Jérémy Dubois
78686b8730
Fix #34 again After some discussions, with actually need two separates groups : - One group for ssh access (evobsd_ssh_group) - One group for sudo/doas access (evobsd_sudo_group) We won't need any client group. A client user will be added to the ssh group, so that we won't have to think about what specific group a user need to be added in.
56 lines
1.2 KiB
YAML
56 lines
1.2 KiB
YAML
---
|
|
- name: "Group '{{ user.name }}' is present"
|
|
group:
|
|
state: present
|
|
name: "{{ user.name }}"
|
|
gid: "{{ user.uid }}"
|
|
|
|
- name: "User '{{ user.name }}' is present"
|
|
user:
|
|
state: present
|
|
name: '{{ user.name }}'
|
|
uid: '{{ user.uid }}'
|
|
password: '{{ user.password_hash_openbsd }}'
|
|
group: "{{ user.name }}"
|
|
groups: wheel
|
|
shell: /bin/ksh
|
|
append: true
|
|
tags:
|
|
- admin
|
|
|
|
- name: "Home directory for '{{ user.name }}' is only accesible by owner"
|
|
file:
|
|
name: '/home/{{ user.name }}'
|
|
mode: "0700"
|
|
owner: "{{ user.name }}"
|
|
group: "{{ user.name }}"
|
|
state: directory
|
|
|
|
- name: "SSH public keys for '{{ user.name }}' are present"
|
|
authorized_key:
|
|
user: "{{ user.name }}"
|
|
key: "{{ ssk_key }}"
|
|
state: present
|
|
with_items: "{{ user.ssh_keys }}"
|
|
loop_control:
|
|
loop_var: ssk_key
|
|
when: user.ssh_keys is defined
|
|
tags:
|
|
- admin
|
|
|
|
- name: "Add {{ user.name }} to {{ evobsd_ssh_group }} group"
|
|
user:
|
|
name: "{{ user.name }}"
|
|
groups: "{{ evobsd_ssh_group }}"
|
|
append: true
|
|
tags:
|
|
- admin
|
|
|
|
- name: "Add {{ user.name }} to {{ evobsd_sudo_group }} group"
|
|
user:
|
|
name: "{{ user.name }}"
|
|
groups: "{{ evobsd_sudo_group }}"
|
|
append: true
|
|
tags:
|
|
- admin
|