omni-ansible/playbooks/configure-mgmt.yml

---
- name: Configure server management services
  hosts: servers
  tasks:
    - import_tasks: tasks/sshd/secure.yml

    - name: Enable cockpit
      when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
      become: true
      systemd:
        name: cockpit.socket
        enabled: true
        state: started

- name: Configure virtualization management services
  hosts: virtualization
  tasks:
    - name: Create docker group
      become: true
      group:
        name: docker
        state: present

- name: Configure local accounts
  hosts: all
  vars_files:
    - vars/accounts.yml
    - vars/secrets/passwords.yml
    - vars/sshkeys.yml
  tasks:
    - name: Create omni group
      become: true
      group:
        name: "{{ omni_group.name }}"
        gid: "{{ omni_group.gid }}"
        state: present

    - name: Determine existing omni users
      changed_when: false
      shell:
        cmd: 'grep omni /etc/group | cut --delimiter : --fields 4 | tr "," "\n"'
      register: _existing_omni_users

    - name: Delete removed user accounts
      become: true
      when: item not in (omni_users | items2dict(key_name='name', value_name='uid'))
      user:
        name: "{{ item }}"
        state: absent
      loop: "{{ _existing_omni_users.stdout_lines }}"

    - name: Delete removed user groups
      become: true
      when: item not in (omni_users | items2dict(key_name='name', value_name='uid'))
      group:
        name: "{{ item }}"
        state: absent
      loop: "{{ _existing_omni_users.stdout_lines }}"

    - name: Delete removed user home directories
      become: true
      when: item not in (omni_users | items2dict(key_name='name', value_name='uid'))
      file:
        path: "/home/{{ item }}"
        state: absent
      loop: "{{ _existing_omni_users.stdout_lines }}"

    - name: Create account groups
      become: true
      group:
        name: "{{ item.name }}"
        gid: "{{ item.uid }}"
        state: present
      loop: "{{ omni_users }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"

    - name: Create accounts
      become: true
      user:
        name: "{{ item.name }}"
        state: present
        uid: "{{ item.uid }}"
        group: "{{ item.name }}"
        groups: >-
          {{
            [omni_group.name] +
            (['wheel' if ansible_os_family | lower == 'redhat' else 'sudo'] if item.admin | default(false) else []) +
            (['docker' if 'virtualization' in group_names else omni_group.name] if item.admin | default(false) else [])
          }}
        # The 'else omni_group.name' above is just some non-breaking value to cover the
        # false condition, it doesn't have special meaning
        comment: "{{ item.fullname | default('') }}"
        shell: "{{ '/bin/bash' if 'mgmt' in item.targets else '/bin/false' }}"
        system: "{{ item.svc | default(false) }}"
        generate_ssh_key: false
        password: "{{ omni_users_secrets[item.name] | default(none) }}"
      loop: "{{ omni_users }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"

    - name: Disable sudo password for ansible
      become: true
      lineinfile:
        create: true
        path: /etc/sudoers.d/30-ansible
        line: "ansible ALL=(ALL) NOPASSWD:ALL"
        mode: 0644

    - name: Ensure proper ownership of user home directories
      become: true
      file:
        path: /home/{{ item.name }}
        state: directory
        group: "{{ item.name }}"
        owner: "{{ item.name }}"
        mode: 0700
      loop: "{{ omni_users }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"

    - name: Enforce root password
      become: true
      user:
        name: root
        password: "{{ omni_users_secrets.root }}"
        state: present

    - name: Create SSH directory
      become: true
      file:
        path: /home/{{ item.name }}/.ssh
        owner: "{{ item.name }}"
        group: "{{ item.name }}"
        state: directory
        mode: 0755
      loop: "{{ omni_users }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"

    - name: Update authorized keys
      become: true
      when: "'mgmt' in item.targets"
      authorized_key:
        user: "{{ item.name }}"
        key: "{{ omni_ssh_keys[item.name] | join('\n') }}"
        state: present
        exclusive: true
      loop: "{{ omni_users }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"

    - name: Enforce ownership of authorized keys
      become: true
      when: "'mgmt' in item.targets"
      file:
        path: /home/{{ item.name }}/.ssh/authorized_keys
        state: file
        owner: "{{ item.name }}"
        group: "{{ item.name }}"
        mode: 0400
      loop: "{{ omni_users }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"
Overhaul playbook organizational structure provision playbooks now establish platform-related components of the macro system configure playbooks now configure/update/establish specific subcomponents of systems deploy playbooks will eventually deploy specific applications onto the platform 2020-12-04 19:52:49 +00:00			`---`
			`- name: Configure server management services`
			`hosts: servers`
			`tasks:`
			`- import_tasks: tasks/sshd/secure.yml`

			`- name: Enable cockpit`
			`when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"`
			`become: true`
			`systemd:`
			`name: cockpit.socket`
			`enabled: true`
			`state: started`

			`- name: Configure virtualization management services`
			`hosts: virtualization`
			`tasks:`
			`- name: Create docker group`
			`become: true`
			`group:`
			`name: docker`
			`state: present`

