admin-users: users are in sudo group for Stretch

2017-07-27 18:58:16 -04:00 · 2017-07-27 18:58:16 -04:00 · 2dfd384fb8
parent 2fc65d1b8b
commit 2dfd384fb8
7 changed files with 99 additions and 75 deletions
--- a/admin-users/tasks/debian/main.yml
+++ b/admin-users/tasks/debian/main.yml
@ -0,0 +1,15 @@
+---
+
+- include: user.yml
+
+- include: profile.yml
+
+- include: ssh.yml
+
+- include: sudo_jessie.yml
+  when: ansible_distribution_release == 'jessie'
+
+- include: sudo_stretch.yml
+  when: ansible_distribution_release == 'stretch'
+
+- meta: flush_handlers
--- a/admin-users/tasks/debian/profile.yml
+++ b/admin-users/tasks/debian/profile.yml
@ -0,0 +1,15 @@
+---
+
+- name: is evomaintenance installed?
+  stat:
+    path: "/usr/share/scripts/evomaintenance.sh"
+  register: evomaintenance_script
+  check_mode: no
+
+- name: "Add evomaintenance trap for '{{ user.name }}'"
+  lineinfile:
+    state: present
+    dest: '/home/{{ user.name }}/.profile'
+    insertafter: EOF
+    line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
+  when: evomaintenance_script.stat.exists
--- a/admin-users/tasks/adduser_debian.yml
+++ b/admin-users/tasks/adduser_debian.yml
@ -1,52 +1,5 @@
 ---

- name: "Test if uid exists for '{{ user.name }}'"
-  command: 'getent passwd {{ user.uid }}'
-  register: uidisbusy
-  failed_when: False
-  changed_when: False
-  check_mode: no
-
- name: "Add Unix account with classical uid for '{{ user.name }}'"
-  user:
-   state: present
-   uid: '{{ user.uid }}'
-   name: '{{ user.name }}'
-   comment: '{{ user.fullname }}'
-   shell: /bin/bash
-   password: '{{ user.password_hash }}'
-   update_password: on_create
-  when: uidisbusy.rc != 0
-
- name: "Add Unix account with random uid for '{{ user.name }}'"
-  user:
-   state: present
-   name: '{{ user.name }}'
-   comment: '{{ user.fullname }}'
-   shell: /bin/bash
-   password: '{{ user.password_hash }}'
-   update_password: on_create
-  when: uidisbusy.rc == 0
-
- name: "Fix perms on homedirectory for '{{ user.name }}'"
-  file:
-   name: '/home/{{ user.name }}'
-   mode: "0700"
-   state: directory
-
- name: is evomaintenance installed?
-  stat:
-    path: "/usr/share/scripts/evomaintenance.sh"
-  register: evomaintenance_script
-  check_mode: no
-
- name: "Add evomaintenance trap for '{{ user.name }}'"
-  lineinfile:
-    state: present
-    dest: '/home/{{ user.name }}/.profile'
-    insertafter: EOF
-    line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
-  when: evomaintenance_script.stat.exists

 - name: "Create .ssh directory for '{{ user.name }}'"
  file:
@ -111,27 +64,3 @@
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
  when: grep_matchuser_ssh.rc == 0
-
- name: Verify Evolinux sudoers file presence
-  template:
-    src: sudoers_debian.j2
-    dest: /etc/sudoers.d/evolinux
-    force: false
-    validate: '/usr/sbin/visudo -cf %s'
-  register: copy_sudoers_evolinux
-
- name: Verify Evolinux sudoers file permissions
-  file:
-    path: /etc/sudoers.d/evolinux
-    mode: "0440"
-    state: file
-
- name: "Add user in sudoers file for '{{ user.name }}'"
-  replace:
-    dest: /etc/sudoers.d/evolinux
-    regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$'
-    replace: '\1,{{ user.name }}'
-    validate: '/usr/sbin/visudo -cf %s'
-  when: not copy_sudoers_evolinux.changed
-
- meta: flush_handlers
--- a/admin-users/tasks/debian/sudo_jessie.yml
+++ b/admin-users/tasks/debian/sudo_jessie.yml
@ -0,0 +1,23 @@
+---
+
+- name: Verify Evolinux sudoers file presence
+  template:
+    src: sudoers_debian.j2
+    dest: /etc/sudoers.d/evolinux
+    force: false
+    validate: '/usr/sbin/visudo -cf %s'
+  register: copy_sudoers_evolinux
+
+- name: Verify Evolinux sudoers file permissions
+  file:
+    path: /etc/sudoers.d/evolinux
+    mode: "0440"
+    state: file
+
+- name: "Add user in sudoers file for '{{ user.name }}'"
+  replace:
+    dest: /etc/sudoers.d/evolinux
+    regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$'
+    replace: '\1,{{ user.name }}'
+    validate: '/usr/sbin/visudo -cf %s'
+  when: not copy_sudoers_evolinux.changed
--- a/admin-users/tasks/debian/sudo_stretch.yml
+++ b/admin-users/tasks/debian/sudo_stretch.yml
@ -0,0 +1,7 @@
+---
+
+- name: "'{{ user.name }}' is in the sudo group"
+  user:
+    name: "{{ user.name }}"
+    groups: sudo
+    append: yes
--- a/admin-users/tasks/debian/user.yml
+++ b/admin-users/tasks/debian/user.yml
@ -0,0 +1,35 @@
+---
+
+- name: "Test if uid exists for '{{ user.name }}'"
+  command: 'getent passwd {{ user.uid }}'
+  register: uidisbusy
+  failed_when: False
+  changed_when: False
+  check_mode: no
+
+- name: "Add Unix account with classical uid for '{{ user.name }}'"
+  user:
+   state: present
+   uid: '{{ user.uid }}'
+   name: '{{ user.name }}'
+   comment: '{{ user.fullname }}'
+   shell: /bin/bash
+   password: '{{ user.password_hash }}'
+   update_password: on_create
+  when: uidisbusy.rc != 0
+
+- name: "Add Unix account with random uid for '{{ user.name }}'"
+  user:
+   state: present
+   name: '{{ user.name }}'
+   comment: '{{ user.fullname }}'
+   shell: /bin/bash
+   password: '{{ user.password_hash }}'
+   update_password: on_create
+  when: uidisbusy.rc == 0
+
+- name: "Fix perms on homedirectory for '{{ user.name }}'"
+  file:
+   name: '/home/{{ user.name }}'
+   mode: "0700"
+   state: directory
--- a/admin-users/tasks/main.yml
+++ b/admin-users/tasks/main.yml
@ -1,15 +1,15 @@
 ---

 - debug:
-    msg: "Warning: empty variable 'admin_users' admin-users tasks will skipped!"
+    msg: "Warning: empty 'admin_users' variable, tasks will be skipped!"
  when: admin_users == {}

- include: adduser_debian.yml
+- include: debian/main.yml
  vars:
    user: "{{ item.value }}"
  with_dict: "{{ admin_users }}"
  when: ansible_distribution == "Debian" and admin_users != {}

-# - include: adduser_openbsd.yml user={{ item.value }}
+# - include: openbsd/main.yml user={{ item.value }}
 #   with_dict: "{{ admin_users }}"
-#   when: ansible_distribution == "OpenBSD"
+#   when: ansible_distribution == "OpenBSD" and admin_users != {}