Ethan Paul
2814d42148
Add network group for filtering network hosts Add network target for auth'ing to network hosts Update playbooks to filter out network targets
---
# Play 1: bring every managed host's packages up to date. The `network`
# inventory group is excluded; those hosts are not package-managed here.
- name: Update system
  hosts: all,!network
  tags:
    - packages
  vars_files:
    - vars/packages.yaml
  tasks:
    # Only Rocky hosts are upgraded by this play; no equivalent task exists
    # for Debian-family hosts, so they are left untouched.
    - name: Update system packages via DNF
      become: true
      when: ansible_distribution == "Rocky"
      ansible.builtin.dnf:
        name: "*"
        state: latest
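# Play 2: reconcile local Unix accounts, groups, home directories and
# authorized SSH keys on every host except the `network` inventory group.
# Account and key data are loaded from the vars_files below
# (skylab_accounts, skylab_group*, skylab_ssh_keys, skylab_root_password;
# skylab_targets is presumably per-host inventory data -- verify).
- name: Update unix accounts
  hosts: all,!network
  tags:
    - accounts
    - access
  vars_files:
    - vars/access.yaml
    - vars/sshkeys.yaml
  vars:
    # Every account name the inventory still declares. A local member of
    # the management group that is not in this list is treated as removed.
    _skylab_account_names: "{{ skylab_accounts | map(attribute='name') | list }}"
  tasks:
    # Shared management groups (member / admin / automation); they must
    # exist before any account lists them as a secondary group.
    - name: Create management groups
      become: true
      ansible.builtin.group:
        name: "{{ item.name }}"
        gid: "{{ item.gid }}"
        state: present
      loop:
        - "{{ skylab_group }}"
        - "{{ skylab_group_admin }}"
        - "{{ skylab_group_automation }}"

    # Membership of the main management group records which accounts this
    # play has created on the host. `getent group NAME` returns only the
    # entry whose name matches exactly; a plain `grep NAME /etc/group` also
    # matched the name as a substring of other group names or member lists,
    # which could feed the wrong users -- or a blank line -- into the
    # deletion tasks below. An absent or memberless group yields an empty
    # stdout_lines, so nothing is deleted in that case.
    - name: Determine existing skylab users
      changed_when: false
      ansible.builtin.shell:
        cmd: 'getent group {{ skylab_group.name }} | cut --delimiter : --fields 4 | tr "," "\n"'
      register: _existing_skylab_accounts

    # Blank entries are dropped explicitly so that an empty item can never
    # expand to "/home/" in the home-directory deletion below.
    - name: Determine removed skylab users
      ansible.builtin.set_fact:
        _removed_skylab_accounts: "{{ _existing_skylab_accounts.stdout_lines | reject('eq', '') | list | difference(_skylab_account_names) }}"

    # The three removal steps mirror the creation steps further down:
    # account, user-private group, home directory.
    - name: Delete removed user accounts
      become: true
      ansible.builtin.user:
        name: "{{ item }}"
        state: absent
      loop: "{{ _removed_skylab_accounts }}"

    - name: Delete removed user groups
      become: true
      ansible.builtin.group:
        name: "{{ item }}"
        state: absent
      loop: "{{ _removed_skylab_accounts }}"

    - name: Delete removed user home directories
      become: true
      ansible.builtin.file:
        path: "/home/{{ item }}"
        state: absent
      loop: "{{ _removed_skylab_accounts }}"

    # Each account gets a user-private group whose gid mirrors the uid.
    # Accounts are only created on hosts named in their `targets`.
    - name: Create account groups
      become: true
      when: item.targets | intersect(skylab_targets)
      ansible.builtin.group:
        name: "{{ item.name }}"
        gid: "{{ item.uid }}"
        state: present
      loop: "{{ skylab_accounts }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"

    # Secondary groups per account: the management group always, the
    # distribution's sudo group plus the admin group for admins, and the
    # automation group for service accounts. Entries that do not apply are
    # filtered out instead of being handed to the user module as ''.
    - name: Determine account groups
      ansible.builtin.set_fact:
        _determined_member_groups: "{{ _determined_member_groups | default({}) | combine({item.name: [
            skylab_group.name,
            'wheel' if (item.admin | default(false) and ansible_distribution == 'Rocky') else '',
            'sudo' if (item.admin | default(false) and ansible_os_family == 'Debian') else '',
            skylab_group_admin.name if item.admin | default(false) else '',
            skylab_group_automation.name if item.service | default(false) else '',
          ] | reject('eq', '') | list}) }}"
      loop: "{{ skylab_accounts }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"

    # `password` must already be a crypt(3)-style hash: the user module
    # stores the value as given and does not hash plaintext.
    - name: Create accounts
      become: true
      when: item.targets | intersect(skylab_targets)
      ansible.builtin.user:
        name: "{{ item.name }}"
        state: present
        uid: "{{ item.uid }}"
        group: "{{ item.name }}"
        groups: "{{ _determined_member_groups[item.name] }}"
        comment: "{{ item.fullname | default('') }}"
        system: "{{ item.service | default(false) }}"
        generate_ssh_key: false
        password: "{{ item.password }}"
      loop: "{{ skylab_accounts }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"

    # Gated on `targets` like the creation tasks: on a host where the
    # account was never created the owner lookup would fail the task.
    # File modes are quoted so YAML does not read them as integers.
    - name: Ensure proper ownership of user home directories
      become: true
      when: item.targets | intersect(skylab_targets)
      ansible.builtin.file:
        path: "/home/{{ item.name }}"
        state: directory
        owner: "{{ item.name }}"
        group: "{{ item.name }}"
        mode: "0700"
      loop: "{{ skylab_accounts }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"

    - name: Enforce root password
      become: true
      ansible.builtin.user:
        name: root
        password: "{{ skylab_root_password }}"
        state: present

    - name: Create SSH directory
      become: true
      when: item.targets | intersect(skylab_targets)
      ansible.builtin.file:
        path: "/home/{{ item.name }}/.ssh"
        owner: "{{ item.name }}"
        group: "{{ item.name }}"
        state: directory
        mode: "0700"
      loop: "{{ skylab_accounts }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"

    # `exclusive: true` makes the listed keys the complete contents of
    # authorized_keys, so keys added by hand on the host are removed.
    # Every targeted account is expected to have an entry in
    # skylab_ssh_keys; a missing one fails this task (undefined variable).
    - name: Update authorized keys
      become: true
      when: item.targets | intersect(skylab_targets)
      ansible.builtin.authorized_key:
        user: "{{ item.name }}"
        key: "{{ skylab_ssh_keys[item.name] | join('\n') }}"
        state: present
        exclusive: true
      loop: "{{ skylab_accounts }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"

    - name: Enforce ownership of authorized keys
      become: true
      when: item.targets | intersect(skylab_targets)
      ansible.builtin.file:
        path: "/home/{{ item.name }}/.ssh/authorized_keys"
        state: file
        owner: "{{ item.name }}"
        group: "{{ item.name }}"
        mode: "0400"
      loop: "{{ skylab_accounts }}"
      loop_control:
        label: "{{ item.uid }},{{ item.name }}"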