133 lines
4.3 KiB
YAML
133 lines
4.3 KiB
YAML
---
|
|
- import_playbook: dependencies.yml
|
|
|
|
- hosts: all:!network
|
|
name: Update local user accounts and access controls
|
|
tasks:
|
|
- import_tasks: tasks/users-preprocessing.yml
|
|
|
|
- name: Create local user accounts
|
|
tags: users_create
|
|
become: true
|
|
block:
|
|
- name: Create groups
|
|
group:
|
|
name: "{{ item }}"
|
|
state: present
|
|
loop: "{{ targets + ['omni'] }}"
|
|
|
|
- name: Create users
|
|
user:
|
|
name: "{{ item.name }}"
|
|
comment: "{{ item.fullname | default('') }}"
|
|
shell: /bin/bash
|
|
groups: "{{ item.targets | intersect(targets) + ['omni'] }}"
|
|
system: "{{ item.svc | default(False) }}"
|
|
state: present
|
|
generate_ssh_key: "{{ True if generate_keys | bool == true else False }}"
|
|
ssh_key_comment: "{{ item.name }}@{{ inventory_hostname }}"
|
|
ssh_key_bits: 4096
|
|
ssh_key_type: ed25519
|
|
password: "{{ item.password }}"
|
|
loop: "{{ local_users }}"
|
|
|
|
- name: Delete removed user accounts
|
|
become: true
|
|
user:
|
|
name: "{{ item }}"
|
|
state: absent
|
|
loop: "{{ local_removed_users | difference(protected_users) }}"
|
|
|
|
- name: Grant sudo permissions to admin user accounts
|
|
become: true
|
|
user:
|
|
name: "{{ item.name }}"
|
|
groups: "{{ 'wheel' if ansible_os_family | lower == 'redhat' else 'sudo' }}"
|
|
state: present
|
|
loop: "{{ local_admin_users }}"
|
|
|
|
- name: Disable sudo password for ansible
|
|
become: true
|
|
lineinfile:
|
|
create: true
|
|
path: /etc/sudoers.d/30-ansible
|
|
line: "ansible ALL=(ALL) NOPASSWD:ALL"
|
|
mode: 0644
|
|
|
|
- name: Disable sudo password for admin users
|
|
become: true
|
|
lineinfile:
|
|
create: true
|
|
path: /etc/sudoers.d/40-admin
|
|
line: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
|
|
mode: 0644
|
|
state: "{{ 'absent' if disable_sudo_password | bool == false else 'present' }}"
|
|
loop: "{{ local_admin_users }}"
|
|
|
|
- name: Configure GNOME
|
|
tags: users_gnome
|
|
when: ansible_distribution == "Fedora" and disable_gnome_user_list | bool == true
|
|
become: true
|
|
block:
|
|
- name: Configure GDM profile
|
|
blockinfile:
|
|
create: true
|
|
path: /etc/dconf/profile/gdm
|
|
block: |
|
|
user-db:user
|
|
system-db:gdm
|
|
file-db:/usr/share/gdm/greeter-dconf-defaults
|
|
- name: Configure GDM keyfile
|
|
blockinfile:
|
|
create: true
|
|
path: /etc/dconf/db/gdm.d/00-login-screen
|
|
block: |
|
|
[org/gnome/login-screen]
|
|
# Do not show the user list
|
|
disable-user-list=true
|
|
- name: Delete existing user database
|
|
file:
|
|
path: /var/lib/gdm/.config/dconf/user
|
|
state: absent
|
|
- name: Restart dconf database
|
|
shell: dconf update
|
|
|
|
- name: Ensure proper ownership of user home directories
|
|
become: true
|
|
file:
|
|
group: "{{ item.name }}"
|
|
owner: "{{ item.name }}"
|
|
path: /home/{{ item.name }}
|
|
recurse: true
|
|
state: directory
|
|
loop: "{{ local_users }}"
|
|
|
|
# - hosts: router.net.enp.one
|
|
# name: Configure users on router
|
|
# connection: network_cli
|
|
# vars:
|
|
# ansible_network_os: edgeos
|
|
# tasks:
|
|
# - import_tasks: tasks/users-preprocessing.yml
|
|
#
|
|
# - name: Create users
|
|
# edgeos_config:
|
|
# lines:
|
|
# - set system login user {{ item.name }} authentication encrypted-password "{{ item.password }}"
|
|
# - set system login user {{ item.name }} full-name "{{ item.fullname if item.fullname is defined else "" }}"
|
|
# - set system login user {{ item.name }} level {{ 'operator' if item.name != 'ansible' else 'admin' }}
|
|
# loop: "{{ local_users | difference([None]) }}"
|
|
#
|
|
# - name: Grant administrative access to admin users
|
|
# edgeos_config:
|
|
# lines:
|
|
# - set system login user {{ item.name }} level admin
|
|
# loop: "{{ local_admin_users | difference([None]) }}"
|
|
#
|
|
# - name: Assemble key files for loadkey usage
|
|
# edgeos_command:
|
|
# commands: sudo tee /tmp/{{ item.name }}.keys<<<"{{ item.sshkeys | join('\n') }}"
|
|
# loop: "{{ local_admin_users | difference([None]) }}"
|
|
#
|
|
# - import_playbook: deploy-sshkeys.yml
|