--- - import_playbook: dependencies.yml - hosts: all name: Prompt for variables vars_prompt: - name: "generate_keys" prompt: "Generate SSH keypair for new users?" default: yes private: no when: generate_keys is not defined # - name: "disable_sudo_password" # prompt: "Disable required user password when running sudo commands?" # default: no # private: no # when: disable_sudo_password is not defined - name: "disable_gnome_user_list" prompt: "Disable the GNOME user list?" default: yes private: no when: disable_gnome_user_list is not defined tasks: - name: Pre-processing tags: always block: - name: Load users include_vars: file: users.yml - name: Reconcile user targets with host targets to get host users set_fact: local_users: "{{ local_users | default([]) + [item if item.targets | intersect(targets) else None] }}" with_items: "{{ users }}" - name: Get administrative users set_fact: local_admin_users: "{{ local_admin_users | default([]) + [item.name if item.admin else None] }}" with_items: "{{ local_users | difference([None]) }}" - name: Create local user accounts tags: users_create become: true block: - name: Create groups group: name: "{{ item }}" state: present with_items: - "{{ targets }}" - omni - name: Create users user: name: "{{ item.name }}" comment: "{{ item.fullname | default('') }}" shell: /bin/bash groups: "{{ item.targets | intersect(targets) }} + {{ [ 'omni' ] if item.name != 'root' else [] }}" system: "{{ item.svc | default('no') }}" state: present generate_ssh_key: "{{ 'yes' if generate_keys|bool == true else 'no' }}" ssh_key_comment: "{{ item.name }}@{{ inventory_hostname }}" ssh_key_bits: 4096 password: "{{ item.password }}" with_items: - "{{ local_users | difference([None]) }}" - name: Copy new keys when: generate_keys|bool == true fetch: dest: "{{ playbook_dir + '/keys/' + item.name + '/' + inventory_hostname + '.pub' if item.name != 'root' and item.name != 'ansible' else '/dev/null' }}" flat: yes fail_on_missing: no src: /home/{{ item.name }}/.ssh/id_rsa.pub validate_checksum: no with_items: - "{{ local_users | difference([None]) }}" - name: Delete users that have been removed tags: users_delete block: - name: Determine existing users shell: 'grep omni /etc/group | cut -d: -f4 | tr "," "\n"' changed_when: false register: existing_users - name: Coallate user names set_fact: user_names: "{{ user_names | default([]) + [item.name] }}" with_items: "{{ users }}" - name: Determine removed users set_fact: removed_users: "{{ existing_users.stdout_lines | difference(user_names) }}" - name: Delete removed user accounts become: true user: name: "{{ item }}" state: absent with_items: "{{ removed_users }}" - name: Grant sudo permissions tags: users_sudo block: - name: Add users to sudo group on Fedora/CentOS/RHEL when: ansible_distribution == "Fedora" or ansible_distribution == "Red Hat Enterprise Linux" or ansible_distribution == "CentOS" become: true user: name: "{{ item }}" groups: wheel state: present with_items: - "{{ local_admin_users | difference([None]) }}" - name: Disable sudo password for ansible become: true lineinfile: create: yes path: /etc/sudoers.d/30-ansible line: "ansible ALL=(ALL) NOPASSWD:ALL" mode: 0644 - name: Disable sudo password for admin users become: true lineinfile: create: yes path: /etc/sudoers.d/40-admin line: "{{ item }} ALL=(ALL) NOPASSWD:ALL" mode: 0644 state: "{{ 'absent' if disable_sudo_password|bool == false else 'present' }}" with_items: - "{{ local_admin_users | difference([None] )}}" - name: Configure GNOME tags: users_gnome when: ansible_distribution == "Fedora" and disable_gnome_user_list|bool == true block: - name: Configure GDM profile become: true blockinfile: path: /etc/ssh/sshd_config block: | user-db:user system-db:gdm file-db:/usr/share/gdm/greeter-dconf-defaults - name: Configure GDM keyfile become: true blockinfile: path: /etc/dconf/db/gdm.d/00-login-screen block: | [org/gnome/login-screen] # Do not show the user list disable-user-list=true - name: Delete existing user database become: true file: path: /var/lib/gdm/.config/dconf/user state: absent - name: Restart dconf database become: true shell: dconf update - name: Install public keys tags: users_keys become: true block: - name: Ensure SSH directory exists file: state: directory path: /home/{{ item.name }}/.ssh with_items: "{{ local_users | difference([None]) }}" - name: Put keys on remote authorized_key: user: "{{ item.name }}" key: "{{ lookup('pipe','cat keys/' + item.name + '/*') if item.name != 'root' else '' }}" state: present exclusive: yes with_items: "{{ local_users | difference([None]) }}" - name: Ensure proper ownership of user home directories become: true file: group: "{{ item.name }}" owner: "{{ item.name }}" path: /home/{{ item.name }} recurse: yes state: directory with_items: - "{{ local_users | difference([None]) }}"