Merge branch 'ssh-groups' into unstable
This commit is contained in:
commit
6daf6877c1
|
@ -14,6 +14,7 @@ The **patch** part changes incrementally at each release.
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
* evolinux-base: fail2ban is not enabled by default
|
* evolinux-base: fail2ban is not enabled by default
|
||||||
|
* evolinux-users: refactoring of the SSH configuration
|
||||||
* mysql-oracle: copy evolinux config files in mysql.cond.d
|
* mysql-oracle: copy evolinux config files in mysql.cond.d
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
@ -53,6 +54,7 @@ The **patch** part changes incrementally at each release.
|
||||||
* elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`)
|
* elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`)
|
||||||
* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
|
* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
|
||||||
* evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues)
|
* evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues)
|
||||||
|
* evolinux-users: split AllowGroups/AllowUsers modes for SSH directives
|
||||||
* mongodb: allow unauthenticated packages for Jessie
|
* mongodb: allow unauthenticated packages for Jessie
|
||||||
* mongodb: configuration is forced by default but it's configurable (default: `false`)
|
* mongodb: configuration is forced by default but it's configurable (default: `false`)
|
||||||
* mongodb: rename logrotate script
|
* mongodb: rename logrotate script
|
||||||
|
|
|
@ -63,16 +63,16 @@
|
||||||
|
|
||||||
- name: "Get current user"
|
- name: "Get current user"
|
||||||
command: logname
|
command: logname
|
||||||
|
changed_when: False
|
||||||
register: logname
|
register: logname
|
||||||
check_mode: no
|
check_mode: no
|
||||||
changed_when: False
|
|
||||||
when: evolinux_ssh_allow_current_user
|
when: evolinux_ssh_allow_current_user
|
||||||
|
|
||||||
# we must double-escape caracters, because python
|
# we must double-escape caracters, because python
|
||||||
- name: verify AllowUsers directive
|
- name: verify AllowUsers directive
|
||||||
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
||||||
changed_when: False
|
|
||||||
failed_when: False
|
failed_when: False
|
||||||
|
changed_when: False
|
||||||
register: grep_allowusers_ssh
|
register: grep_allowusers_ssh
|
||||||
check_mode: no
|
check_mode: no
|
||||||
when: evolinux_ssh_allow_current_user
|
when: evolinux_ssh_allow_current_user
|
||||||
|
|
|
@ -1,4 +1,7 @@
|
||||||
---
|
---
|
||||||
evolinux_users: {}
|
evolinux_users: {}
|
||||||
|
|
||||||
evolinux_sudo_group: "evolinux-sudo"
|
evolinux_sudo_group: "evolinux-sudo"
|
||||||
|
evolinux_ssh_group: "evolinux-ssh"
|
||||||
|
|
||||||
evolinux_root_disable_ssh: True
|
evolinux_root_disable_ssh: True
|
||||||
|
|
|
@ -1,57 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: "Test if '{{ user.name }}' exists"
|
|
||||||
command: 'getent passwd {{ user.name }}'
|
|
||||||
register: loginisbusy
|
|
||||||
failed_when: False
|
|
||||||
changed_when: False
|
|
||||||
check_mode: no
|
|
||||||
|
|
||||||
- name: "Test if uid exists for '{{ user.name }}'"
|
|
||||||
command: 'getent passwd {{ user.uid }}'
|
|
||||||
register: uidisbusy
|
|
||||||
failed_when: False
|
|
||||||
changed_when: False
|
|
||||||
check_mode: no
|
|
||||||
|
|
||||||
- name: "Add Unix account with classical uid for '{{ user.name }}'"
|
|
||||||
user:
|
|
||||||
state: present
|
|
||||||
uid: '{{ user.uid }}'
|
|
||||||
name: '{{ user.name }}'
