omni-ansible/playbooks/update-users-local.yml

---
- import_playbook: dependencies.yml

- hosts: all
  name: Prompt for variables
  tasks:
    - import_tasks: tasks/users-preprocessing.yml

    - name: Create local user accounts
      tags: users_create
      become: true
      block:
        - name: Create groups
          group:
            name: "{{ item }}"
            state: present
          with_items:
            - "{{ targets }}"
            - omni

        - name: Create users
          user:
            name: "{{ item.name }}"
            comment: "{{ item.fullname | default('') }}"
            shell: /bin/bash
            groups: "{{ item.targets | intersect(targets) }} + {{ [ 'omni' ] if item.name != 'root' else [] }}"
            system: "{{ item.svc | default('no') }}"
            state: present
            generate_ssh_key: "{{ 'yes' if generate_keys|bool == true else 'no' }}"
            ssh_key_comment: "{{ item.name }}@{{ inventory_hostname }}"
            ssh_key_bits: 4096
            password: "{{ item.password }}"
          with_items:
            - "{{ local_users | difference([None]) }}"

        - name: Copy new keys
          when: generate_keys|bool == true
          fetch:
            dest: "{{ playbook_dir + '/keys/' + item.name + '/' + inventory_hostname + '.pub' if item.name != 'root' and item.name != 'ansible' else '/dev/null' }}"
            flat: yes
            fail_on_missing: no
            src: /home/{{ item.name }}/.ssh/id_rsa.pub
            validate_checksum: no
          with_items:
            - "{{ local_users | difference([None]) }}"

    - name: Delete users that have been removed
      tags: users_delete
      block:
        - name: Determine existing users
          shell: 'grep omni /etc/group | cut -d: -f4 | tr "," "\n"'
          changed_when: false
          register: existing_users

        - name: Coallate user names
          set_fact:
            user_names: "{{ user_names | default([]) + [item.name] }}"
          with_items: "{{ users }}"

        - name: Determine removed users
          set_fact:
            removed_users: "{{ existing_users.stdout_lines | difference(user_names) }}"

        - name: Delete removed user accounts
          become: true
          user:
            name: "{{ item }}"
            state: absent
          with_items: "{{ removed_users }}"

    - name: Grant sudo permissions
      tags: users_sudo
      block:
        - name: Add users to sudo group on Fedora/CentOS/RHEL
          when: ansible_distribution == "Fedora" or ansible_distribution == "Red Hat Enterprise Linux" or ansible_distribution == "CentOS"
          become: true
          user:
            name: "{{ item }}"
            groups: wheel
            state: present
          with_items:
            - "{{ local_admin_users | difference([None]) }}"

        - name: Disable sudo password for ansible
          become: true
          lineinfile:
            create: yes
            path: /etc/sudoers.d/30-ansible
            line: "ansible ALL=(ALL) NOPASSWD:ALL"
            mode: 0644

        - name: Disable sudo password for admin users
          become: true
          lineinfile:
            create: yes
            path: /etc/sudoers.d/40-admin
            line: "{{ item }} ALL=(ALL) NOPASSWD:ALL"
            mode: 0644
            state: "{{ 'absent' if disable_sudo_password|bool == false else 'present' }}"
          with_items:
            - "{{ local_admin_users | difference([None] )}}"

    - name: Configure GNOME
      tags: users_gnome
      when: ansible_distribution == "Fedora" and disable_gnome_user_list|bool == true
      block:
        - name: Configure GDM profile
          become: true
          blockinfile:
            path: /etc/ssh/sshd_config
            block: |
              user-db:user
              system-db:gdm
              file-db:/usr/share/gdm/greeter-dconf-defaults

        - name: Configure GDM keyfile
          become: true
          blockinfile:
            create: true
            path: /etc/dconf/db/gdm.d/00-login-screen
            block: |
              [org/gnome/login-screen]
              # Do not show the user list
              disable-user-list=true

        - name: Delete existing user database
          become: true
          file:
            path: /var/lib/gdm/.config/dconf/user
            state: absent

        - name: Restart dconf database
          become: true
          shell: dconf update

    - name: Install public keys
      tags: users_keys
      become: true
      block:
        - name: Ensure SSH directory exists
          file:
            state: directory
            path: /home/{{ item.name }}/.ssh
          with_items: "{{ local_users | difference([None]) }}"
        - name: Put keys on remote
          authorized_key:
            user: "{{ item.name }}"
            key: "{{ lookup('pipe','cat keys/' + item.name + '/*') if item.name != 'root' else '' }}"
            state: present
            exclusive: yes
          with_items: "{{ local_users | difference([None]) }}"

