evolinux-users: add user to internal group if defined and Debian >= 9

5 years ago · c87e3ee576
parent 74ca43fe05
commit c87e3ee576
3 changed files with 30 additions and 1 deletions
--- a/evolinux-users/README.md
+++ b/evolinux-users/README.md
@ -34,4 +34,5 @@ evolinux_users:

 * `evolinux_sudo_group`: which group to use for sudo (default: `evolinux-sudo`)
 * `evolinux_ssh_group`: which group to use for ssh (default: `evolinux-ssh`)
+* `evolinux_internal_group`: which group to use for all created users (eg. the company name)
 * `evolinux_root_disable_ssh`: disable root's ssh access (default: `True`)
--- a/evolinux-users/defaults/main.yml
+++ b/evolinux-users/defaults/main.yml
@ -3,5 +3,6 @@ evolinux_users: {}

 evolinux_sudo_group: "evolinux-sudo"
 evolinux_ssh_group: "evolinux-ssh"
+evolinux_internal_group: ""

 evolinux_root_disable_ssh: True
--- a/evolinux-users/tasks/user.yml
+++ b/evolinux-users/tasks/user.yml
@ -43,6 +43,8 @@

 # Unix groups

+## Group for SSH authorizations
+
 - name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 or later)"
  group:
    name: "{{ evolinux_ssh_group }}"
@ -56,6 +58,29 @@
    append: yes
  when: ansible_distribution_major_version | version_compare('10', '>=')

+## Optional group for all evolinux users
+
+- name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 or later)"
+  group:
+    name: "{{ evolinux_internal_group }}"
+    state: present
+  when:
+    - evolinux_internal_group is defined
+    - evolinux_internal_group != ""
+    - ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 or later)"
+  user:
+    name: '{{ user.name }}'
+    groups: "{{ evolinux_internal_group }}"
+    append: yes
+  when:
+    - evolinux_internal_group is defined
+    - evolinux_internal_group != ""
+    - ansible_distribution_major_version | version_compare('9', '>=')
+
+## Optional secondary groups, defined per user
+
 - name: "Secondary Unix groups are present"
  group:
    name: "{{ group }}"
@ -71,6 +96,8 @@
    append: yes
  when: user.groups is defined

+# Permissions on home directory
+
 - name: "Home directory for '{{ user.name }}' is not accessible by group and other users"
  file:
   name: '/home/{{ user.name }}'
@ -86,7 +113,7 @@
  check_mode: no
  register: grep_profile_evomaintenance

-# Don't add the trap if it is present or commented
+## Don't add the trap if it is present or commented
 - name: "User '{{ user.name }}' has its shell trap for evomaintenance"
  lineinfile:
    state: present