|
|
||||||
comment: '{{ user.fullname }}'
|
|
||||||
shell: /bin/bash
|
|
||||||
password: '{{ user.password_hash }}'
|
|
||||||
update_password: on_create
|
|
||||||
when: loginisbusy.rc != 0 and uidisbusy.rc != 0
|
|
||||||
|
|
||||||
- name: "Add Unix account with random uid for '{{ user.name }}'"
|
|
||||||
user:
|
|
||||||
state: present
|
|
||||||
name: '{{ user.name }}'
|
|
||||||
comment: '{{ user.fullname }}'
|
|
||||||
shell: /bin/bash
|
|
||||||
password: '{{ user.password_hash }}'
|
|
||||||
update_password: on_create
|
|
||||||
when: loginisbusy.rc != 0 and uidisbusy.rc == 0
|
|
||||||
|
|
||||||
- name: "Create secondary groups"
|
|
||||||
group:
|
|
||||||
name: "{{ group }}"
|
|
||||||
with_items: "{{ user.groups }}"
|
|
||||||
loop_control:
|
|
||||||
loop_var: group
|
|
||||||
when: user.groups is defined
|
|
||||||
|
|
||||||
- name: "Add user '{{ user.name }}' to secondary groups"
|
|
||||||
user:
|
|
||||||
name: '{{ user.name }}'
|
|
||||||
groups: "{{ user.groups }}"
|
|
||||||
append: yes
|
|
||||||
when: user.groups is defined
|
|
||||||
|
|
||||||
- name: "Fix perms on home directory for '{{ user.name }}'"
|
|
||||||
file:
|
|
||||||
name: '/home/{{ user.name }}'
|
|
||||||
mode: "0700"
|
|
||||||
state: directory
|
|
|
@ -1,9 +1,10 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- fail:
|
- assert:
|
||||||
|
that:
|
||||||
|
- ansible_distribution == "Debian"
|
||||||
|
- ansible_distribution_major_version | version_compare('8', '>=')
|
||||||
msg: only compatible with Debian >= 8
|
msg: only compatible with Debian >= 8
|
||||||
when:
|
|
||||||
- ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
|
|
||||||
|
|
||||||
- debug:
|
- debug:
|
||||||
msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!"
|
msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!"
|
||||||
|
@ -16,5 +17,13 @@
|
||||||
with_dict: "{{ evolinux_users }}"
|
with_dict: "{{ evolinux_users }}"
|
||||||
when: evolinux_users != {}
|
when: evolinux_users != {}
|
||||||
|
|
||||||
- include: root_disable_ssh.yml
|
- name: Configure sudo
|
||||||
when: evolinux_root_disable_ssh
|
include: sudo.yml
|
||||||
|
vars:
|
||||||
|
user: "{{ item.value }}"
|
||||||
|
with_dict: "{{ evolinux_users }}"
|
||||||
|
when: evolinux_users != {}
|
||||||
|
|
||||||
|
- name: Configure SSH
|
||||||
|
include: ssh.yml
|
||||||
|
when: evolinux_users != {}
|
||||||
|
|
|
@ -1,18 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: search profile for presence of evomaintenance
|
|
||||||
command: 'grep -q "trap.*sudo.*evomaintenance.sh"'
|
|
||||||
changed_when: False
|
|
||||||
failed_when: False
|
|
||||||
check_mode: no
|
|
||||||
register: grep_profile_evomaintenance
|
|
||||||
|
|
||||||
# Don't add the trap if it is present or commented
|
|
||||||
- name: "Add evomaintenance trap for '{{ user.name }}'"
|
|
||||||
lineinfile:
|
|
||||||
state: present
|
|
||||||
dest: '/home/{{ user.name }}/.profile'
|
|
||||||
insertafter: EOF
|
|
||||||
line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
|
|
||||||
create: yes
|
|
||||||
when: grep_profile_evomaintenance.rc != 0
|
|
|
@ -1,17 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: disable root login
|
|
||||||
replace:
|
|
||||||
dest: /etc/ssh/sshd_config
|
|
||||||
regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
|
|
||||||
replace: "PermitRootLogin no"
|
|
||||||
notify: reload sshd
|
|
||||||
|
|
||||||
### Disabled : it seems useless and too dangerous for now
|
|
||||||
