Perform user deletion based on target users rather than global
Remove with_items usage in favor of loop
This commit is contained in:
parent
d697a50c1a
commit
193c059e2c
@ -2,7 +2,7 @@
|
|||||||
- import_playbook: dependencies.yml
|
- import_playbook: dependencies.yml
|
||||||
|
|
||||||
- hosts: all
|
- hosts: all
|
||||||
name: Prompt for variables
|
name: Update local user accounts and access controls
|
||||||
tasks:
|
tasks:
|
||||||
- import_tasks: tasks/users-preprocessing.yml
|
- import_tasks: tasks/users-preprocessing.yml
|
||||||
|
|
||||||
@ -14,9 +14,7 @@
|
|||||||
group:
|
group:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
state: present
|
state: present
|
||||||
with_items:
|
loop: "{{ targets + ['omni'] }}"
|
||||||
- "{{ targets }}"
|
|
||||||
- omni
|
|
||||||
|
|
||||||
- name: Create users
|
- name: Create users
|
||||||
user:
|
user:
|
||||||
@ -29,20 +27,9 @@
|
|||||||
generate_ssh_key: "{{ 'yes' if generate_keys|bool == true else 'no' }}"
|
generate_ssh_key: "{{ 'yes' if generate_keys|bool == true else 'no' }}"
|
||||||
ssh_key_comment: "{{ item.name }}@{{ inventory_hostname }}"
|
ssh_key_comment: "{{ item.name }}@{{ inventory_hostname }}"
|
||||||
ssh_key_bits: 4096
|
ssh_key_bits: 4096
|
||||||
|
ssh_key_type: ed25519
|
||||||
password: "{{ item.password }}"
|
password: "{{ item.password }}"
|
||||||
with_items:
|
loop: "{{ local_users | difference([None]) }}"
|
||||||
- "{{ local_users | difference([None]) }}"
|
|
||||||
|
|
||||||
- name: Copy new keys
|
|
||||||
when: generate_keys|bool == true
|
|
||||||
fetch:
|
|
||||||
dest: "{{ playbook_dir + '/keys/' + item.name + '/' + inventory_hostname + '.pub' if item.name != 'root' and item.name != 'ansible' else '/dev/null' }}"
|
|
||||||
flat: yes
|
|
||||||
fail_on_missing: no
|
|
||||||
src: /home/{{ item.name }}/.ssh/id_rsa.pub
|
|
||||||
validate_checksum: no
|
|
||||||
with_items:
|
|
||||||
- "{{ local_users | difference([None]) }}"
|
|
||||||
|
|
||||||
- name: Delete users that have been removed
|
- name: Delete users that have been removed
|
||||||
tags: users_delete
|
tags: users_delete
|
||||||
@ -55,18 +42,18 @@
|
|||||||
- name: Coallate user names
|
- name: Coallate user names
|
||||||
set_fact:
|
set_fact:
|
||||||
user_names: "{{ user_names | default([]) + [item.name] }}"
|
user_names: "{{ user_names | default([]) + [item.name] }}"
|
||||||
with_items: "{{ users }}"
|
loop: "{{ users }}"
|
||||||
|
|
||||||
- name: Determine removed users
|
- name: Determine removed users
|
||||||
set_fact:
|
set_fact:
|
||||||
removed_users: "{{ existing_users.stdout_lines | difference(user_names) }}"
|
removed_users: "{{ existing_users.stdout_lines | difference(local_users) | difference([None]) }}"
|
||||||
|
|
||||||
- name: Delete removed user accounts
|
- name: Delete removed user accounts
|
||||||
become: true
|
become: true
|
||||||
user:
|
user:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
state: absent
|
state: absent
|
||||||
with_items: "{{ removed_users }}"
|
loop: "{{ removed_users }}"
|
||||||
|
|
||||||
- name: Grant sudo permissions
|
- name: Grant sudo permissions
|
||||||
tags: users_sudo
|
tags: users_sudo
|
||||||
@ -78,8 +65,7 @@
|
|||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
groups: wheel
|
groups: wheel
|
||||||
state: present
|
state: present
|
||||||
with_items:
|
loop: "{{ local_admin_users | difference([None]) }}"
|
||||||
- "{{ local_admin_users | difference([None]) }}"
|
|
||||||
|
|
||||||
- name: Disable sudo password for ansible
|
- name: Disable sudo password for ansible
|
||||||
become: true
|
become: true
|
||||||
@ -97,24 +83,21 @@
|
|||||||