    - name: Ensure proper ownership of user home directories
      become: true
      file:
        group: "{{ item.name }}"
        owner: "{{ item.name }}"
        path: /home/{{ item.name }}
        recurse: yes
        state: directory
      with_items:
        - "{{ local_users | difference([None]) }}"

- hosts: all
  name: Disable SSH password authentication
  tasks:
    - import_tasks: tasks/sshd/disable-password-auth.yml
      when: enable_ssh_password_auth|bool == false
Add initial user creation playbook 2018-11-28 02:51:33 +00:00			`---`
Finish update-users playbook 2018-12-13 04:52:32 +00:00			`- import_playbook: dependencies.yml`

Add initial user creation playbook 2018-11-28 02:51:33 +00:00			`- hosts: all`
			`name: Prompt for variables`
Update playbooks and finalize the update-users playbook 2018-12-11 05:48:37 +00:00			`tasks:`
Fix myriad bugs in playbooks Update inventory 2018-12-22 18:55:36 +00:00			`- import_tasks: tasks/users-preprocessing.yml`
Update playbooks and finalize the update-users playbook 2018-12-11 05:48:37 +00:00
Finish update-users playbook 2018-12-13 04:52:32 +00:00			`- name: Create local user accounts`
			`tags: users_create`
Add task to copy generated keys to repo 2018-12-14 03:30:40 +00:00			`become: true`
Finish update-users playbook 2018-12-13 04:52:32 +00:00			`block:`
Update playbooks and finalize the update-users playbook 2018-12-11 05:48:37 +00:00			`- name: Create groups`
			`group:`
			`name: "{{ item }}"`
			`state: present`
			`with_items:`
			`- "{{ targets }}"`
			`- omni`

			`- name: Create users`
			`user:`
			`name: "{{ item.name }}"`
			`comment: "{{ item.fullname \| default('') }}"`
			`shell: /bin/bash`
			`groups: "{{ item.targets \| intersect(targets) }} + {{ [ 'omni' ] if item.name != 'root' else [] }}"`
			`system: "{{ item.svc \| default('no') }}"`
			`state: present`
Fix issues with sudo not being disabled 2018-12-13 05:50:43 +00:00			`generate_ssh_key: "{{ 'yes' if generate_keys\|bool == true else 'no' }}"`
Finish update-users playbook 2018-12-13 04:52:32 +00:00			`ssh_key_comment: "{{ item.name }}@{{ inventory_hostname }}"`
			`ssh_key_bits: 4096`
Update playbooks and finalize the update-users playbook 2018-12-11 05:48:37 +00:00			`password: "{{ item.password }}"`
			`with_items:`
			`- "{{ local_users \| difference([None]) }}"`

Add task to copy generated keys to repo 2018-12-14 03:30:40 +00:00			`- name: Copy new keys`
			`when: generate_keys\|bool == true`
			`fetch:`
			`dest: "{{ playbook_dir + '/keys/' + item.name + '/' + inventory_hostname + '.pub' if item.name != 'root' and item.name != 'ansible' else '/dev/null' }}"`
			`flat: yes`
			`fail_on_missing: no`
			`src: /home/{{ item.name }}/.ssh/id_rsa.pub`
			`validate_checksum: no`
			`with_items:`
			`- "{{ local_users \| difference([None]) }}"`

Update playbooks and finalize the update-users playbook 2018-12-11 05:48:37 +00:00			`- name: Delete users that have been removed`
Finish update-users playbook 2018-12-13 04:52:32 +00:00			`tags: users_delete`
Update playbooks and finalize the update-users playbook 2018-12-11 05:48:37 +00:00			`block:`
			`- name: Determine existing users`
			`shell: 'grep omni /etc/group \| cut -d: -f4 \| tr "," "\n"'`
			`changed_when: false`
			`register: existing_users`

			`- name: Coallate user names`
			`set_fact:`
			`user_names: "{{ user_names \| default([]) + [item.name] }}"`
			`with_items: "{{ users }}"`

			`- name: Determine removed users`
			`set_fact:`
			`removed_users: "{{ existing_users.stdout_lines \| difference(user_names) }}"`

			`- name: Delete removed user accounts`
			`become: true`
			`user:`
			`name: "{{ item }}"`
			`state: absent`
			`with_items: "{{ removed_users }}"`

