '{{ user.password | default(omit) }}'
    update_password: '{{ user.update_password | default(omit) }}'
    expires: '{{ user.expires | default(omit) }}'
    state: '{{ user.state | default("present") }}'
  register: users_manage_user

# Render a per-user sudoers drop-in from sudo.j2. sudo ignores files in
# sudoers.d whose name contains a "." character, so dots in the user name
# are rewritten to "dot" to keep the file effective.
- name: set sudo options for {{ user.name }}
  ansible.builtin.template:
    src: sudo.j2
    dest: "/etc/sudoers.d/{{ user.name | replace('.', 'dot') }}"
    mode: "0640"
    # Run visudo on the rendered file before it is moved into place: a syntax
    # error in a drop-in can break sudo for every user on the host.
    validate: /usr/sbin/visudo -cf %s
  loop_control:
    label: "{{ user.name }}"
  when:
    - user.sudo_options is defined

# Counterpart of the template task above: drop the per-user sudoers file when
# the user entry carries no sudo_options, using the same "." -> "dot" file
# name mapping so the right file is removed.
- name: remove sudo options for {{ user.name }}
  ansible.builtin.file:
    path: "/etc/sudoers.d/{{ user.name | replace('.', 'dot') }}"
    state: absent
  loop_control:
    label: "{{ user.name }}"
  when:
    - user.sudo_options is not defined

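# Make sure /etc/sudoers actually reads the drop-in directory the tasks above
# write to. lineinfile appends at EOF when the line is missing, which is a
# valid position for an include directive.
# NOTE(review): newer sudo releases ship a default sudoers with
# "@includedir /etc/sudoers.d"; this task does not recognise that spelling
# and would add a second include of the same directory. Harmless, but a
# regexp matching either form would avoid the duplicate — confirm against the
# target distributions before changing it.
- name: ensure the sudoers.d directory is checked for user sudoers files (will be put after EOF if not exists)
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    state: present
    line: '#includedir /etc/sudoers.d'
    # Never write /etc/sudoers unvalidated: a malformed file locks everyone
    # out of sudo. Same check the template task in this file applies to the
    # drop-ins.
    validate: /usr/sbin/visudo -cf %s
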
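# Generate the user's private key on the control node. The actual key-
# generation command (and therefore key type/size) comes from the role
# variable users_ssh_keygen_command; `creates` keeps the task idempotent so an
# existing key is never overwritten.
- name: generate private ssh key for {{ user.name }}
  ansible.builtin.command:
    cmd: "{{ users_ssh_keygen_command }}"
    creates: "{{ users_ssh_key_directory }}/{{ user.name }}"
  when:
    - user.manage_ssh_key is defined
    - user.manage_ssh_key | bool
  loop_control:
    label: "{{ user.name }}"
  delegate_to: localhost
  # Key material is created and kept on the controller; no escalation needed.
  become: false
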
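# Derive the public key from the private key generated above. `shell` is
# required here because the output is captured with a redirect; the target
# path is double-quoted so a directory or user name containing spaces or
# shell metacharacters cannot split or alter the redirection.
- name: generate public ssh key for {{ user.name }}
  ansible.builtin.shell:
    cmd: '{{ users_ssh_keygen_pubkey_command }} > "{{ users_ssh_key_directory }}/{{ user.name }}.pub"'
    creates: "{{ users_ssh_key_directory }}/{{ user.name }}.pub"
  when:
    - user.manage_ssh_key is defined
    - user.manage_ssh_key | bool
  loop_control:
    label: "{{ user.name }}"
  delegate_to: localhost
  # Runs on the controller against controller-owned files; no escalation.
  become: false
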
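# Export the key in RFC4716 format for clients that cannot read the OpenSSH
# format. Note that `ssh-keygen -e` prints the *public* key in its default
# export format (RFC4716), not a PuTTY .ppk private key, despite the file
# extension and task name; callers needing a real .ppk would need puttygen.
- name: convert ssh key to ppk for {{ user.name }}
  ansible.builtin.shell:
    # Folded scalar: the three lines below become one shell command line.
    cmd: >
      ssh-keygen -e -f "{{ users_ssh_key_directory }}/{{ user.name }}"
      -C "Generated by Ansible role robertdebock.users"
      > "{{ users_ssh_key_directory }}/{{ user.name }}.ppk"
    creates: "{{ users_ssh_key_directory }}/{{ user.name }}.ppk"
  when:
    - user.manage_ssh_key is defined
    - user.manage_ssh_key | bool
  delegate_to: localhost
  # Controller-local file operation; no escalation needed.
  become: false
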
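# Create ~/.ssh for the managed user, as that user, so ownership is correct
# without a separate chown. The directory is placed in the home the user
# entry declares; "/home/<name>" is only the fallback when none is given,
# which keeps the previous behaviour for entries without `home`.
# NOTE(review): `become_user` requires the account to exist; entries with
# state "absent" and manage_ssh_key true would fail here — confirm whether
# an additional state guard is wanted.
- name: create .ssh directory for {{ user.name }}
  ansible.builtin.file:
    path: "{{ user.home | default('/home/' ~ user.name) }}/.ssh"
    state: directory
    # Owner-only access; a leading zero makes the octal intent explicit and
    # matches the other mode values in this file.
    mode: "0700"
  become: true
  become_user: "{{ user.name }}"
  when:
    - user.manage_ssh_key is defined
    # `| bool` for consistency with the other manage_ssh_key checks, so
    # string values such as "false" are not treated as truthy.
    - user.manage_ssh_key | bool
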
# Add every public key listed under `authorized_keys` to the user's
# authorized_keys file. Keys are added individually; existing keys not in the
# list are left in place (removal is handled by the next task).
- name: Deploy authorized keys for {{ user.name }}
  ansible.posix.authorized_key:
    user: '{{ user.name }}'
    key: '{{ item }}'
    state: present
  loop: '{{ user.authorized_keys }}'
  loop_control:
    # Show the user rather than the key text in task output.
    label: '{{ user.name }}'
  when:
    - user.authorized_keys is defined

# Remove every public key listed under `unauthorized_keys` from the user's
# authorized_keys file; keys not listed there are untouched.
- name: Remove unauthorized keys for {{ user.name }}
  ansible.posix.authorized_key:
    user: '{{ user.name }}'
    key: '{{ item }}'
    state: absent
  loop: '{{ user.unauthorized_keys }}'
  loop_control:
    # Show the user rather than the key text in task output.
    label: '{{ user.name }}'
  when:
    - user.unauthorized_keys is defined

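# Install the controller-generated private key into the user's ~/.ssh on the
# managed host. The destination follows the declared home directory and falls
# back to /home/<name>, matching the .ssh directory task above.
# NOTE(review): the file is always named id_rsa regardless of the key type
# users_ssh_keygen_command produced; ssh only auto-loads it under that name
# if it is in fact an RSA key — confirm against the keygen command.
- name: copy generated private ssh key for {{ user.name }}
  ansible.builtin.copy:
    src: "{{ users_ssh_key_directory }}/{{ user.name }}"
    dest: "{{ user.home | default('/home/' ~ user.name) }}/.ssh/id_rsa"
    # Private key: owner read-only, nothing for group or others. Leading
    # zero makes the octal intent explicit, as elsewhere in this file.
    mode: "0400"
    owner: "{{ user.name }}"
    group: "{{ user.group | default(omit) }}"
  when:
    - users_manage_user is defined
    - user.copy_private_key is defined
    - user.copy_private_key | bool
  loop_control:
    label: "{{ user.name }}"
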
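# Read the account's current maximum password age (field 5 of /etc/shadow)
# so the next task only calls chage when the value really differs. The user
# name is handed to awk as a variable instead of being spliced into the awk
# program text, so a name containing quotes or other awk-special characters
# cannot change what the program does. (`-v` applies escape-sequence
# processing to its value; POSIX user names contain no backslashes.)
- name: check users password valid time
  ansible.builtin.command:
    # argv avoids a second round of word-splitting on the rendered string.
    argv:
      - awk
      - -F
      - ":"
      - -v
      - "user={{ user.name }}"
      - '$1 == user { print $5 }'
      - /etc/shadow
  register: users_pw_valid
  # Read-only query: never report a change, and run in check mode too so the
  # comparison in the following task has data to work with.
  changed_when: false
  check_mode: false
  when:
    # Skip only accounts being removed; an unset state means "present".
    - user.state | default('present') != 'absent'
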
# Apply the requested maximum password age, but only when the value read
# from /etc/shadow by the previous task differs from the requested one, so
# the task is idempotent. Conditions are ordered so later ones are only
# evaluated once the variables they reference are known to exist.
- name: set users password valid time
  ansible.builtin.command:
    argv:
      - chage
      - -M
      - '{{ user.password_validity_days }}'
      - '{{ user.name }}'
  when:
    - user.password_validity_days is defined
    - users_pw_valid.stdout is defined
    - users_pw_valid.stdout | int != user.password_validity_days | int
