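---
# Host provisioning playbook: management services, virtualization prerequisites
# and local account lifecycle (create / update / remove) driven by the variable
# files listed under the "Configure local accounts" play.

- name: Configure server management services
  hosts: servers
  tasks:
    - import_tasks: tasks/sshd/secure.yml

    - name: Enable cockpit
      when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
      become: true
      systemd:
        name: cockpit.socket
        enabled: true
        state: started

- name: Configure virtualization management services
  hosts: virtualization
  tasks:
    - name: Create docker group
      become: true
      group:
        name: docker
        state: present

- name: Configure local accounts
  hosts: all
  vars_files:
    - vars/accounts.yaml
    - vars/secrets/passwords.yaml
    - vars/sshkeys.yaml
  tasks:
    - name: Create omni group
      become: true
      group:
        name: "{{ omni_group.name }}"
        gid: "{{ omni_group.gid }}"
        state: present

    # The membership list produced here drives the destructive "Delete removed
    # ..." tasks below, so the lookup must match exactly one group. The pattern
    # is anchored to the start of the line and the trailing ":" so that groups
    # whose name merely contains the omni group name are not included.
    - name: Determine existing omni users
      changed_when: false
      shell:
        cmd: 'grep "^{{ omni_group.name }}:" /etc/group | cut --delimiter : --fields 4 | tr "," "\n"'
      register: _existing_omni_users

    # Any current member of the omni group that is no longer declared in
    # omni_users is removed: account, primary group and home directory.
    - name: Delete removed user accounts
      become: true
      when: item not in (omni_users | items2dict(key_name='name', value_name='uid'))
      user:
        name: "{{ item }}"
        state: absent
      loop: "{{ _existing_omni_users.stdout_lines }}"

    - name: Delete removed user groups
      become: true
      when: item not in (omni_users | items2dict(key_name='name', value_name='uid'))
      group:
        name: "{{ item }}"
        state: absent
      loop: "{{ _existing_omni_users.stdout_lines }}"

    - name: Delete removed user home directories
      become: true
      when: item not in (omni_users | items2dict(key_name='name', value_name='uid'))
      file:
        path: "/home/{{ item }}"
        state: absent
      loop: "{{ _existing_omni_users.stdout_lines }}"

    # One private group per account; the gid mirrors the uid.
    - name: Create account groups
      become: true
      group:
        name: "{{ item.name }}"
        gid: "{{ item.uid }}"
        state: present
      loop: "{{ omni_users }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"

    - name: Create accounts
      become: true
      user:
        name: "{{ item.name }}"
        state: present
        uid: "{{ item.uid }}"
        group: "{{ item.name }}"
        # Supplementary groups: always the omni group; admins additionally get
        # the distribution's sudo group, and on virtualization hosts the docker
        # group (docker group membership is root-equivalent, hence admin-only).
        groups: >-
          {{ [omni_group.name]
          + (['wheel' if ansible_os_family | lower == 'redhat' else 'sudo']
          if item.admin | default(false) else [])
          + (['docker']
          if (item.admin | default(false)) and ('virtualization' in group_names)
          else []) }}
        comment: "{{ item.fullname | default('') }}"
        # Only accounts targeted at management hosts get an interactive shell.
        shell: "{{ '/bin/bash' if 'mgmt' in item.targets else '/bin/false' }}"
        system: "{{ item.svc | default(false) }}"
        generate_ssh_key: false
        # NOTE(review): the user module expects an already hashed value here;
        # presumably passwords.yaml stores hashes, not plaintext - confirm.
        # Accounts without an entry keep their current password (none).
        password: "{{ omni_users_secrets[item.name] | default(none) }}"
      loop: "{{ omni_users }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"

    - name: Disable sudo password for ansible
      become: true
      lineinfile:
        create: true
        path: /etc/sudoers.d/30-ansible
        line: "ansible ALL=(ALL) NOPASSWD:ALL"
        # sudoers fragments are read by root only; keep them non-world-readable.
        mode: "0440"
        # Syntax-check the fragment before it is moved into place: a malformed
        # sudoers file would otherwise break sudo for every account on the host.
        validate: /usr/sbin/visudo -cf %s

    - name: Ensure proper ownership of user home directories
      become: true
      file:
        path: "/home/{{ item.name }}"
        state: directory
        group: "{{ item.name }}"
        owner: "{{ item.name }}"
        mode: "0700"
      loop: "{{ omni_users }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"

    - name: Enforce root password
      become: true
      user:
        name: root
        # NOTE(review): expected to be a password hash, as for the other accounts.
        password: "{{ omni_users_secrets.root }}"
        state: present

    - name: Create SSH directory
      become: true
      file:
        path: "/home/{{ item.name }}/.ssh"
        owner: "{{ item.name }}"
        group: "{{ item.name }}"
        state: directory
        # Owner-only access; nothing outside the account needs to list ~/.ssh.
        mode: "0700"
      loop: "{{ omni_users }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"

    # exclusive: true makes the declared key list authoritative, so keys that
    # were added out of band are removed on the next run.
    # NOTE(review): a 'mgmt' user with no entry in omni_ssh_keys makes this task
    # fail on the lookup - confirm that sshkeys.yaml covers every mgmt account.
    - name: Update authorized keys
      become: true
      when: "'mgmt' in item.targets"
      authorized_key:
        user: "{{ item.name }}"
        key: "{{ omni_ssh_keys[item.name] | join('\n') }}"
        state: present
        exclusive: true
      loop: "{{ omni_users }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"

    - name: Enforce ownership of authorized keys
      become: true
      when: "'mgmt' in item.targets"
      file:
        path: "/home/{{ item.name }}/.ssh/authorized_keys"
        state: file
        owner: "{{ item.name }}"
        group: "{{ item.name }}"
        mode: "0400"
      loop: "{{ omni_users }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"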