			`- name: Grant sudo permissions`
Finish update-users playbook 2018-12-13 04:52:32 +00:00			`tags: users_sudo`
Update playbooks and finalize the update-users playbook 2018-12-11 05:48:37 +00:00			`block:`
			`- name: Add users to sudo group on Fedora/CentOS/RHEL`
			`when: ansible_distribution == "Fedora" or ansible_distribution == "Red Hat Enterprise Linux" or ansible_distribution == "CentOS"`
			`become: true`
			`user:`
Fix issues with sudo not being disabled 2018-12-13 05:50:43 +00:00			`name: "{{ item }}"`
Update playbooks and finalize the update-users playbook 2018-12-11 05:48:37 +00:00			`groups: wheel`
			`state: present`
			`with_items:`
Fix issues with sudo not being disabled 2018-12-13 05:50:43 +00:00			`- "{{ local_admin_users \| difference([None]) }}"`
Update playbooks and finalize the update-users playbook 2018-12-11 05:48:37 +00:00
			`- name: Disable sudo password for ansible`
			`become: true`
			`lineinfile:`
			`create: yes`
Finish update-users playbook 2018-12-13 04:52:32 +00:00			`path: /etc/sudoers.d/30-ansible`
Update playbooks and finalize the update-users playbook 2018-12-11 05:48:37 +00:00			`line: "ansible ALL=(ALL) NOPASSWD:ALL"`
			`mode: 0644`

			`- name: Disable sudo password for admin users`
			`become: true`
			`lineinfile:`
			`create: yes`
Fix issues with sudo not being disabled 2018-12-13 05:50:43 +00:00			`path: /etc/sudoers.d/40-admin`
Update playbooks and finalize the update-users playbook 2018-12-11 05:48:37 +00:00			`line: "{{ item }} ALL=(ALL) NOPASSWD:ALL"`
			`mode: 0644`
Fix issues with sudo not being disabled 2018-12-13 05:50:43 +00:00			`state: "{{ 'absent' if disable_sudo_password\|bool == false else 'present' }}"`
Update playbooks and finalize the update-users playbook 2018-12-11 05:48:37 +00:00			`with_items:`
			`- "{{ local_admin_users \| difference([None] )}}"`

			`- name: Configure GNOME`
Finish update-users playbook 2018-12-13 04:52:32 +00:00			`tags: users_gnome`
Fix issues with sudo not being disabled 2018-12-13 05:50:43 +00:00			`when: ansible_distribution == "Fedora" and disable_gnome_user_list\|bool == true`
Update playbooks and finalize the update-users playbook 2018-12-11 05:48:37 +00:00			`block:`
			`- name: Configure GDM profile`
			`become: true`
			`blockinfile:`
			`path: /etc/ssh/sshd_config`
			`block: \|`
			`user-db:user`
			`system-db:gdm`
			`file-db:/usr/share/gdm/greeter-dconf-defaults`

			`- name: Configure GDM keyfile`
			`become: true`
			`blockinfile:`
Update local users to fix dir DNE error Add default option to all groups 2019-03-03 18:23:15 +00:00			`create: true`
Update playbooks and finalize the update-users playbook 2018-12-11 05:48:37 +00:00			`path: /etc/dconf/db/gdm.d/00-login-screen`
			`block: \|`
			`[org/gnome/login-screen]`
			`# Do not show the user list`
			`disable-user-list=true`

			`- name: Delete existing user database`
			`become: true`
Finish update-users playbook 2018-12-13 04:52:32 +00:00			`file:`
			`path: /var/lib/gdm/.config/dconf/user`
			`state: absent`
Update playbooks and finalize the update-users playbook 2018-12-11 05:48:37 +00:00
			`- name: Restart dconf database`
			`become: true`
			`shell: dconf update`
Finish update-users playbook 2018-12-13 04:52:32 +00:00
			`- name: Install public keys`
			`tags: users_keys`
			`become: true`
			`block:`
			`- name: Ensure SSH directory exists`
			`file:`
			`state: directory`
			`path: /home/{{ item.name }}/.ssh`
			`with_items: "{{ local_users \| difference([None]) }}"`
			`- name: Put keys on remote`
			`authorized_key:`
			`user: "{{ item.name }}"`
			`key: "{{ lookup('pipe','cat keys/' + item.name + '/*') if item.name != 'root' else '' }}"`
			`state: present`
			`exclusive: yes`
			`with_items: "{{ local_users \| difference([None]) }}"`

			`- name: Ensure proper ownership of user home directories`
			`become: true`
			`file:`
			`group: "{{ item.name }}"`
			`owner: "{{ item.name }}"`
			`path: /home/{{ item.name }}`
			`recurse: yes`
			`state: directory`
			`with_items:`
			`- "{{ local_users \| difference([None]) }}"`
Updates to segregate configs by device class Split cloud VMs out from local VMs in 'cloud' group Generalize networkd install/config Generalize sshd config Create general update playbook Add host vm-host-nextcloud 2018-12-31 03:54:33 +00:00
			`- hosts: all`
			`name: Disable SSH password authentication`
			`tasks:`
			`- import_tasks: tasks/sshd/disable-password-auth.yml`
			`when: enable_ssh_password_auth\|bool == false`