diff --git a/playbooks/update-users-local.yml b/playbooks/update-users-local.yml index d418aa3..b8f371d 100644 --- a/playbooks/update-users-local.yml +++ b/playbooks/update-users-local.yml @@ -2,7 +2,7 @@ - import_playbook: dependencies.yml - hosts: all - name: Prompt for variables + name: Update local user accounts and access controls tasks: - import_tasks: tasks/users-preprocessing.yml @@ -14,9 +14,7 @@ group: name: "{{ item }}" state: present - with_items: - - "{{ targets }}" - - omni + loop: "{{ targets + ['omni'] }}" - name: Create users user: @@ -29,20 +27,9 @@ generate_ssh_key: "{{ 'yes' if generate_keys|bool == true else 'no' }}" ssh_key_comment: "{{ item.name }}@{{ inventory_hostname }}" ssh_key_bits: 4096 + ssh_key_type: ed25519 password: "{{ item.password }}" - with_items: - - "{{ local_users | difference([None]) }}" - - - name: Copy new keys - when: generate_keys|bool == true - fetch: - dest: "{{ playbook_dir + '/keys/' + item.name + '/' + inventory_hostname + '.pub' if item.name != 'root' and item.name != 'ansible' else '/dev/null' }}" - flat: yes - fail_on_missing: no - src: /home/{{ item.name }}/.ssh/id_rsa.pub - validate_checksum: no - with_items: - - "{{ local_users | difference([None]) }}" + loop: "{{ local_users | difference([None]) }}" - name: Delete users that have been removed tags: users_delete @@ -55,18 +42,18 @@ - name: Coallate user names set_fact: user_names: "{{ user_names | default([]) + [item.name] }}" - with_items: "{{ users }}" + loop: "{{ users }}" - name: Determine removed users set_fact: - removed_users: "{{ existing_users.stdout_lines | difference(user_names) }}" + removed_users: "{{ existing_users.stdout_lines | difference(local_users) | difference([None]) }}" - name: Delete removed user accounts become: true user: name: "{{ item }}" state: absent - with_items: "{{ removed_users }}" + loop: "{{ removed_users }}" - name: Grant sudo permissions tags: users_sudo @@ -78,8 +65,7 @@ name: "{{ item }}" groups: wheel state: present - with_items: - - "{{ local_admin_users | difference([None]) }}" + loop: "{{ local_admin_users | difference([None]) }}" - name: Disable sudo password for ansible become: true @@ -97,24 +83,21 @@ line: "{{ item }} ALL=(ALL) NOPASSWD:ALL" mode: 0644 state: "{{ 'absent' if disable_sudo_password|bool == false else 'present' }}" - with_items: - - "{{ local_admin_users | difference([None] )}}" + loop: "{{ local_admin_users | difference([None] )}}" - name: Configure GNOME tags: users_gnome when: ansible_distribution == "Fedora" and disable_gnome_user_list|bool == true + become: true block: - name: Configure GDM profile - become: true blockinfile: path: /etc/ssh/sshd_config block: | user-db:user system-db:gdm file-db:/usr/share/gdm/greeter-dconf-defaults - - name: Configure GDM keyfile - become: true blockinfile: create: true path: /etc/dconf/db/gdm.d/00-login-screen @@ -122,15 +105,11 @@ [org/gnome/login-screen] # Do not show the user list disable-user-list=true - - name: Delete existing user database - become: true file: path: /var/lib/gdm/.config/dconf/user state: absent - - name: Restart dconf database - become: true shell: dconf update - name: Install public keys @@ -141,14 +120,14 @@ file: state: directory path: /home/{{ item.name }}/.ssh - with_items: "{{ local_users | difference([None]) }}" + loop: "{{ local_users | difference([None]) }}" - name: Put keys on remote authorized_key: user: "{{ item.name }}" key: "{{ lookup('pipe','cat keys/' + item.name + '/*') if item.name != 'root' else '' }}" state: present exclusive: yes - with_items: "{{ local_users | difference([None]) }}" + loop: "{{ local_users | difference([None]) }}" - name: Ensure proper ownership of user home directories become: true @@ -158,8 +137,7 @@ path: /home/{{ item.name }} recurse: yes state: directory - with_items: - - "{{ local_users | difference([None]) }}" + loop: "{{ local_users | difference([None]) }}" - hosts: all name: Disable SSH password authentication