# - name: remove root from AllowUsers directive
|
|
||||||
# replace:
|
|
||||||
# dest: /etc/ssh/sshd_config
|
|
||||||
# regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
|
|
||||||
# replace: '\1\4'
|
|
||||||
# validate: '/usr/sbin/sshd -T -f %s'
|
|
||||||
# notify: reload sshd
|
|
|
@ -1,97 +1,64 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|
||||||
- name: "Create .ssh directory for '{{ user.name }}'"
|
|
||||||
file:
|
|
||||||
dest: '/home/{{ user.name }}/.ssh/'
|
|
||||||
state: directory
|
|
||||||
mode: "0700"
|
|
||||||
owner: '{{ user.name }}'
|
|
||||||
group: '{{ user.name }}'
|
|
||||||
|
|
||||||
- name: "Add user's SSH public key for '{{ user.name }}'"
|
|
||||||
authorized_key:
|
|
||||||
user: "{{ user.name }}"
|
|
||||||
key: "{{ user.ssh_key }}"
|
|
||||||
state: present
|
|
||||||
when: user.ssh_key is defined
|
|
||||||
|
|
||||||
- name: "Add user's SSH public keys for '{{ user.name }}'"
|
|
||||||
authorized_key:
|
|
||||||
user: "{{ user.name }}"
|
|
||||||
key: "{{ ssk_key }}"
|
|
||||||
state: present
|
|
||||||
with_items: "{{ user.ssh_keys }}"
|
|
||||||
loop_control:
|
|
||||||
loop_var: ssk_key
|
|
||||||
when: user.ssh_keys is defined
|
|
||||||
|
|
||||||
- name: verify AllowGroups directive
|
- name: verify AllowGroups directive
|
||||||
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
||||||
changed_when: False
|
changed_when: False
|
||||||
failed_when: False
|
failed_when: False
|
||||||
register: grep_allowgroups_ssh
|
|
||||||
check_mode: no
|
check_mode: no
|
||||||
|
register: grep_allowgroups_ssh
|
||||||
|
|
||||||
# If AllowGroups is present, we don't change
|
|
||||||
- debug:
|
- debug:
|
||||||
msg: "AllowGroups detected : You have to configure SSH manually"
|
var: grep_allowgroups_ssh
|
||||||
when: grep_allowgroups_ssh.rc == 0
|
verbosity: 1
|
||||||
|
|
||||||
- block:
|
|
||||||
# If AllowGroups is not present, we proceed as usual
|
|
||||||
- name: verify AllowUsers directive
|
- name: verify AllowUsers directive
|
||||||
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
||||||
changed_when: False
|
changed_when: False
|
||||||
failed_when: False
|
failed_when: False
|
||||||
|
check_mode: no
|
||||||
register: grep_allowusers_ssh
|
register: grep_allowusers_ssh
|
||||||
check_mode: no
|
|
||||||
|
|
||||||
- name: "Add AllowUsers sshd directive for '{{ user.name }}'"
|
- debug:
|
||||||
lineinfile:
|
var: grep_allowusers_ssh
|
||||||
dest: /etc/ssh/sshd_config
|
verbosity: 1
|
||||||
line: "\nAllowUsers {{ user.name }}"
|
|
||||||
insertafter: 'Subsystem'
|
|
||||||
validate: '/usr/sbin/sshd -T -f %s'
|
|
||||||
notify: reload sshd
|
|
||||||
when: grep_allowusers_ssh.rc != 0
|
|
||||||
|
|
||||||
- name: "Modify AllowUsers sshd directive for '{{ user.name }}'"
|
- assert:
|
||||||
|
that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
|
||||||
|
msg: "We can't deal with AllowUsers and AllowGroups at the same time"
|
||||||
|
|
||||||
|
- set_fact:
|
||||||
|
# If "AllowGroups is present" or "AllowUsers is absent and Debian 9+",
|
||||||
|
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('9', '>='))) }}"
|
||||||
|
# If "AllowGroups is absent" and "AllowUsers is absent or Debian <9"
|
||||||
|
ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('9', '<'))) }}"
|
||||||
|
|
||||||
|
- debug:
|
||||||
|
var: ssh_allowgroups
|
||||||
|
verbosity: 1
|
||||||
|
|
||||||
|
- debug:
|
||||||
|
var: ssh_allowusers
|
||||||
|
verbosity: 1
|
||||||
|
|
||||||
|
- include: ssh_allowgroups.yml
