Add local auth and ssh keyauth deployment playbooks
This commit is contained in:
parent
6b5df945de
commit
c32fc17550
78
playbooks/deploy-local-auth.yml
Normal file
78
playbooks/deploy-local-auth.yml
Normal file
@ -0,0 +1,78 @@
|
||||
---
|
||||
- name: Configure local users
|
||||
hosts: all:!network
|
||||
tags:
|
||||
- auth
|
||||
- ssh
|
||||
- users
|
||||
tasks:
|
||||
- import_tasks: tasks/preprocess-local-users.yml
|
||||
|
||||
- name: Create local user accounts
|
||||
tags: users_create
|
||||
become: true
|
||||
block:
|
||||
- name: Create groups
|
||||
group:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
loop: "{{ local_targets + ['omni'] }}"
|
||||
|
||||
- name: Load user passwords
|
||||
include_vars:
|
||||
file: secrets/passwords.yml
|
||||
|
||||
- name: Create users
|
||||
user:
|
||||
name: "{{ item.name }}"
|
||||
comment: "{{ item.fullname | default('') }}"
|
||||
shell: /bin/bash
|
||||
groups: "{{ item.targets | intersect(local_targets) + ['omni'] }}"
|
||||
system: "{{ item.svc | default(False) }}"
|
||||
state: present
|
||||
generate_ssh_key: false
|
||||
password: "{{ users_secrets[item.name] }}"
|
||||
loop: "{{ users_local }}"
|
||||
|
||||
- name: Delete removed user accounts
|
||||
become: true
|
||||
user:
|
||||
name: "{{ item }}"
|
||||
state: absent
|
||||
loop: "{{ users_local_removed | default([]) | difference(protected_users) }}"
|
||||
|
||||
- name: Grant sudo permissions to admin user accounts
|
||||
become: true
|
||||
user:
|
||||
name: "{{ item.name }}"
|
||||
groups: "{{ 'wheel' if ansible_os_family | lower == 'redhat' else 'sudo' }}"
|
||||
state: present
|
||||
loop: "{{ users_local_admin }}"
|
||||
|
||||
- name: Disable sudo password for ansible
|
||||
become: true
|
||||
lineinfile:
|
||||
create: true
|
||||
path: /etc/sudoers.d/30-ansible
|
||||
line: "ansible ALL=(ALL) NOPASSWD:ALL"
|
||||
mode: 0644
|
||||
|
||||
- name: Disable sudo password for admin users
|
||||
become: true
|
||||
lineinfile:
|
||||
create: true
|
||||
path: /etc/sudoers.d/40-admin
|
||||
line: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
|
||||
mode: 0644
|
||||
state: "{{ 'present' if disable_sudo_password | bool == true else 'absent' }}"
|
||||
loop: "{{ users_local_admin }}"
|
||||
|
||||
- name: Ensure proper ownership of user home directories
|
||||
become: true
|
||||
file:
|
||||
group: "{{ item.name }}"
|
||||
owner: "{{ item.name }}"
|
||||
path: /home/{{ item.name }}
|
||||
recurse: true
|
||||
state: directory
|
||||
loop: "{{ users_local }}"
|
@ -1,32 +1,22 @@
|
||||
---
|
||||
- hosts: all
|
||||
name: Update ssh keys on all devices
|
||||
- name: Update ssh keys on all devices
|
||||
hosts: all
|
||||
tasks:
|
||||
- import_tasks: tasks/users-preprocessing.yml
|
||||
- import_tasks: tasks/preprocess-local-users.yml
|
||||
|
||||
- name: Install public keys
|
||||
tags: users_keys
|
||||
become: true
|
||||
block:
|
||||
- name: Ensure SSH directory exists
|
||||
become: true
|
||||
file:
|
||||
state: directory
|
||||
path: /home/{{ item.name }}/.ssh
|
||||
loop: "{{ local_users | difference([None]) }}"
|
||||
loop: "{{ users_local }}"
|
||||
|
||||
- name: Put keys on remote
|
||||
become: true
|
||||
when: item.keys != []
|
||||
authorized_key:
|
||||
user: "{{ item.name }}"
|
||||
key: "{{ item.sshkeys | join('\n') }}"
|
||||
state: present
|
||||
exclusive: yes
|
||||
loop: "{{ local_users | difference([None]) }}"
|
||||
|
||||
- hosts: all
|
||||
name: Disable SSH password authentication
|
||||
tags:
|
||||
- always
|
||||
tasks:
|
||||
- import_tasks: tasks/sshd/disable-password-auth.yml
|
||||
when: enable_ssh_password_auth|bool == false
|
||||
loop: "{{ users_local }}"
|
||||
|
@ -26,3 +26,7 @@
|
||||
src: bashrc.sh
|
||||
dest: /etc/profile.d/ZA-enpn-bashrc.sh
|
||||
mode: 0644
|
||||
|
||||
- import_playbook: deploy-local-auth.yml
|
||||
|
||||
- import_playbook: deploy-sshkeys.yml
|
||||
|
Reference in New Issue
Block a user