Update playbooks and finalize the update-users playbook

This commit is contained in:
Ethan N. Paul 2018-12-11 00:48:37 -05:00
parent b68b7160de
commit 6c6de5a954
5 changed files with 133 additions and 16 deletions

1
playbooks/group_vars Symbolic link
View File

@ -0,0 +1 @@
../groups

1
playbooks/host_vars Symbolic link
View File

@ -0,0 +1 @@
../hosts

View File

@ -6,7 +6,7 @@
when: ansible_distribution != "CentOS" and ansible_distribution != "Red Hat Enterprise Linux" and ansible_distribution != "Fedora" when: ansible_distribution != "CentOS" and ansible_distribution != "Red Hat Enterprise Linux" and ansible_distribution != "Fedora"
meta: end_play meta: end_play
debug: debug:
msg: "Standard configuration deployment is only supported on Fedora 27/28, Centos 7.5, and RHEL" msg: "Standard configuration deployment is only supported on Fedora 28/29, Centos 7.5, and RHEL"
- name: Set hostname - name: Set hostname
become: true become: true
@ -30,13 +30,13 @@
- hosts: all - hosts: all
name: System packages name: System packages
tasks: tasks:
- import_tasks: common/centos/repositories.yml - import_tasks: tasks/centos/repositories.yml
when: ansible_distribution == "CentOS" when: ansible_distribution == "CentOS"
- import_tasks: common/centos/packages.yml - import_tasks: tasks/centos/packages.yml
when: ansible_distribution == "CentOS" when: ansible_distribution == "CentOS"
- import_tasks: common/fedora/packages.yml - import_tasks: tasks/fedora/packages.yml
when: ansible_distribution == "Fedora" when: ansible_distribution == "Fedora"
# - import_tasks: common/debian/packages.yml # - import_tasks: tasks/debian/packages.yml
# when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu" # when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
@ -49,9 +49,9 @@
- name: Install systemd-networkd - name: Install systemd-networkd
when: enable_networkd == true when: enable_networkd == true
block: block:
- import_tasks: common/centos/networkd.yml - import_tasks: tasks/centos/networkd.yml
when: ansible_distribution == "CentOS" when: ansible_distribution == "CentOS"
- import_tasks: common/fedora/networkd.yml - import_tasks: tasks/fedora/networkd.yml
when: ansible_distribution == "Fedora" when: ansible_distribution == "Fedora"
# - import_tasks: common/debian/networkd.yml # - import_tasks: common/debian/networkd.yml
# when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu" # when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"

1
playbooks/tasks Symbolic link
View File

@ -0,0 +1 @@
../tasks

View File

@ -1,11 +1,4 @@
--- ---
- hosts: all
name: Load variables
tasks:
- name: Load user variables
include_vars:
file: users.yml
- hosts: all - hosts: all
name: Prompt for variables name: Prompt for variables
vars_prompt: vars_prompt:
@ -13,13 +6,134 @@
prompt: "Generate SSH keypair for new users?" prompt: "Generate SSH keypair for new users?"
default: yes default: yes
when: generate_keys is not defined when: generate_keys is not defined
- name: "enable_sudo_password" - name: "enable_sudo_password"
prompt: "Require user password when running sudo commands?" prompt: "Require user password when running sudo commands?"
default: yes default: yes
when: enable_sudo_password is not defined when: enable_sudo_password is not defined
- name: "disable_gnome_user_list" - name: "disable_gnome_user_list"
prompt: "Disable the GNOME user list?" prompt: "Disable the GNOME user list?"
default: yes default: yes
when: disable_gnome_user_list is not defined when: disable_gnome_user_list is not defined
tasks:
- name: Load user variables
include_vars:
file: users.yml
- name: Create local user accounts
block:
- name: Reconcile user targets with host targets to get host users
set_fact:
local_users: "{{ local_users | default([]) + [item if item.targets | intersect(targets) else None] }}"
with_items: "{{ users }}"
- name: Create groups
become: true
group:
name: "{{ item }}"
state: present
with_items:
- "{{ targets }}"
- omni
- name: Create users
become: true
user:
name: "{{ item.name }}"
comment: "{{ item.fullname | default('') }}"
shell: /bin/bash
groups: "{{ item.targets | intersect(targets) }} + {{ [ 'omni' ] if item.name != 'root' else [] }}"
system: "{{ item.svc | default('no') }}"
state: present
generate_ssh_key: "{{ generate_keys }}"
password: "{{ item.password }}"
with_items:
- "{{ local_users | difference([None]) }}"
- name: Delete users that have been removed
block:
- name: Determine existing users
shell: 'grep omni /etc/group | cut -d: -f4 | tr "," "\n"'
changed_when: false
register: existing_users
- name: Coallate user names
set_fact:
user_names: "{{ user_names | default([]) + [item.name] }}"
with_items: "{{ users }}"
- name: Determine removed users
set_fact:
removed_users: "{{ existing_users.stdout_lines | difference(user_names) }}"
- name: Delete removed user accounts
become: true
user:
name: "{{ item }}"
state: absent
with_items: "{{ removed_users }}"
- name: Grant sudo permissions
block:
- name: Get administrative users
set_fact:
local_admin_users: "{{ local_admin_users | default([]) + [item.name if item.admin else None] }}"
with_items: "{{ local_users | difference([None]) }}"
- name: Add users to sudo group on Fedora/CentOS/RHEL
when: ansible_distribution == "Fedora" or ansible_distribution == "Red Hat Enterprise Linux" or ansible_distribution == "CentOS"
become: true
user:
name: "{{ item.name }}"
groups: wheel
state: present
with_items:
- "{{ local_users | difference([None]) }}"
- name: Disable sudo password for ansible
become: true
lineinfile:
create: yes
path: /etc/sudoers/30-ansible
line: "ansible ALL=(ALL) NOPASSWD:ALL"
mode: 0644
- name: Disable sudo password for admin users
when: enable_sudo_password is False
become: true
lineinfile:
create: yes
path: /etc/sudoers/30-ansible
line: "{{ item }} ALL=(ALL) NOPASSWD:ALL"
mode: 0644
with_items:
- "{{ local_admin_users | difference([None] )}}"
- name: Configure GNOME
when: ansible_distribution == "Fedora" and disable_gnome_user_list is True
block:
- name: Configure GDM profile
become: true
blockinfile:
path: /etc/ssh/sshd_config
block: |
user-db:user
system-db:gdm
file-db:/usr/share/gdm/greeter-dconf-defaults
- name: Configure GDM keyfile
become: true
blockinfile:
path: /etc/dconf/db/gdm.d/00-login-screen
block: |
[org/gnome/login-screen]
# Do not show the user list
disable-user-list=true
- name: Delete existing user database
become: true
shell: "mv /var/lib/gdm/.config/dconf/user /var/lib/gdm/.config/user.bkup"
- name: Restart dconf database
become: true
shell: dconf update