|
||||||
|
when:
|
||||||
|
- ssh_allowgroups
|
||||||
|
- not ssh_allowusers
|
||||||
|
|
||||||
|
- include: ssh_allowusers.yml
|
||||||
|
vars:
|
||||||
|
user: "{{ item.value }}"
|
||||||
|
with_dict: "{{ evolinux_users }}"
|
||||||
|
when:
|
||||||
|
- ssh_allowusers
|
||||||
|
- not ssh_allowgroups
|
||||||
|
|
||||||
|
- name: disable root login
|
||||||
replace:
|
replace:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
|
regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
|
||||||
replace: '\1 {{ user.name }}'
|
replace: "PermitRootLogin no"
|
||||||
validate: '/usr/sbin/sshd -T -f %s'
|
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
when: grep_allowusers_ssh.rc == 0
|
when: evolinux_root_disable_ssh
|
||||||
|
|
||||||
- name: "verify Match User directive"
|
- meta: flush_handlers
|
||||||
command: "grep 'Match User' /etc/ssh/sshd_config"
|
|
||||||
changed_when: False
|
|
||||||
failed_when: False
|
|
||||||
register: grep_matchuser_ssh
|
|
||||||
check_mode: no
|
|
||||||
|
|
||||||
- name: "Add Match User sshd directive for '{{ user.name }}' (Jessie)"
|
|
||||||
lineinfile:
|
|
||||||
dest: /etc/ssh/sshd_config
|
|
||||||
line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
|
|
||||||
insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
|
|
||||||
validate: '/usr/sbin/sshd -T -f %s'
|
|
||||||
notify: reload sshd
|
|
||||||
when:
|
|
||||||
- ansible_distribution_release == "jessie"
|
|
||||||
- grep_matchuser_ssh.rc != 0
|
|
||||||
|
|
||||||
- name: "Modify Match User's sshd directive for '{{ user.name }}' (Jessie)"
|
|
||||||
replace:
|
|
||||||
dest: /etc/ssh/sshd_config
|
|
||||||
regexp: '^(Match User ((?!{{ user.name }}).)*)$'
|
|
||||||
replace: '\1,{{ user.name }}'
|
|
||||||
validate: '/usr/sbin/sshd -T -f %s'
|
|
||||||
notify: reload sshd
|
|
||||||
when:
|
|
||||||
- ansible_distribution_release == "jessie"
|
|
||||||
- grep_matchuser_ssh.rc == 0
|
|
||||||
|
|
||||||
when: grep_allowgroups_ssh.rc != 0
|
|
||||||
|
|
28
evolinux-users/tasks/ssh_allowgroups.yml
Normal file
28
evolinux-users/tasks/ssh_allowgroups.yml
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
# this check must be repeated for each user
|
||||||
|
# even if it's been done before
|
||||||
|
- name: verify AllowGroups directive
|
||||||
|
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
||||||
|
changed_when: False
|
||||||
|
failed_when: False
|
||||||
|
check_mode: no
|
||||||
|
register: grep_allowgroups_ssh
|
||||||
|
|
||||||
|
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
line: "\nAllowGroups {{ evolinux_ssh_group }}"
|
||||||
|
insertafter: 'Subsystem'
|
||||||
|
validate: '/usr/sbin/sshd -T -f %s'
|
||||||
|
notify: reload sshd
|
||||||
|
when: grep_allowgroups_ssh.rc != 0
|
||||||
|
|
||||||
|
- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
|
||||||
|
replace:
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
|
||||||
|
replace: '\1 {{ evolinux_ssh_group }}'
|
||||||
|
validate: '/usr/sbin/sshd -T -f %s'
|
||||||
|
notify: reload sshd
|
||||||
|
when: grep_allowgroups_ssh.rc == 0
|
53
evolinux-users/tasks/ssh_allowusers.yml
Normal file
53
evolinux-users/tasks/ssh_allowusers.yml
Normal file
|
@ -0,0 +1,53 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
# this check must be repeated for each user
|
||||||
|
# even if it's been done before
|
||||||
|
- name: verify AllowUsers directive
|
||||||
|
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
||||||
|
changed_when: False
|