line: "{{ item }} ALL=(ALL) NOPASSWD:ALL"
|
line: "{{ item }} ALL=(ALL) NOPASSWD:ALL"
|
||||||
mode: 0644
|
mode: 0644
|
||||||
state: "{{ 'absent' if disable_sudo_password|bool == false else 'present' }}"
|
state: "{{ 'absent' if disable_sudo_password|bool == false else 'present' }}"
|
||||||
with_items:
|
loop: "{{ local_admin_users | difference([None] )}}"
|
||||||
- "{{ local_admin_users | difference([None] )}}"
|
|
||||||
|
|
||||||
- name: Configure GNOME
|
- name: Configure GNOME
|
||||||
tags: users_gnome
|
tags: users_gnome
|
||||||
when: ansible_distribution == "Fedora" and disable_gnome_user_list|bool == true
|
when: ansible_distribution == "Fedora" and disable_gnome_user_list|bool == true
|
||||||
|
become: true
|
||||||
block:
|
block:
|
||||||
- name: Configure GDM profile
|
- name: Configure GDM profile
|
||||||
become: true
|
|
||||||
blockinfile:
|
blockinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: /etc/ssh/sshd_config
|
||||||
block: |
|
block: |
|
||||||
user-db:user
|
user-db:user
|
||||||
system-db:gdm
|
system-db:gdm
|
||||||
file-db:/usr/share/gdm/greeter-dconf-defaults
|
file-db:/usr/share/gdm/greeter-dconf-defaults
|
||||||
|
|
||||||
- name: Configure GDM keyfile
|
- name: Configure GDM keyfile
|
||||||
become: true
|
|
||||||
blockinfile:
|
blockinfile:
|
||||||
create: true
|
create: true
|
||||||
path: /etc/dconf/db/gdm.d/00-login-screen
|
path: /etc/dconf/db/gdm.d/00-login-screen
|
||||||
@ -122,15 +105,11 @@
|
|||||||
[org/gnome/login-screen]
|
[org/gnome/login-screen]
|
||||||
# Do not show the user list
|
# Do not show the user list
|
||||||
disable-user-list=true
|
disable-user-list=true
|
||||||
|
|
||||||
- name: Delete existing user database
|
- name: Delete existing user database
|
||||||
become: true
|
|
||||||
file:
|
file:
|
||||||
path: /var/lib/gdm/.config/dconf/user
|
path: /var/lib/gdm/.config/dconf/user
|
||||||
state: absent
|
state: absent
|
||||||
|
|
||||||
- name: Restart dconf database
|
- name: Restart dconf database
|
||||||
become: true
|
|
||||||
shell: dconf update
|
shell: dconf update
|
||||||
|
|
||||||
- name: Install public keys
|
- name: Install public keys
|
||||||
@ -141,14 +120,14 @@
|
|||||||
file:
|
file:
|
||||||
state: directory
|
state: directory
|
||||||
path: /home/{{ item.name }}/.ssh
|
path: /home/{{ item.name }}/.ssh
|
||||||
with_items: "{{ local_users | difference([None]) }}"
|
loop: "{{ local_users | difference([None]) }}"
|
||||||
- name: Put keys on remote
|
- name: Put keys on remote
|
||||||
authorized_key:
|
authorized_key:
|
||||||
user: "{{ item.name }}"
|
user: "{{ item.name }}"
|
||||||
key: "{{ lookup('pipe','cat keys/' + item.name + '/*') if item.name != 'root' else '' }}"
|
key: "{{ lookup('pipe','cat keys/' + item.name + '/*') if item.name != 'root' else '' }}"
|
||||||
state: present
|
state: present
|
||||||
exclusive: yes
|
exclusive: yes
|
||||||
with_items: "{{ local_users | difference([None]) }}"
|
loop: "{{ local_users | difference([None]) }}"
|
||||||
|
|
||||||
- name: Ensure proper ownership of user home directories
|
- name: Ensure proper ownership of user home directories
|
||||||
become: true
|
become: true
|
||||||
@ -158,8 +137,7 @@
|
|||||||
path: /home/{{ item.name }}
|
path: /home/{{ item.name }}
|
||||||
recurse: yes
|
recurse: yes
|
||||||
state: directory
|
state: directory
|
||||||
with_items:
|
loop: "{{ local_users | difference([None]) }}"
|
||||||
- "{{ local_users | difference([None]) }}"
|
|
||||||
|
|
||||||
- hosts: all
|
- hosts: all
|
||||||
name: Disable SSH password authentication
|
name: Disable SSH password authentication
|
||||||
|
|||||||
Reference in New Issue
Block a user