Add local auth and ssh keyauth deployment playbooks

This commit is contained in:
Ethan Paul 2019-12-01 14:14:25 -05:00
parent 6b5df945de
commit c32fc17550
3 changed files with 99 additions and 27 deletions

View File

@ -0,0 +1,78 @@
---
- name: Configure local users
hosts: all:!network
tags:
- auth
- ssh
- users
tasks:
- import_tasks: tasks/preprocess-local-users.yml
- name: Create local user accounts
tags: users_create
become: true
block:
- name: Create groups
group:
name: "{{ item }}"
state: present
loop: "{{ local_targets + ['omni'] }}"
- name: Load user passwords
include_vars:
file: secrets/passwords.yml
- name: Create users
user:
name: "{{ item.name }}"
comment: "{{ item.fullname | default('') }}"
shell: /bin/bash
groups: "{{ item.targets | intersect(local_targets) + ['omni'] }}"
system: "{{ item.svc | default(False) }}"
state: present
generate_ssh_key: false
password: "{{ users_secrets[item.name] }}"
loop: "{{ users_local }}"
- name: Delete removed user accounts
become: true
user:
name: "{{ item }}"
state: absent
loop: "{{ users_local_removed | default([]) | difference(protected_users) }}"
- name: Grant sudo permissions to admin user accounts
become: true
user:
name: "{{ item.name }}"
groups: "{{ 'wheel' if ansible_os_family | lower == 'redhat' else 'sudo' }}"
state: present
loop: "{{ users_local_admin }}"
- name: Disable sudo password for ansible
become: true
lineinfile:
create: true
path: /etc/sudoers.d/30-ansible
line: "ansible ALL=(ALL) NOPASSWD:ALL"
mode: 0644
- name: Disable sudo password for admin users
become: true
lineinfile:
create: true
path: /etc/sudoers.d/40-admin
line: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
mode: 0644
state: "{{ 'present' if disable_sudo_password | bool == true else 'absent' }}"
loop: "{{ users_local_admin }}"
- name: Ensure proper ownership of user home directories
become: true
file:
group: "{{ item.name }}"
owner: "{{ item.name }}"
path: /home/{{ item.name }}
recurse: true
state: directory
loop: "{{ users_local }}"

View File

@ -1,32 +1,22 @@
--- ---
- hosts: all - name: Update ssh keys on all devices
name: Update ssh keys on all devices hosts: all
tasks: tasks:
- import_tasks: tasks/users-preprocessing.yml - import_tasks: tasks/preprocess-local-users.yml
- name: Install public keys
tags: users_keys
become: true
block:
- name: Ensure SSH directory exists - name: Ensure SSH directory exists
become: true
file: file:
state: directory state: directory
path: /home/{{ item.name }}/.ssh path: /home/{{ item.name }}/.ssh
loop: "{{ local_users | difference([None]) }}" loop: "{{ users_local }}"
- name: Put keys on remote - name: Put keys on remote
become: true
when: item.keys != [] when: item.keys != []
authorized_key: authorized_key:
user: "{{ item.name }}" user: "{{ item.name }}"
key: "{{ item.sshkeys | join('\n') }}" key: "{{ item.sshkeys | join('\n') }}"
state: present state: present
exclusive: yes exclusive: yes
loop: "{{ local_users | difference([None]) }}" loop: "{{ users_local }}"
- hosts: all
name: Disable SSH password authentication
tags:
- always
tasks:
- import_tasks: tasks/sshd/disable-password-auth.yml
when: enable_ssh_password_auth|bool == false

View File

@ -26,3 +26,7 @@
src: bashrc.sh src: bashrc.sh
dest: /etc/profile.d/ZA-enpn-bashrc.sh dest: /etc/profile.d/ZA-enpn-bashrc.sh
mode: 0644 mode: 0644
- import_playbook: deploy-local-auth.yml
- import_playbook: deploy-sshkeys.yml