||||||
|
failed_when: False
|
||||||
|
check_mode: no
|
||||||
|
register: grep_allowusers_ssh
|
||||||
|
|
||||||
|
- name: "Add AllowUsers sshd directive with '{{ user.name }}'"
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
line: "\nAllowUsers {{ user.name }}"
|
||||||
|
insertafter: 'Subsystem'
|
||||||
|
validate: '/usr/sbin/sshd -T -f %s'
|
||||||
|
notify: reload sshd
|
||||||
|
when: grep_allowusers_ssh.rc != 0
|
||||||
|
|
||||||
|
- name: "Append '{{ user.name }}' to AllowUsers sshd directive"
|
||||||
|
replace:
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
|
||||||
|
replace: '\1 {{ user.name }}'
|
||||||
|
validate: '/usr/sbin/sshd -T -f %s'
|
||||||
|
notify: reload sshd
|
||||||
|
when: grep_allowusers_ssh.rc == 0
|
||||||
|
|
||||||
|
- name: "verify Match User directive"
|
||||||
|
command: "grep -E '^Match User' /etc/ssh/sshd_config"
|
||||||
|
changed_when: False
|
||||||
|
failed_when: False
|
||||||
|
check_mode: no
|
||||||
|
register: grep_matchuser_ssh
|
||||||
|
|
||||||
|
- name: "Add Match User sshd directive with '{{ user.name }}'"
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
|
||||||
|
insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
|
||||||
|
validate: '/usr/sbin/sshd -T -f %s'
|
||||||
|
notify: reload sshd
|
||||||
|
when: grep_matchuser_ssh.rc != 0
|
||||||
|
|
||||||
|
- name: "Append '{{ user.name }}' to Match User's sshd directive"
|
||||||
|
replace:
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
regexp: '^(Match User ((?!{{ user.name }}).)*)$'
|
||||||
|
replace: '\1,{{ user.name }}'
|
||||||
|
validate: '/usr/sbin/sshd -T -f %s'
|
||||||
|
notify: reload sshd
|
||||||
|
when: grep_matchuser_ssh.rc == 0
|
9
evolinux-users/tasks/sudo.yml
Normal file
9
evolinux-users/tasks/sudo.yml
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- include: sudo_jessie.yml
|
||||||
|
when: ansible_distribution_release == "jessie"
|
||||||
|
|
||||||
|
- include: sudo_stretch.yml
|
||||||
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
|
- meta: flush_handlers
|
|
@ -5,6 +5,7 @@
|
||||||
src: sudoers_stretch.j2
|
src: sudoers_stretch.j2
|
||||||
dest: /etc/sudoers.d/evolinux
|
dest: /etc/sudoers.d/evolinux
|
||||||
force: no
|
force: no
|
||||||
|
mode: "0440"
|
||||||
validate: '/usr/sbin/visudo -cf %s'
|
validate: '/usr/sbin/visudo -cf %s'
|
||||||
register: copy_sudoers_evolinux
|
register: copy_sudoers_evolinux
|
||||||
|
|
||||||
|
|
|
@ -1,15 +1,125 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- include: account.yml
|
# Unix account
|
||||||
|
|
||||||
- include: profile.yml
|
- name: "Test if '{{ user.name }}' exists"
|
||||||
|
command: 'getent passwd {{ user.name }}'
|
||||||
|
register: loginisbusy
|
||||||
|
failed_when: False
|
||||||
|
changed_when: False
|
||||||
|
check_mode: no
|
||||||
|
|
||||||
- include: ssh.yml
|
- name: "Test if uid exists for '{{ user.name }}'"
|
||||||
|
command: 'getent passwd {{ user.uid }}'
|
||||||
|
register: uidisbusy
|
||||||
|
failed_when: False
|
||||||
|
changed_when: False
|
||||||
|
check_mode: no
|
||||||
|
|
||||||
- include: sudo_jessie.yml
|
- name: "Unix account for '{{ user.name }}' is present (with uid '{{ user.uid }}')"
|
||||||
when: ansible_distribution_release == "jessie"
|
user:
|
||||||
|
state: present
|
||||||
|
uid: '{{ user.uid }}'
|
||||||
|
name: '{{ user.name }}'
|
||||||
|
comment: '{{ user.fullname }}'
|
||||||
|
shell: /bin/bash
|
||||||
|
password: '{{ user.password_hash }}'
|
||||||
|
update_password: on_create
