diff --git a/playbooks/deploy-local-auth.yml b/playbooks/deploy-local-auth.yml
new file mode 100644
index 0000000..96ac384
--- /dev/null
+++ b/playbooks/deploy-local-auth.yml
@@ -0,0 +1,78 @@
+---
+- name: Configure local users
+ hosts: all:!network
+ tags:
+ - auth
+ - ssh
+ - users
+ tasks:
+ - import_tasks: tasks/preprocess-local-users.yml
+
+ - name: Create local user accounts
+ tags: users_create
+ become: true
+ block:
+ - name: Create groups
+ group:
+ name: "{{ item }}"
+ state: present
+ loop: "{{ local_targets + ['omni'] }}"
+
+ - name: Load user passwords
+ include_vars:
+ file: secrets/passwords.yml
+
+ - name: Create users
+ user:
+ name: "{{ item.name }}"
+ comment: "{{ item.fullname | default('') }}"
+ shell: /bin/bash
+ groups: "{{ item.targets | intersect(local_targets) + ['omni'] }}"
+ system: "{{ item.svc | default(False) }}"
+ state: present
+ generate_ssh_key: false
+ password: "{{ users_secrets[item.name] }}"
+ loop: "{{ users_local }}"
+
+ - name: Delete removed user accounts
+ become: true
+ user:
+ name: "{{ item }}"
+ state: absent
+ loop: "{{ users_local_removed | default([]) | difference(protected_users) }}"
+
+ - name: Grant sudo permissions to admin user accounts
+ become: true
+ user:
+ name: "{{ item.name }}"
+ groups: "{{ 'wheel' if ansible_os_family | lower == 'redhat' else 'sudo' }}"
+ state: present
+ loop: "{{ users_local_admin }}"
+
+ - name: Disable sudo password for ansible
+ become: true
+ lineinfile:
+ create: true
+ path: /etc/sudoers.d/30-ansible
+ line: "ansible ALL=(ALL) NOPASSWD:ALL"
+ mode: 0644
+
+ - name: Disable sudo password for admin users
+ become: true
+ lineinfile:
+ create: true
+ path: /etc/sudoers.d/40-admin
+ line: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
+ mode: 0644
+ state: "{{ 'present' if disable_sudo_password | bool == true else 'absent' }}"
+ loop: "{{ users_local_admin }}"
+
+ - name: Ensure proper ownership of user home directories
+ become: true
+ file:
+ group: "{{ item.name }}"
+ owner: "{{ item.name }}"
+ path: /home/{{ item.name }}
+ recurse: true
+ state: directory
+ loop: "{{ users_local }}"
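Review bot: The `Grant sudo permissions to admin user accounts` task sets `groups:` without `append: true`, so the user module replaces each admin's supplementary groups with only `wheel`/`sudo` and silently undoes the `targets` + `omni` membership that `Create users` assigned a few tasks earlier; add `append: true` to that task. Both sudoers drop-ins are written with `mode: 0644` and no syntax check — sudo validates drop-in permissions and, depending on build options, warns about or refuses a file that is not `0440`, and an unvalidated `lineinfile` edit that breaks parsing can lock every account out of sudo at once — so use `mode: "0440"` and `validate: '/usr/sbin/visudo -cf %s'` on both, quoting the mode so the YAML loader does not turn it into an octal integer. `Delete removed user accounts` uses `state: absent` without `remove: true`, which leaves the home directory and anything else still owned by the old UID in place to be inherited by whichever account later reuses that UID. `password: "{{ users_secrets[item.name] }}"` aborts the whole play for any user missing from `secrets/passwords.yml`, and the user module writes this value verbatim into the shadow entry, so the vault must hold pre-hashed values (e.g. `password_hash('sha512')` output) rather than plaintext; `users_secrets[item.name] | default(omit)` would let key-only and service accounts be created with the password field left unset instead of failing.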
diff --git a/playbooks/deploy-sshkeys.yml b/playbooks/deploy-sshkeys.yml
index d42d460..45e7fb0 100644
--- a/playbooks/deploy-sshkeys.yml
+++ b/playbooks/deploy-sshkeys.yml
@@ -1,32 +1,22 @@ --- -- hosts: all - name: Update ssh keys on all devices +- name: Update ssh keys on all devices + hosts: all tasks: - - import_tasks: tasks/users-preprocessing.yml + - import_tasks: tasks/preprocess-local-users.yml - - name: Install public keys - tags: users_keys + - name: Ensure SSH directory exists become: true - block: - - name: Ensure SSH directory exists - file: - state: directory - path: /home/{{ item.name }}/.ssh - loop: "{{ local_users | difference([None]) }}" + file: + state: directory + path: /home/{{ item.name }}/.ssh + loop: "{{ users_local }}" - - name: Put keys on remote - when: item.keys != [] - authorized_key: - user: "{{ item.name }}" - key: "{{ item.sshkeys | join('\n') }}" - state: present - exclusive: yes - loop: "{{ local_users | difference([None]) }}" - -- hosts: all - name: Disable SSH password authentication - tags: - - always - tasks: - - import_tasks: tasks/sshd/disable-password-auth.yml - when: enable_ssh_password_auth|bool == false + - name: Put keys on remote + become: true + when: item.keys != [] + authorized_key: + user: "{{ item.name }}" + key: "{{ item.sshkeys | join('\n') }}" + state: present + exclusive: yes + loop: "{{ users_local }}"
diff --git a/playbooks/initialize.yml b/playbooks/initialize.yml
index ccbfc9c..bb64eba 100644
--- a/playbooks/initialize.yml
+++ b/playbooks/initialize.yml
@@ -26,3 +26,7 @@
 src: bashrc.sh
 dest: /etc/profile.d/ZA-enpn-bashrc.sh
 mode: 0644
+
+- import_playbook: deploy-local-auth.yml
+
+- import_playbook: deploy-sshkeys.yml
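Review bot: The `Disable SSH password authentication` play this file used to carry (the removed `import_tasks: tasks/sshd/disable-password-auth.yml` guarded by `enable_ssh_password_auth`) is not re-added anywhere in this diff, including the new `initialize.yml` imports, so unless it moved to a file outside this change the sshd hardening silently stops being applied; restore it here or import it explicitly from `initialize.yml`. Independently, the `when: item.keys != []` guard on `Put keys on remote` does not do what it looks like: Jinja resolves `item.keys` to the dict's `.keys` method before trying a key named `keys`, so the comparison is always true and the task runs even when a user's `sshkeys` list is empty, and with `exclusive: yes` an empty joined key would then at best fail and at worst replace that user's existing authorized_keys; the guard should be `when: item.sshkeys | default([]) | length > 0`. `exclusive: yes` also relies on YAML 1.1 truthiness — write `exclusive: true` so a stricter loader reads the same value. This play targets `hosts: all` while `deploy-local-auth.yml` uses `all:!network`, so the `file`/`authorized_key` tasks will be attempted against the network devices as well — presumably unintended.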
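Review bot: The two imported plays are tagged inconsistently — `deploy-local-auth.yml` carries play-level tags `auth`/`ssh`/`users` while `deploy-sshkeys.yml` has none — so a run such as `ansible-playbook initialize.yml --tags ssh` creates the local accounts (with passwords only if present in the vault) but skips every key-deployment task, leaving new accounts without a usable login path. Give the sshkeys play the same play-level tags (at least `ssh` and `users`) so the two halves of account provisioning always run together.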