Finish update-users playbook
This commit is contained in:
Ethan N. Paul
parent
69d0dcd95b
commit
16b69c51e8
@ -1 +0,0 @@
|
|||||||
../../keys
|
|
||||||
1
playbooks/keys
Symbolic link
1
playbooks/keys
Symbolic link
@ -0,0 +1 @@
|
|||||||
|
../keys
|
||||||
@ -1,4 +1,6 @@
|
|||||||
---
|
---
|
||||||
|
- include_playbook: dependencies.yml
|
||||||
|
|
||||||
- hosts: all
|
- hosts: all
|
||||||
name: Init
|
name: Init
|
||||||
tasks:
|
tasks:
|
||||||
|
|||||||
@ -1,32 +1,44 @@
|
|||||||
---
|
---
|
||||||
|
- import_playbook: dependencies.yml
|
||||||
|
|
||||||
- hosts: all
|
- hosts: all
|
||||||
name: Prompt for variables
|
name: Prompt for variables
|
||||||
vars_prompt:
|
vars_prompt:
|
||||||
- name: "generate_keys"
|
- name: "generate_keys"
|
||||||
prompt: "Generate SSH keypair for new users?"
|
prompt: "Generate SSH keypair for new users?"
|
||||||
default: yes
|
default: yes
|
||||||
|
private: no
|
||||||
when: generate_keys is not defined
|
when: generate_keys is not defined
|
||||||
- name: "enable_sudo_password"
|
- name: "enable_sudo_password"
|
||||||
prompt: "Require user password when running sudo commands?"
|
prompt: "Require user password when running sudo commands?"
|
||||||
default: yes
|
default: yes
|
||||||
|
private: no
|
||||||
when: enable_sudo_password is not defined
|
when: enable_sudo_password is not defined
|
||||||
- name: "disable_gnome_user_list"
|
- name: "disable_gnome_user_list"
|
||||||
prompt: "Disable the GNOME user list?"
|
prompt: "Disable the GNOME user list?"
|
||||||
default: yes
|
default: yes
|
||||||
|
private: no
|
||||||
when: disable_gnome_user_list is not defined
|
when: disable_gnome_user_list is not defined
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Load user variables
|
- name: Pre-processing
|
||||||
|
tags: always
|
||||||
|
block:
|
||||||
|
- name: Load users
|
||||||
include_vars:
|
include_vars:
|
||||||
file: users.yml
|
file: users.yml
|
||||||
|
|
||||||
- name: Create local user accounts
|
|
||||||
block:
|
|
||||||
- name: Reconcile user targets with host targets to get host users
|
- name: Reconcile user targets with host targets to get host users
|
||||||
set_fact:
|
set_fact:
|
||||||
local_users: "{{ local_users | default([]) + [item if item.targets | intersect(targets) else None] }}"
|
local_users: "{{ local_users | default([]) + [item if item.targets | intersect(targets) else None] }}"
|
||||||
with_items: "{{ users }}"
|
with_items: "{{ users }}"
|
||||||
|
- name: Get administrative users
|
||||||
|
set_fact:
|
||||||
|
local_admin_users: "{{ local_admin_users | default([]) + [item.name if item.admin else None] }}"
|
||||||
|
with_items: "{{ local_users | difference([None]) }}"
|
||||||
|
|
||||||
|
- name: Create local user accounts
|
||||||
|
tags: users_create
|
||||||
|
block:
|
||||||
- name: Create groups
|
- name: Create groups
|
||||||
become: true
|
become: true
|
||||||
group:
|
group:
|
||||||
@ -46,11 +58,14 @@
|
|||||||
system: "{{ item.svc | default('no') }}"
|
system: "{{ item.svc | default('no') }}"
|
||||||
state: present
|
state: present
|
||||||
generate_ssh_key: "{{ generate_keys }}"
|
generate_ssh_key: "{{ generate_keys }}"
|
||||||
|
ssh_key_comment: "{{ item.name }}@{{ inventory_hostname }}"
|
||||||
|
ssh_key_bits: 4096
|
||||||
password: "{{ item.password }}"
|
password: "{{ item.password }}"
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ local_users | difference([None]) }}"
|
- "{{ local_users | difference([None]) }}"
|
||||||
|
|
||||||
- name: Delete users that have been removed
|
- name: Delete users that have been removed
|
||||||
|
tags: users_delete
|
||||||
block:
|
block:
|
||||||
- name: Determine existing users
|
- name: Determine existing users
|
||||||
shell: 'grep omni /etc/group | cut -d: -f4 | tr "," "\n"'
|
shell: 'grep omni /etc/group | cut -d: -f4 | tr "," "\n"'