|
||||||
|
when:
|
||||||
|
- loginisbusy.rc != 0
|
||||||
|
- uidisbusy.rc != 0
|
||||||
|
|
||||||
- include: sudo_stretch.yml
|
- name: "Unix account for '{{ user.name }}' is present (with random uid)"
|
||||||
|
user:
|
||||||
|
state: present
|
||||||
|
name: '{{ user.name }}'
|
||||||
|
comment: '{{ user.fullname }}'
|
||||||
|
shell: /bin/bash
|
||||||
|
password: '{{ user.password_hash }}'
|
||||||
|
update_password: on_create
|
||||||
|
when:
|
||||||
|
- loginisbusy.rc != 0
|
||||||
|
- uidisbusy.rc == 0
|
||||||
|
|
||||||
|
# Unix groups
|
||||||
|
|
||||||
|
- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 9 or later)"
|
||||||
|
group:
|
||||||
|
name: "{{ evolinux_ssh_group }}"
|
||||||
|
state: present
|
||||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
|
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 9 or later)"
|
||||||
|
user:
|
||||||
|
name: '{{ user.name }}'
|
||||||
|
groups: "{{ evolinux_ssh_group }}"
|
||||||
|
append: yes
|
||||||
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
|
- name: "Secondary Unix groups are present"
|
||||||
|
group:
|
||||||
|
name: "{{ group }}"
|
||||||
|
with_items: "{{ user.groups }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: group
|
||||||
|
when: user.groups is defined
|
||||||
|
|
||||||
|
- name: "Unix user '{{ user.name }}' belongs to secondary groups"
|
||||||
|
user:
|
||||||
|
name: '{{ user.name }}'
|
||||||
|
groups: "{{ user.groups }}"
|
||||||
|
append: yes
|
||||||
|
when: user.groups is defined
|
||||||
|
|
||||||
|
- name: "Home directory for '{{ user.name }}' is not accessible by group and other users"
|
||||||
|
file:
|
||||||
|
name: '/home/{{ user.name }}'
|
||||||
|
mode: "0700"
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
# Evomaintenance
|
||||||
|
|
||||||
|
- name: Search profile for presence of evomaintenance
|
||||||
|
command: 'grep -q "trap.*sudo.*evomaintenance.sh" /home/{{ user.name }}/.profile'
|
||||||
|
changed_when: False
|
||||||
|
failed_when: False
|
||||||
|
check_mode: no
|
||||||
|
register: grep_profile_evomaintenance
|
||||||
|
|
||||||
|
# Don't add the trap if it is present or commented
|
||||||
|
- name: "User '{{ user.name }}' has its shell trap for evomaintenance"
|
||||||
|
lineinfile:
|
||||||
|
state: present
|
||||||
|
dest: '/home/{{ user.name }}/.profile'
|
||||||
|
insertafter: EOF
|
||||||
|
line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
|
||||||
|
when: grep_profile_evomaintenance.rc != 0
|
||||||
|
|
||||||
|
# SSH keys
|
||||||
|
|
||||||
|
- name: "SSH directory for '{{ user.name }}' is present"
|
||||||
|
file:
|
||||||
|
dest: '/home/{{ user.name }}/.ssh/'
|
||||||
|
state: directory
|
||||||
|
mode: "0700"
|
||||||
|
owner: '{{ user.name }}'
|
||||||
|
group: '{{ user.name }}'
|
||||||
|
|
||||||
|
- name: "SSH public key for '{{ user.name }}' is present"
|
||||||
|
authorized_key:
|
||||||
|
user: "{{ user.name }}"
|
||||||
|
key: "{{ user.ssh_key }}"
|
||||||
|
state: present
|
||||||
|
when: user.ssh_key is defined
|
||||||
|
|
||||||
|
- name: "SSH public keys for '{{ user.name }}' are present"
|
||||||
|
authorized_key:
|
||||||
|
user: "{{ user.name }}"
|
||||||
|
key: "{{ ssk_key }}"
|
||||||
|
state: present
|
||||||
|
with_items: "{{ user.ssh_keys }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: ssk_key
|
||||||
|
when: user.ssh_keys is defined
|
||||||
|
|
||||||
- meta: flush_handlers
|
- meta: flush_handlers
|
||||||
|
|
Loading…
Reference in a new issue