			`- name: Configure local accounts`
			`hosts: all`
			`vars_files:`
			`- vars/accounts.yml`
			`- vars/secrets/passwords.yml`
			`- vars/sshkeys.yml`
			`tasks:`
			`- name: Create omni group`
			`become: true`
			`group:`
			`name: "{{ omni_group.name }}"`
			`gid: "{{ omni_group.gid }}"`
			`state: present`

			`- name: Determine existing omni users`
			`changed_when: false`
			`shell:`
			`cmd: 'grep omni /etc/group \| cut --delimiter : --fields 4 \| tr "," "\n"'`
			`register: _existing_omni_users`

			`- name: Delete removed user accounts`
			`become: true`
			`when: item not in (omni_users \| items2dict(key_name='name', value_name='uid'))`
			`user:`
			`name: "{{ item }}"`
			`state: absent`
			`loop: "{{ _existing_omni_users.stdout_lines }}"`

			`- name: Delete removed user groups`
			`become: true`
			`when: item not in (omni_users \| items2dict(key_name='name', value_name='uid'))`
			`group:`
			`name: "{{ item }}"`
			`state: absent`
			`loop: "{{ _existing_omni_users.stdout_lines }}"`

			`- name: Delete removed user home directories`
			`become: true`
			`when: item not in (omni_users \| items2dict(key_name='name', value_name='uid'))`
			`file:`
			`path: "/home/{{ item }}"`
			`state: absent`
			`loop: "{{ _existing_omni_users.stdout_lines }}"`

			`- name: Create account groups`
			`become: true`
			`group:`
			`name: "{{ item.name }}"`
			`gid: "{{ item.uid }}"`
			`state: present`
			`loop: "{{ omni_users }}"`
			`loop_control:`
			`label: "{{ item.uid }},{{ item.name }}"`

			`- name: Create accounts`
			`become: true`
			`user:`
			`name: "{{ item.name }}"`
			`state: present`
			`uid: "{{ item.uid }}"`
			`group: "{{ item.name }}"`
			`groups: >-`
			`{{`
			`[omni_group.name] +`
			`(['wheel' if ansible_os_family \| lower == 'redhat' else 'sudo'] if item.admin \| default(false) else []) +`
			`(['docker' if 'virtualization' in group_names else omni_group.name] if item.admin \| default(false) else [])`
			`}}`
			`# The 'else omni_group.name' above is just some non-breaking value to cover the`
			`# false condition, it doesn't have special meaning`
			`comment: "{{ item.fullname \| default('') }}"`
			`shell: "{{ '/bin/bash' if 'mgmt' in item.targets else '/bin/false' }}"`
			`system: "{{ item.svc \| default(false) }}"`
			`generate_ssh_key: false`
			`password: "{{ omni_users_secrets[item.name] \| default(none) }}"`
			`loop: "{{ omni_users }}"`
			`loop_control:`
			`label: "{{ item.uid }},{{ item.name }}"`

			`- name: Disable sudo password for ansible`
			`become: true`
			`lineinfile:`
			`create: true`
			`path: /etc/sudoers.d/30-ansible`
			`line: "ansible ALL=(ALL) NOPASSWD:ALL"`
			`mode: 0644`

			`- name: Ensure proper ownership of user home directories`
			`become: true`
			`file:`
			`path: /home/{{ item.name }}`
			`state: directory`
			`group: "{{ item.name }}"`
			`owner: "{{ item.name }}"`
			`mode: 0700`
			`loop: "{{ omni_users }}"`
			`loop_control:`
			`label: "{{ item.uid }},{{ item.name }}"`

			`- name: Enforce root password`
			`become: true`
			`user:`
			`name: root`
			`password: "{{ omni_users_secrets.root }}"`
			`state: present`

			`- name: Create SSH directory`
			`become: true`
			`file:`
			`path: /home/{{ item.name }}/.ssh`
			`owner: "{{ item.name }}"`
			`group: "{{ item.name }}"`
			`state: directory`
			`mode: 0755`
			`loop: "{{ omni_users }}"`
			`loop_control:`
			`label: "{{ item.uid }},{{ item.name }}"`

			`- name: Update authorized keys`
			`become: true`
			`when: "'mgmt' in item.targets"`
			`authorized_key:`
			`user: "{{ item.name }}"`
			`key: "{{ omni_ssh_keys[item.name] \| join('\n') }}"`
			`state: present`
			`exclusive: true`
			`loop: "{{ omni_users }}"`
			`loop_control:`
			`label: "{{ item.uid }},{{ item.name }}"`

			`- name: Enforce ownership of authorized keys`
			`become: true`
			`when: "'mgmt' in item.targets"`
			`file:`
			`path: /home/{{ item.name }}/.ssh/authorized_keys`
			`state: file`
			`owner: "{{ item.name }}"`
			`group: "{{ item.name }}"`
			`mode: 0400`
			`loop: "{{ omni_users }}"`
			`loop_control:`
			`label: "{{ item.uid }},{{ item.name }}"`