--- - import_playbook: meta.yml - name: Configure system authentication hosts: all roles: - role: sshd tasks: - import_tasks: tasks/preprocess-users.yml - name: Create local user accounts tags: users_create become: true block: - name: Create groups group: name: "{{ item }}" state: present loop: "{{ omni_local_targets + ['omni'] }}" - name: Load user passwords include_vars: file: secrets/passwords.yml - name: Create users user: name: "{{ item.name }}" comment: "{{ item.fullname | default('') }}" shell: /bin/bash groups: "{{ item.targets | intersect(omni_local_targets) + ['omni'] }}" system: "{{ item.svc | default(false) }}" state: present generate_ssh_key: false password: "{{ omni_users_secrets[item.name] }}" loop: "{{ _users_local }}" - name: Delete removed user accounts become: true user: name: "{{ item }}" state: absent loop: "{{ _users_local_removed | default([]) | difference(omni_protected_users) }}" - name: Grant sudo permissions to admin user accounts become: true user: name: "{{ item.name }}" groups: "{{ 'wheel' if ansible_os_family | lower == 'redhat' else 'sudo' }}" state: present loop: "{{ _users_local_admin }}" - name: Disable sudo password for ansible become: true lineinfile: create: true path: /etc/sudoers.d/30-ansible line: "ansible ALL=(ALL) NOPASSWD:ALL" mode: 0644 - name: Disable sudo password for admin users become: true lineinfile: create: true path: /etc/sudoers.d/40-admin line: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL" mode: 0644 state: "{{ 'present' if omni_disable_sudo_password | default(false) | bool == true else 'absent' }}" loop: "{{ _users_local_admin }}" - name: Ensure proper ownership of user home directories become: true file: group: "{{ item.name }}" owner: "{{ item.name }}" path: /home/{{ item.name }} recurse: true state: directory loop: "{{ _users_local }}" - import_tasks: tasks/deploy-ssh-keys.yml