Add preprocessing tasks and auth playbook

Update secrets submodule
2020-02-11 23:26:05 -05:00 · 2020-02-11 23:26:05 -05:00 · c59b9f54bb
commit c59b9f54bb
parent bb3578f997
3 changed files with 119 additions and 1 deletions
--- a/playbooks/configure-auth.yml
+++ b/playbooks/configure-auth.yml
@ -1 +1,80 @@
 ---
 - name: Configure local users
  hosts: all:!network
  tags:
    - auth
    - ssh
    - users
  roles:
    - role: sshd
  tasks:
    - import_tasks: tasks/preprocess-local-users.yml
    - name: Create local user accounts
      tags: users_create
      become: true
      block:
        - name: Create groups
          group:
            name: "{{ item }}"
            state: present
          loop: "{{ local_targets + ['omni'] }}"
        - name: Load user passwords
          include_vars:
            file: secrets/passwords.yml
        - name: Create users
          user:
            name: "{{ item.name }}"
            comment: "{{ item.fullname | default('') }}"
            shell: /bin/bash
            groups: "{{ item.targets | intersect(local_targets) + ['omni'] }}"
            system: "{{ item.svc | default(False) }}"
            state: present
            generate_ssh_key: false
            password: "{{ users_secrets[item.name] }}"
          loop: "{{ users_local }}"
    - name: Delete removed user accounts
      become: true
      user:
        name: "{{ item }}"
        state: absent
      loop: "{{ users_local_removed | default([]) | difference(protected_users) }}"
    - name: Grant sudo permissions to admin user accounts
      become: true
      user:
        name: "{{ item.name }}"
        groups: "{{ 'wheel' if ansible_os_family | lower == 'redhat' else 'sudo' }}"
        state: present
      loop: "{{ users_local_admin }}"
    - name: Disable sudo password for ansible
      become: true
      lineinfile:
        create: true
        path: /etc/sudoers.d/30-ansible
        line: "ansible ALL=(ALL) NOPASSWD:ALL"
        mode: 0644
    - name: Disable sudo password for admin users
      become: true
      lineinfile:
        create: true
        path: /etc/sudoers.d/40-admin
        line: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
        mode: 0644
        state: "{{ 'present' if disable_sudo_password | bool == true else 'absent' }}"
      loop: "{{ users_local_admin }}"
    - name: Ensure proper ownership of user home directories
      become: true
      file:
        group: "{{ item.name }}"
        owner: "{{ item.name }}"
        path: /home/{{ item.name }}
        recurse: true
        state: directory
      loop: "{{ users_local }}"
--- a/tasks/preprocess-users.yml
+++ b/tasks/preprocess-users.yml
@ -0,0 +1,39 @@
 ---
 - name: Load users variables
  include_vars:
    file: users.yml
 - name: Reconcile user targets with host targets to get host users
  set_fact:
    users_local: >-
      {{
      users_local | default([]) + ([item] if item.targets | intersect(local_targets) else [])
      }}
  loop: "{{ omni_users }}"
 - name: Determine local user names
  set_fact:
    users_local_names: "{{ users_local_names | default([]) + [item.name] }}"
  loop: "{{ users_local }}"
 - name: Determine administrative users
  set_fact:
    users_local_admin: >-
      {{
      users_local_admin | default([]) + ([item] if item.admin | default(False) else [])
      }}
  loop: "{{ users_local }}"
 - name: Determine existing users
  shell: 'grep omni /etc/group | cut -d: -f4 | tr "," "\n"'
  changed_when: false
  register: users_local_existing
 - name: Determine removed users
  set_fact:
    users_local_removed: >-
      {{
      users_local_removed | default([]) +
      ([item] if item not in users_local_names else [])
      }}
  loop: "{{ users_local_existing.stdout_lines }}"
--- a/vars/secrets
+++ b/vars/secrets
@ -1 +1 @@
-Subproject commit 13a84c38c2f5d2f918e89810ceae2641a952d9de
+Subproject commit 13a35d8e308ef8053b3d3031371e389f9e440a14
		`@ -1 +1 @@`
			`Subproject commit 13a84c38c2f5d2f918e89810ceae2641a952d9de`				`Subproject commit 13a35d8e308ef8053b3d3031371e389f9e440a14`