---
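# Unix account
#
# Inputs come from the 'user' dict. Required: name, uid, fullname,
# password_hash. Optional (used further down): groups, ssh_key, ssh_keys.
# 'user.name' is interpolated into command lines, into file paths
# (/home/<name>), into a regexp (the /etc/aliases entry) and into
# /etc/passwd, so it is validated before anything else runs.

- name: "Fail if 'user.name' is missing or empty"
  fail:
    msg: "You must provide a value for the 'user.name' variable."
  when: (user.name is not defined) or (user.name | length == 0)

# Only accept plain login names: no leading '-' (would be parsed as an
# option by id/useradd), no '/', ':' or whitespace (path, passwd-field and
# command-line separators), at most 32 characters (useradd's limit).
- name: "Fail if '{{ user.name }}' is not a valid login name"
  fail:
    msg: "'{{ user.name }}' is not a valid login name (expected ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$)."
  when: (user.name | string) is not match('^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$')

# The uid is passed to 'id' and to the user module; anything but a
# non-negative integer is rejected here instead of failing later on.
- name: "Fail if 'user.uid' is missing or not a numeric uid"
  fail:
    msg: "You must provide a numeric value for the 'user.uid' variable."
  when: (user.uid is not defined) or ((user.uid | string) is not match('^[0-9]+$'))

# The value of 'password' is handed to the user module as the account's
# password field as-is; an empty string would leave the account without a
# password. Callers must give a crypt(3) hash, or '!' / '*' to keep the
# password locked.
- name: "Fail if 'user.password_hash' is missing or empty"
  fail:
    msg: "You must provide a value for the 'user.password_hash' variable (a crypt(3) hash, or '!'/'*' for a locked password)."
  when: (user.password_hash is not defined) or (user.password_hash | string | length == 0)

# Probe the current state with 'id'. '--' and the 'quote' filter keep a
# user-supplied value from being read as an option or split into several
# arguments; a non-zero rc simply means "not found".
- name: "Test if '{{ user.name }}' exists"
  command: "id -u -- {{ user.name | quote }}"
  register: get_id_from_login
  failed_when: false
  changed_when: false
  check_mode: false

- name: "Test if uid '{{ user.uid }}' exists"
  command: "id -un -- {{ user.uid | string | quote }}"
  register: get_login_from_id
  failed_when: false
  changed_when: false
  check_mode: false

# Error if the uid already exists and the account owning it is not the
# desired user: we never reassign a uid that belongs to someone else.
- name: "Fail if uid already exists for another user"
  fail:
    msg: "Uid '{{ user.uid }}' is already used by '{{ get_login_from_id.stdout }}'. You must change uid for '{{ user.name }}'"
  when:
    - get_login_from_id.rc == 0
    - get_login_from_id.stdout != user.name

# Create/Update the account with the requested uid when either
#   - neither the login nor the uid exists yet, or
#   - the login exists and already owns that uid.
# 'update_password: on_create' means an existing account keeps its current
# password; only a freshly created account gets 'user.password_hash'.
- name: "Unix account for '{{ user.name }}' is present (with uid '{{ user.uid }}')"
  user:
    state: present
    uid: '{{ user.uid }}'
    name: '{{ user.name }}'
    comment: '{{ user.fullname }}'
    shell: /bin/bash
    password: '{{ user.password_hash }}'
    update_password: "on_create"
  when:
    - (get_id_from_login.rc != 0 and get_login_from_id.rc != 0) or (get_id_from_login.rc == 0 and get_login_from_id.stdout == user.name)

# Otherwise the login already exists with a different uid (and the
# requested uid is free, or the task above would have failed): make sure
# the account is present without touching its uid, so an existing account
# is never renumbered.
# NOTE(review): the first alternative below (login absent, uid taken) can
# no longer be reached because "Fail if uid already exists for another
# user" stops the play in that case; it is kept so the two 'when' clauses
# stay complementary.
- name: "Unix account for '{{ user.name }}' is present (keeping its current uid)"
  user:
    state: present
    name: '{{ user.name }}'
    comment: '{{ user.fullname }}'
    shell: /bin/bash
    password: '{{ user.password_hash }}'
    update_password: "on_create"
  when:
    - (get_id_from_login.rc != 0 and get_login_from_id.rc == 0) or (get_id_from_login.rc == 0 and get_login_from_id.stdout != user.name)

# Local mail for the account is redirected to root.
- name: Is /etc/aliases present?
  stat:
    path: /etc/aliases
  register: etc_aliases

# 'regex_escape' (Ansible >= 2.8) keeps a '.' in the login name from
# matching another user's alias line.
- name: Set mail alias
  lineinfile:
    state: present
    path: /etc/aliases
    line: '{{ user.name }}: root'
    regexp: '^{{ user.name | regex_escape }}:'
  when: etc_aliases.stat.exists
  notify: "newaliases"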
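# Unix groups

## Group for SSH authorizations
# 'evolinux_ssh_group' is required (an undefined value aborts the task).
# NOTE(review): presumably sshd only accepts members of this group
# (AllowGroups or a Match block managed by another role) — confirm; this
# file only guarantees membership.

- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 or later)"
  group:
    name: "{{ evolinux_ssh_group }}"
    state: present
  when: ansible_distribution_major_version is version('10', '>=')

- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 or later)"
  user:
    name: '{{ user.name }}'
    groups: "{{ evolinux_ssh_group }}"
    append: true  # add this membership, keep the existing ones
  when: ansible_distribution_major_version is version('10', '>=')

## Optional group for all evolinux users
# Skipped entirely when 'evolinux_internal_group' is unset or empty.

- name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 or later)"
  group:
    name: "{{ evolinux_internal_group }}"
    state: present
  when:
    - evolinux_internal_group is defined
    - evolinux_internal_group | length > 0
    - ansible_distribution_major_version is version('9', '>=')

- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 or later)"
  user:
    name: '{{ user.name }}'
    groups: "{{ evolinux_internal_group }}"
    append: true
  when:
    - evolinux_internal_group is defined
    - evolinux_internal_group | length > 0
    - ansible_distribution_major_version is version('9', '>=')

## Optional secondary groups, defined per user ('user.groups', a list)
# Every listed group is created if missing, then the user is added to all
# of them. Memberships not listed here are left untouched ('append').

- name: "Secondary Unix groups are present"
  group:
    name: "{{ group }}"
    state: present
  loop: "{{ user.groups }}"
  loop_control:
    loop_var: group
  when:
    - user.groups is defined
    - user.groups | length > 0

- name: "Unix user '{{ user.name }}' belongs to secondary groups"
  user:
    name: '{{ user.name }}'
    groups: "{{ user.groups | join(',') }}"
    append: true
  when:
    - user.groups is defined
    - user.groups | length > 0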
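# Permissions on home directory
# NOTE(review): the home is assumed to be /home/<name>; the user tasks
# above are not registered, so the account's actual 'home' value is not
# available here — confirm if non-default home directories are ever used.
# 'owner'/'group' are set so that, should the directory have to be created
# here, it does not end up root-owned with mode 0700 (which would lock the
# user out of their own home). The group assumes a user-private group, as
# the .ssh task below already does.

- name: "Home directory for '{{ user.name }}' is not accessible by group and other users"
  file:
    path: '/home/{{ user.name }}'
    state: directory
    owner: '{{ user.name }}'
    group: '{{ user.name }}'
    mode: "0700"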
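# Evomaintenance
# A 'trap ... 0' in ~/.profile runs /usr/share/scripts/evomaintenance.sh
# through sudo when the login shell exits.
# NOTE(review): this relies on a matching sudoers rule and on the script
# being installed, both managed elsewhere — confirm.

# The path is built from a user-supplied name, hence the 'quote' filter;
# '--' ends option parsing. grep only reports through its rc: 0 = trap
# already mentioned (active or commented out), non-zero = absent or no
# ~/.profile at all.
- name: Search profile for presence of evomaintenance
  command: >-
    grep -q -- "trap.*sudo.*evomaintenance.sh"
    {{ ('/home/' ~ user.name ~ '/.profile') | quote }}
  changed_when: false
  failed_when: false
  check_mode: false
  register: grep_profile_evomaintenance

## Don't add the trap if it is present or commented
# The grep pattern above deliberately matches a commented-out trap as
# well, so an admin who disabled it by commenting is respected.
# lineinfile does not create the file: a missing ~/.profile fails loudly.
- name: "User '{{ user.name }}' has its shell trap for evomaintenance"
  lineinfile:
    state: present
    path: '/home/{{ user.name }}/.profile'
    insertafter: EOF
    line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
  when: grep_profile_evomaintenance.rc != 0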
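# SSH keys
# Keys are only ever added ('state: present', no 'exclusive'): a key that
# disappears from 'user.ssh_key' / 'user.ssh_keys' is NOT removed from the
# server. Revocation has to be done explicitly (e.g. 'state: absent').

- name: "SSH directory for '{{ user.name }}' is present"
  file:
    path: '/home/{{ user.name }}/.ssh/'
    state: directory
    owner: '{{ user.name }}'
    group: '{{ user.name }}'  # assumes a user-private group (Debian default)
    mode: "0700"

# Single key, as a string.
- name: "SSH public key for '{{ user.name }}' is present"
  authorized_key:
    user: "{{ user.name }}"
    key: "{{ user.ssh_key }}"
    state: present
  when:
    - user.ssh_key is defined
    - user.ssh_key | length > 0

# Several keys, as a list of strings; each entry is added on its own so a
# bad key only fails that item.
- name: "SSH public keys for '{{ user.name }}' are present"
  authorized_key:
    user: "{{ user.name }}"
    key: "{{ ssh_pubkey }}"
    state: present
  loop: "{{ user.ssh_keys }}"
  loop_control:
    loop_var: ssh_pubkey
  when:
    - user.ssh_keys is defined
    - user.ssh_keys | length > 0

# Run pending handlers (e.g. 'newaliases') now instead of at the end of
# the play, so the account is fully usable once this file has run.
- meta: flush_handlers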