This repository has been archived on 2023-05-19. You can view files and clone it, but cannot push or open issues or pull requests.
skylab-ansible/playbooks/update.yaml

162 lines
5.0 KiB
YAML
Raw Normal View History

---
- name: Update system
hosts: all
tags:
- packages
vars_files:
- vars/packages.yaml
tasks:
- name: Update system packages via DNF
when: ansible_distribution == "Rocky"
become: true
ansible.builtin.dnf:
name: "*"
state: latest
- name: Update unix accounts
hosts: all
tags:
- accounts
- access
vars_files:
- vars/access.yaml
- vars/sshkeys.yaml
tasks:
- name: Create management groups
become: true
ansible.builtin.group:
name: "{{ item.name }}"
gid: "{{ item.gid }}"
state: present
loop:
- "{{ skylab_group }}"
- "{{ skylab_group_admin }}"
- "{{ skylab_group_automation }}"
- name: Determine existing skylab users
changed_when: false
ansible.builtin.shell:
cmd: 'grep {{ skylab_group.name }} /etc/group | cut --delimiter : --fields 4 | tr "," "\n"'
register: _existing_skylab_accounts
- name: Delete removed user accounts
become: true
when: item not in (skylab_accounts | items2dict(key_name='name', value_name='uid'))
ansible.builtin.user:
name: "{{ item }}"
state: absent
loop: "{{ _existing_skylab_accounts.stdout_lines }}"
- name: Delete removed user groups
become: true
when: item not in (skylab_accounts | items2dict(key_name='name', value_name='uid'))
ansible.builtin.group:
name: "{{ item }}"
state: absent
loop: "{{ _existing_skylab_accounts.stdout_lines }}"
- name: Delete removed user home directories
become: true
when: item not in (skylab_accounts | items2dict(key_name='name', value_name='uid'))
ansible.builtin.file:
path: "/home/{{ item }}"
state: absent
loop: "{{ _existing_skylab_accounts.stdout_lines }}"
- name: Create account groups
when: item.targets | intersect(skylab_targets)
become: true
ansible.builtin.group:
name: "{{ item.name }}"
gid: "{{ item.uid }}"
state: present
loop: "{{ skylab_accounts }}"
loop_control:
label: "{{ item.uid }},{{ item.name }}"
- name: Determine account groups
ansible.builtin.set_fact:
_determined_member_groups: "{{ _determined_member_groups | default({}) | combine({item.name: [
skylab_group.name,
'wheel' if (item.admin | default(false) and ansible_distribution == 'Rocky') else '',
'sudo' if (item.admin | default(false) and ansible_os_family == 'Debian') else '',
skylab_group_admin.name if item.admin | default(false) else '',
skylab_group_automation.name if item.service | default(false) else '',
]}) }}"
loop: "{{ skylab_accounts }}"
loop_control:
label: "{{ item.uid }},{{ item.name }}"
- name: Create accounts
when: item.targets | intersect(skylab_targets)
become: true
ansible.builtin.user:
name: "{{ item.name }}"
state: present
uid: "{{ item.uid }}"
group: "{{ item.name }}"
groups: "{{ _determined_member_groups[item.name] }}"
comment: "{{ item.fullname | default('') }}"
system: "{{ item.service | default(false) }}"
generate_ssh_key: false
password: "{{ item.password }}"
loop: "{{ skylab_accounts }}"
loop_control:
label: "{{ item.uid }},{{ item.name }}"
- name: Ensure proper ownership of user home directories
become: true
ansible.builtin.file:
path: /home/{{ item.name }}
state: directory
group: "{{ item.name }}"
owner: "{{ item.name }}"
mode: 0700
loop: "{{ skylab_accounts }}"
loop_control:
label: "{{ item.uid }},{{ item.name }}"
- name: Enforce root password
become: true
ansible.builtin.user:
name: root
password: "{{ skylab_root_password }}"
state: present
- name: Create SSH directory
become: true
ansible.builtin.file:
path: /home/{{ item.name }}/.ssh
owner: "{{ item.name }}"
group: "{{ item.name }}"
state: directory
mode: 0700
loop: "{{ skylab_accounts }}"
loop_control:
label: "{{ item.uid }},{{ item.name }}"
- name: Update authorized keys
become: true
when: item.targets | intersect(skylab_targets)
ansible.builtin.authorized_key:
user: "{{ item.name }}"
key: "{{ skylab_ssh_keys[item.name] | join('\n') }}"
state: present
exclusive: true
loop: "{{ skylab_accounts }}"
loop_control:
label: "{{ item.uid }},{{ item.name }}"
- name: Enforce ownership of authorized keys
become: true
when: item.targets | intersect(skylab_targets)
ansible.builtin.file:
path: /home/{{ item.name }}/.ssh/authorized_keys
state: file
owner: "{{ item.name }}"
group: "{{ item.name }}"
mode: 0400
loop: "{{ skylab_accounts }}"
loop_control:
label: "{{ item.uid }},{{ item.name }}"