---
# Play 1: bring all managed hosts up to date.
# Only the package manager step is defined here; it is tagged so that it can
# be selected or skipped on its own (`--tags packages` / `--skip-tags packages`).
- name: Update system
  hosts: all
  tags:
    - packages
  vars_files:
    - vars/packages.yaml
  tasks:
    # Full upgrade via dnf; the task is restricted to Rocky hosts by the
    # `when` guard, other distributions simply report "skipped".
    - name: Update system packages via DNF
      become: true
      when: ansible_distribution == 'Rocky'
      ansible.builtin.dnf:
        name: '*'
        state: latest

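# Play 2: lifecycle of the "skylab" managed accounts.
# Order of operations: create the management groups, remove members of the
# skylab group that are no longer declared in skylab_accounts, then create or
# update the declared accounts, their home directories and authorized keys.
#
# Variables consumed (loaded from vars/access.yaml and vars/sshkeys.yaml):
#   skylab_group, skylab_group_admin, skylab_group_automation:
#     mappings with `name` and `gid`
#   skylab_accounts:
#     list of mappings with `name`, `uid`, `targets`, `password` and the
#     optional `admin`, `service` and `fullname` keys
#   skylab_targets:
#     list intersected with each account's `targets` to decide whether the
#     account belongs on this host
#   skylab_ssh_keys:
#     mapping of account name -> list of public keys
#   skylab_root_password:
#     crypted password for root
- name: Update unix accounts
  hosts: all
  tags:
    - accounts
    - access
  vars_files:
    - vars/access.yaml
    - vars/sshkeys.yaml
  tasks:
    - name: Create management groups
      become: true
      ansible.builtin.group:
        name: "{{ item.name }}"
        gid: "{{ item.gid }}"
        state: present
      loop:
        - "{{ skylab_group }}"
        - "{{ skylab_group_admin }}"
        - "{{ skylab_group_automation }}"

    # Read-only: list the current members of the skylab group so that members
    # no longer declared in skylab_accounts can be removed by the three tasks
    # that follow.
    # The grep pattern is anchored to the start of the line and to the ':'
    # field separator so only this group's /etc/group entry matches; an
    # unanchored name would also match any other group containing it as a
    # substring and could feed the wrong members into the delete tasks.
    # check_mode is disabled because the task only reads; in --check the
    # registered result would otherwise have no stdout_lines.
    - name: Determine existing skylab users
      changed_when: false
      check_mode: false
      ansible.builtin.shell:
        cmd: 'grep "^{{ skylab_group.name }}:" /etc/group | cut --delimiter : --fields 4 | tr "," "\n"'
      register: _existing_skylab_accounts

    # Removal: every current group member whose name is not in skylab_accounts
    # is deleted, together with its primary group and home directory.
    - name: Delete removed user accounts
      become: true
      when: item not in (skylab_accounts | map(attribute='name') | list)
      ansible.builtin.user:
        name: "{{ item }}"
        state: absent
      loop: "{{ _existing_skylab_accounts.stdout_lines }}"

    - name: Delete removed user groups
      become: true
      when: item not in (skylab_accounts | map(attribute='name') | list)
      ansible.builtin.group:
        name: "{{ item }}"
        state: absent
      loop: "{{ _existing_skylab_accounts.stdout_lines }}"

    - name: Delete removed user home directories
      become: true
      when: item not in (skylab_accounts | map(attribute='name') | list)
      ansible.builtin.file:
        path: "/home/{{ item }}"
        state: absent
      loop: "{{ _existing_skylab_accounts.stdout_lines }}"

    # Each account gets a private group with gid == uid; created before the
    # account so that `group` below can reference it.
    - name: Create account groups
      become: true
      when: item.targets | intersect(skylab_targets)
      ansible.builtin.group:
        name: "{{ item.name }}"
        gid: "{{ item.uid }}"
        state: present
      loop: "{{ skylab_accounts }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"

    # Build a name -> [supplementary groups] mapping for all accounts.
    # Admin accounts get the distribution's sudo group (wheel on Rocky, sudo on
    # Debian-family) plus the skylab admin group; service accounts get the
    # automation group. Branches that do not apply yield '' and are dropped by
    # `select`, so the stored list holds only real group names.
    - name: Determine account groups
      ansible.builtin.set_fact:
        _determined_member_groups: "{{ _determined_member_groups | default({}) | combine({item.name: ([
          skylab_group.name,
          'wheel' if (item.admin | default(false) and ansible_distribution == 'Rocky') else '',
          'sudo' if (item.admin | default(false) and ansible_os_family == 'Debian') else '',
          skylab_group_admin.name if item.admin | default(false) else '',
          skylab_group_automation.name if item.service | default(false) else '',
          ] | select | list)}) }}"
      loop: "{{ skylab_accounts }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"

    # `password` is passed straight to ansible.builtin.user, which expects an
    # already crypted hash; a plaintext value would be written to the shadow
    # file verbatim and not work as a password.
    - name: Create accounts
      become: true
      when: item.targets | intersect(skylab_targets)
      ansible.builtin.user:
        name: "{{ item.name }}"
        state: present
        uid: "{{ item.uid }}"
        group: "{{ item.name }}"
        groups: "{{ _determined_member_groups[item.name] }}"
        comment: "{{ item.fullname | default('') }}"
        system: "{{ item.service | default(false) }}"
        generate_ssh_key: false
        password: "{{ item.password }}"
      loop: "{{ skylab_accounts }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"

    # Restricted to accounts targeted at this host, like the create tasks:
    # for an account that was never created here the chown to `item.name`
    # would fail (and the directory would be created first).
    - name: Ensure proper ownership of user home directories
      become: true
      when: item.targets | intersect(skylab_targets)
      ansible.builtin.file:
        path: "/home/{{ item.name }}"
        state: directory
        group: "{{ item.name }}"
        owner: "{{ item.name }}"
        mode: "0700"
      loop: "{{ skylab_accounts }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"

    # Same remark as for the account password: skylab_root_password must be a
    # crypted hash.
    - name: Enforce root password
      become: true
      ansible.builtin.user:
        name: root
        password: "{{ skylab_root_password }}"
        state: present

    - name: Create SSH directory
      become: true
      when: item.targets | intersect(skylab_targets)
      ansible.builtin.file:
        path: "/home/{{ item.name }}/.ssh"
        owner: "{{ item.name }}"
        group: "{{ item.name }}"
        state: directory
        mode: "0700"
      loop: "{{ skylab_accounts }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"

    # `exclusive: true` makes skylab_ssh_keys authoritative: any key present
    # in authorized_keys but absent from the variable is removed.
    # An account with no entry in skylab_ssh_keys makes this task fail with an
    # undefined variable error rather than silently keeping existing keys.
    - name: Update authorized keys
      become: true
      when: item.targets | intersect(skylab_targets)
      ansible.builtin.authorized_key:
        user: "{{ item.name }}"
        key: "{{ skylab_ssh_keys[item.name] | join('\n') }}"
        state: present
        exclusive: true
      loop: "{{ skylab_accounts }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"

    - name: Enforce ownership of authorized keys
      become: true
      when: item.targets | intersect(skylab_targets)
      ansible.builtin.file:
        path: "/home/{{ item.name }}/.ssh/authorized_keys"
        state: file
        owner: "{{ item.name }}"
        group: "{{ item.name }}"
        mode: "0400"
      loop: "{{ skylab_accounts }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"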