Finish update-users playbook

This commit is contained in:
Ethan N. Paul 2018-12-12 23:52:32 -05:00
parent 69d0dcd95b
commit 16b69c51e8
4 changed files with 60 additions and 16 deletions

View File

@ -1 +0,0 @@
../../keys

1
playbooks/keys Symbolic link
View File

@ -0,0 +1 @@
../keys

View File

@ -1,4 +1,6 @@
--- ---
- include_playbook: dependencies.yml
- hosts: all - hosts: all
name: Init name: Init
tasks: tasks:

View File

@ -1,32 +1,44 @@
--- ---
- import_playbook: dependencies.yml
- hosts: all - hosts: all
name: Prompt for variables name: Prompt for variables
vars_prompt: vars_prompt:
- name: "generate_keys" - name: "generate_keys"
prompt: "Generate SSH keypair for new users?" prompt: "Generate SSH keypair for new users?"
default: yes default: yes
private: no
when: generate_keys is not defined when: generate_keys is not defined
- name: "enable_sudo_password" - name: "enable_sudo_password"
prompt: "Require user password when running sudo commands?" prompt: "Require user password when running sudo commands?"
default: yes default: yes
private: no
when: enable_sudo_password is not defined when: enable_sudo_password is not defined
- name: "disable_gnome_user_list" - name: "disable_gnome_user_list"
prompt: "Disable the GNOME user list?" prompt: "Disable the GNOME user list?"
default: yes default: yes
private: no
when: disable_gnome_user_list is not defined when: disable_gnome_user_list is not defined
tasks: tasks:
- name: Load user variables - name: Pre-processing
include_vars: tags: always
file: users.yml
- name: Create local user accounts
block: block:
- name: Load users
include_vars:
file: users.yml
- name: Reconcile user targets with host targets to get host users - name: Reconcile user targets with host targets to get host users
set_fact: set_fact:
local_users: "{{ local_users | default([]) + [item if item.targets | intersect(targets) else None] }}" local_users: "{{ local_users | default([]) + [item if item.targets | intersect(targets) else None] }}"
with_items: "{{ users }}" with_items: "{{ users }}"
- name: Get administrative users
set_fact:
local_admin_users: "{{ local_admin_users | default([]) + [item.name if item.admin else None] }}"
with_items: "{{ local_users | difference([None]) }}"
- name: Create local user accounts
tags: users_create
block:
- name: Create groups - name: Create groups
become: true become: true
group: group:
@ -46,11 +58,14 @@
system: "{{ item.svc | default('no') }}" system: "{{ item.svc | default('no') }}"
state: present state: present
generate_ssh_key: "{{ generate_keys }}" generate_ssh_key: "{{ generate_keys }}"
ssh_key_comment: "{{ item.name }}@{{ inventory_hostname }}"
ssh_key_bits: 4096
password: "{{ item.password }}" password: "{{ item.password }}"
with_items: with_items:
- "{{ local_users | difference([None]) }}" - "{{ local_users | difference([None]) }}"
- name: Delete users that have been removed - name: Delete users that have been removed
tags: users_delete
block: block:
- name: Determine existing users - name: Determine existing users
shell: 'grep omni /etc/group | cut -d: -f4 | tr "," "\n"' shell: 'grep omni /etc/group | cut -d: -f4 | tr "," "\n"'
@ -74,12 +89,8 @@
with_items: "{{ removed_users }}" with_items: "{{ removed_users }}"
- name: Grant sudo permissions - name: Grant sudo permissions
tags: users_sudo
block: block:
- name: Get administrative users
set_fact:
local_admin_users: "{{ local_admin_users | default([]) + [item.name if item.admin else None] }}"
with_items: "{{ local_users | difference([None]) }}"
- name: Add users to sudo group on Fedora/CentOS/RHEL - name: Add users to sudo group on Fedora/CentOS/RHEL
when: ansible_distribution == "Fedora" or ansible_distribution == "Red Hat Enterprise Linux" or ansible_distribution == "CentOS" when: ansible_distribution == "Fedora" or ansible_distribution == "Red Hat Enterprise Linux" or ansible_distribution == "CentOS"
become: true become: true
@ -94,23 +105,24 @@
become: true become: true
lineinfile: lineinfile:
create: yes create: yes
path: /etc/sudoers/30-ansible path: /etc/sudoers.d/30-ansible
line: "ansible ALL=(ALL) NOPASSWD:ALL" line: "ansible ALL=(ALL) NOPASSWD:ALL"
mode: 0644 mode: 0644
- name: Disable sudo password for admin users - name: Disable sudo password for admin users
when: enable_sudo_password is False when: not enable_sudo_password
become: true become: true
lineinfile: lineinfile:
create: yes create: yes
path: /etc/sudoers/30-ansible path: /etc/sudoers.d/30-ansible
line: "{{ item }} ALL=(ALL) NOPASSWD:ALL" line: "{{ item }} ALL=(ALL) NOPASSWD:ALL"
mode: 0644 mode: 0644
with_items: with_items:
- "{{ local_admin_users | difference([None] )}}" - "{{ local_admin_users | difference([None] )}}"
- name: Configure GNOME - name: Configure GNOME
when: ansible_distribution == "Fedora" and disable_gnome_user_list is True tags: users_gnome
when: ansible_distribution == "Fedora" and disable_gnome_user_list
block: block:
- name: Configure GDM profile - name: Configure GDM profile
become: true become: true
@ -132,8 +144,38 @@
- name: Delete existing user database - name: Delete existing user database
become: true become: true
shell: "mv /var/lib/gdm/.config/dconf/user /var/lib/gdm/.config/user.bkup" file:
path: /var/lib/gdm/.config/dconf/user
state: absent
- name: Restart dconf database - name: Restart dconf database
become: true become: true
shell: dconf update shell: dconf update
- name: Install public keys
tags: users_keys
become: true
block:
- name: Ensure SSH directory exists
file:
state: directory
path: /home/{{ item.name }}/.ssh
with_items: "{{ local_users | difference([None]) }}"
- name: Put keys on remote
authorized_key:
user: "{{ item.name }}"
key: "{{ lookup('pipe','cat keys/' + item.name + '/*') if item.name != 'root' else '' }}"
state: present
exclusive: yes
with_items: "{{ local_users | difference([None]) }}"
- name: Ensure proper ownership of user home directories
become: true
file:
group: "{{ item.name }}"
owner: "{{ item.name }}"
path: /home/{{ item.name }}
recurse: yes
state: directory
with_items:
- "{{ local_users | difference([None]) }}"