|
||||||
@ -74,12 +89,8 @@
|
|||||||
with_items: "{{ removed_users }}"
|
with_items: "{{ removed_users }}"
|
||||||
|
|
||||||
- name: Grant sudo permissions
|
- name: Grant sudo permissions
|
||||||
|
tags: users_sudo
|
||||||
block:
|
block:
|
||||||
- name: Get administrative users
|
|
||||||
set_fact:
|
|
||||||
local_admin_users: "{{ local_admin_users | default([]) + [item.name if item.admin else None] }}"
|
|
||||||
with_items: "{{ local_users | difference([None]) }}"
|
|
||||||
|
|
||||||
- name: Add users to sudo group on Fedora/CentOS/RHEL
|
- name: Add users to sudo group on Fedora/CentOS/RHEL
|
||||||
when: ansible_distribution == "Fedora" or ansible_distribution == "Red Hat Enterprise Linux" or ansible_distribution == "CentOS"
|
when: ansible_distribution == "Fedora" or ansible_distribution == "Red Hat Enterprise Linux" or ansible_distribution == "CentOS"
|
||||||
become: true
|
become: true
|
||||||
@ -94,23 +105,24 @@
|
|||||||
become: true
|
become: true
|
||||||
lineinfile:
|
lineinfile:
|
||||||
create: yes
|
create: yes
|
||||||
path: /etc/sudoers/30-ansible
|
path: /etc/sudoers.d/30-ansible
|
||||||
line: "ansible ALL=(ALL) NOPASSWD:ALL"
|
line: "ansible ALL=(ALL) NOPASSWD:ALL"
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
||||||
- name: Disable sudo password for admin users
|
- name: Disable sudo password for admin users
|
||||||
when: enable_sudo_password is False
|
when: not enable_sudo_password
|
||||||
become: true
|
become: true
|
||||||
lineinfile:
|
lineinfile:
|
||||||
create: yes
|
create: yes
|
||||||
path: /etc/sudoers/30-ansible
|
path: /etc/sudoers.d/30-ansible
|
||||||
line: "{{ item }} ALL=(ALL) NOPASSWD:ALL"
|
line: "{{ item }} ALL=(ALL) NOPASSWD:ALL"
|
||||||
mode: 0644
|
mode: 0644
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ local_admin_users | difference([None] )}}"
|
- "{{ local_admin_users | difference([None] )}}"
|
||||||
|
|
||||||
- name: Configure GNOME
|
- name: Configure GNOME
|
||||||
when: ansible_distribution == "Fedora" and disable_gnome_user_list is True
|
tags: users_gnome
|
||||||
|
when: ansible_distribution == "Fedora" and disable_gnome_user_list
|
||||||
block:
|
block:
|
||||||
- name: Configure GDM profile
|
- name: Configure GDM profile
|
||||||
become: true
|
become: true
|
||||||
@ -132,8 +144,38 @@
|
|||||||
|
|
||||||
- name: Delete existing user database
|
- name: Delete existing user database
|
||||||
become: true
|
become: true
|
||||||
shell: "mv /var/lib/gdm/.config/dconf/user /var/lib/gdm/.config/user.bkup"
|
file:
|
||||||
|
path: /var/lib/gdm/.config/dconf/user
|
||||||
|
state: absent
|
||||||
|
|
||||||
- name: Restart dconf database
|
- name: Restart dconf database
|
||||||
become: true
|
become: true
|
||||||
shell: dconf update
|
shell: dconf update
|
||||||
|
|
||||||
|
- name: Install public keys
|
||||||
|
tags: users_keys
|
||||||
|
become: true
|
||||||
|
block:
|
||||||
|
- name: Ensure SSH directory exists
|
||||||
|
file:
|
||||||
|
state: directory
|
||||||
|
path: /home/{{ item.name }}/.ssh
|
||||||
|
with_items: "{{ local_users | difference([None]) }}"
|
||||||
|
- name: Put keys on remote
|
||||||
|
authorized_key:
|
||||||
|
user: "{{ item.name }}"
|
||||||
|
key: "{{ lookup('pipe','cat keys/' + item.name + '/*') if item.name != 'root' else '' }}"
|
||||||
|
state: present
|
||||||
|
exclusive: yes
|
||||||
|
with_items: "{{ local_users | difference([None]) }}"
|
||||||
|
|
||||||
|
- name: Ensure proper ownership of user home directories
|
||||||
|
become: true
|
||||||
|
file:
|
||||||
|
group: "{{ item.name }}"
|
||||||
|
owner: "{{ item.name }}"
|
||||||
|
path: /home/{{ item.name }}
|
||||||
|
recurse: yes
|
||||||
|
state: directory
|
||||||
|
with_items:
|
||||||
|
- "{{ local_users | difference([None]) }}"
|
||||||
|
|||||||
Reference in New Issue
Block a user