diff --git a/playbooks/configure-auth.yml b/playbooks/configure-auth.yml
index ed97d53..64154de 100644
--- a/playbooks/configure-auth.yml
+++ b/playbooks/configure-auth.yml
@@ -1 +1,80 @@
 ---
+- name: Configure local users
+ hosts: all:!network
+ tags:
+ - auth
+ - ssh
+ - users
+ roles:
+ - role: sshd
+ tasks:
+ - import_tasks: tasks/preprocess-local-users.yml
+
+ - name: Create local user accounts
+ tags: users_create
+ become: true
+ block:
+ - name: Create groups
+ group:
+ name: "{{ item }}"
+ state: present
+ loop: "{{ local_targets + ['omni'] }}"
+
+ - name: Load user passwords
+ include_vars:
+ file: secrets/passwords.yml
+
+ - name: Create users
+ user:
+ name: "{{ item.name }}"
+ comment: "{{ item.fullname | default('') }}"
+ shell: /bin/bash
+ groups: "{{ item.targets | intersect(local_targets) + ['omni'] }}"
+ system: "{{ item.svc | default(False) }}"
+ state: present
+ generate_ssh_key: false
+ password: "{{ users_secrets[item.name] }}"
+ loop: "{{ users_local }}"
+
+ - name: Delete removed user accounts
+ become: true
+ user:
+ name: "{{ item }}"
+ state: absent
+ loop: "{{ users_local_removed | default([]) | difference(protected_users) }}"
+
+ - name: Grant sudo permissions to admin user accounts
+ become: true
+ user:
+ name: "{{ item.name }}"
+ groups: "{{ 'wheel' if ansible_os_family | lower == 'redhat' else 'sudo' }}"
+ state: present
+ loop: "{{ users_local_admin }}"
+
+ - name: Disable sudo password for ansible
+ become: true
+ lineinfile:
+ create: true
+ path: /etc/sudoers.d/30-ansible
+ line: "ansible ALL=(ALL) NOPASSWD:ALL"
+ mode: 0644
+
+ - name: Disable sudo password for admin users
+ become: true
+ lineinfile:
+ create: true
+ path: /etc/sudoers.d/40-admin
+ line: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
+ mode: 0644
+ state: "{{ 'present' if disable_sudo_password | bool == true else 'absent' }}"
+ loop: "{{ users_local_admin }}"
+
+ - name: Ensure proper ownership of user home directories
+ become: true
+ file:
+ group: "{{ item.name }}"
+ owner: "{{ item.name }}"
+ path: /home/{{ item.name }}
+ recurse: true
+ state: directory
+ loop: "{{ users_local }}"
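Review bot: "Grant sudo permissions to admin user accounts" passes `groups:` to the user module without `append: true`, so it replaces the supplementary group list that "Create users" assigned a few tasks earlier — admin users are left in only wheel/sudo, drop their target groups and their `omni` membership, and both tasks report changed on every run; adding `append: true` next to `state: present` fixes it. The play imports `tasks/preprocess-local-users.yml`, but the file this commit adds (second hunk) is `tasks/preprocess-users.yml`; unless the former already exists in the repository, the import fails before any task runs. Both lineinfile tasks write into /etc/sudoers.d without `validate: /usr/sbin/visudo -cf %s`, so a malformed `item.name` yields a drop-in that breaks sudo host-wide, and `mode: 0644` should be quoted as `mode: "0644"` because the unquoted octal is parsed as an integer. "Load user passwords" returns the loaded `users_secrets` in its task result, which verbose output prints, so it should carry `no_log: true`; a comment on "Create users" noting that `password:` expects an already-hashed value would also prevent cleartext from being stored in secrets/passwords.yml by mistake.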
diff --git a/tasks/preprocess-users.yml b/tasks/preprocess-users.yml
new file mode 100644
index 0000000..fbe3bb6
--- /dev/null
+++ b/tasks/preprocess-users.yml
@@ -0,0 +1,39 @@
+---
+- name: Load users variables
+ include_vars:
+ file: users.yml
+
+- name: Reconcile user targets with host targets to get host users
+ set_fact:
+ users_local: >-
+ {{
+ users_local | default([]) + ([item] if item.targets | intersect(local_targets) else [])
+ }}
+ loop: "{{ omni_users }}"
+
+- name: Determine local user names
+ set_fact:
+ users_local_names: "{{ users_local_names | default([]) + [item.name] }}"
+ loop: "{{ users_local }}"
+
+- name: Determine administrative users
+ set_fact:
+ users_local_admin: >-
+ {{
+ users_local_admin | default([]) + ([item] if item.admin | default(False) else [])
+ }}
+ loop: "{{ users_local }}"
+
+- name: Determine existing users
+ shell: 'grep omni /etc/group | cut -d: -f4 | tr "," "\n"'
+ changed_when: false
+ register: users_local_existing
+
+- name: Determine removed users
+ set_fact:
+ users_local_removed: >-
+ {{
+ users_local_removed | default([])
+ + ([item] if item not in users_local_names else [])
+ }}
+ loop: "{{ users_local_existing.stdout_lines }}"
diff --git a/vars/secrets b/vars/secrets
index 13a84c3..13a35d8 160000
--- a/vars/secrets
+++ b/vars/secrets
@@ -1 +1 @@
-Subproject commit 13a84c38c2f5d2f918e89810ceae2641a952d9de
+Subproject commit 13a35d8e308ef8053b3d3031371e389f9e440a14
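Review bot: "Determine existing users" runs `grep omni /etc/group`, a substring match over whole lines, so any group whose name or member list merely contains "omni" contributes its members to `users_local_existing`, and those names then feed the `state: absent` removal in the playbook with only `protected_users` standing between a false match and a deleted account. `getent group omni | cut -d: -f4 | tr ',' '\n'` matches the group name exactly and also works when group data is served by NSS rather than the file. Separately, when a host has no matching users the loop in "Determine local user names" never runs, `users_local_names` stays undefined, and the `item not in users_local_names` test in "Determine removed users" errors out; `item not in users_local_names | default([])` covers that case, and the same `default([])` is worth adding to the playbook's `loop: "{{ users_local }}"` tasks.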