evolinux-users: regroup tasks

1. create all accounts
2. configure sudo for everyone
3. configure ssh for everyone

evolinux-users/tasks/account.yml

@@ -1,57 +0,0 @@
----
-
-- name: "Test if '{{ user.name }}' exists"
-  command: 'getent passwd {{ user.name }}'
-  register: loginisbusy
-  failed_when: False
-  changed_when: False
-  check_mode: no
-
-- name: "Test if uid exists for '{{ user.name }}'"
-  command: 'getent passwd {{ user.uid }}'
-  register: uidisbusy
-  failed_when: False
-  changed_when: False
-  check_mode: no
-
-- name: "Add Unix account with classical uid for '{{ user.name }}'"
-  user:
-   state: present
-   uid: '{{ user.uid }}'
-   name: '{{ user.name }}'
-   comment: '{{ user.fullname }}'
-   shell: /bin/bash
-   password: '{{ user.password_hash }}'
-   update_password: on_create
-  when: loginisbusy.rc != 0 and uidisbusy.rc != 0
-
-- name: "Add Unix account with random uid for '{{ user.name }}'"
-  user:
-   state: present
-   name: '{{ user.name }}'
-   comment: '{{ user.fullname }}'
-   shell: /bin/bash
-   password: '{{ user.password_hash }}'
-   update_password: on_create
-  when: loginisbusy.rc != 0 and uidisbusy.rc == 0
-
-- name: "Create secondary groups"
-  group:
-    name: "{{ group }}"
-  with_items: "{{ user.groups }}"
-  loop_control:
-    loop_var: group
-  when: user.groups is defined
-
-- name: "Add user '{{ user.name }}' to secondary groups"
-  user:
-    name: '{{ user.name }}'
-    groups: "{{ user.groups }}"
-    append: yes
-  when: user.groups is defined
-
-- name: "Fix perms on home directory for '{{ user.name }}'"
-  file:
-   name: '/home/{{ user.name }}'
-   mode: "0700"
-   state: directory

evolinux-users/tasks/main.yml

@@ -16,5 +16,13 @@
   with_dict: "{{ evolinux_users }}"
   when: evolinux_users != {}
 
-- include: root_disable_ssh.yml
-  when: evolinux_root_disable_ssh
+- name: Configure sudo
+  include: sudo.yml
+  vars:
+    user: "{{ item.value }}"
+  with_dict: "{{ evolinux_users }}"
+  when: evolinux_users != {}
+
+- name: Configure SSH
+  include: ssh.yml
+  when: evolinux_users != {}

evolinux-users/tasks/profile.yml

@@ -1,18 +0,0 @@
----
-
-- name: search profile for presence of evomaintenance
-  command: 'grep -q "trap.*sudo.*evomaintenance.sh"'
-  changed_when: False
-  failed_when: False
-  check_mode: no
-  register: grep_profile_evomaintenance
-
-# Don't add the trap if it is present or commented
-- name: "Add evomaintenance trap for '{{ user.name }}'"
-  lineinfile:
-    state: present
-    dest: '/home/{{ user.name }}/.profile'
-    insertafter: EOF
-    line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
-    create: yes
-  when: grep_profile_evomaintenance.rc != 0

evolinux-users/tasks/root_disable_ssh.yml

@@ -1,17 +0,0 @@
----
-
-- name: disable root login
-  replace:
-    dest: /etc/ssh/sshd_config
-    regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
-    replace: "PermitRootLogin no"
-  notify: reload sshd
-
-### Disabled : it seems useless and too dangerous for now
-# - name: remove root from AllowUsers directive
-#   replace:
-#     dest: /etc/ssh/sshd_config
-#     regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
-#     replace: '\1\4'
-#     validate: '/usr/sbin/sshd -T -f %s'
-#   notify: reload sshd

evolinux-users/tasks/ssh.yml

@@ -1,30 +1,5 @@
 ---
 
-- name: "Create .ssh directory for '{{ user.name }}'"
-  file:
-    dest: '/home/{{ user.name }}/.ssh/'
-    state: directory
-    mode: "0700"
-    owner: '{{ user.name }}'
-    group: '{{ user.name }}'
-
-- name: "Add user's SSH public key for '{{ user.name }}'"
-  authorized_key:
-    user: "{{ user.name }}"
-    key: "{{ user.ssh_key }}"
-    state: present
-  when: user.ssh_key is defined
-
-- name: "Add user's SSH public keys for '{{ user.name }}'"
-  authorized_key:
-    user: "{{ user.name }}"
-    key: "{{ ssk_key }}"
-    state: present
-  with_items: "{{ user.ssh_keys }}"
-  loop_control:
-    loop_var: ssk_key
-  when: user.ssh_keys is defined
-
 - name: verify AllowGroups directive
   command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
   changed_when: False
@@ -32,18 +7,55 @@
   check_mode: no
   register: grep_allowgroups_ssh
 
+- debug:
+    var: grep_allowgroups_ssh
+    verbosity: 1
+
 - name: verify AllowUsers directive
-  shell: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
+  command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
   changed_when: False
   failed_when: False
   check_mode: no
   register: grep_allowusers_ssh
 
-# If AllowGroups is present or
-# if AllowUsers is absent and Debian 9+, use AllowGroups mode
-- include: ssh_allowgroups.yml
-  when: grep_allowgroups_ssh.rc == 0 or (grep_allowusers_ssh.rc != 0 and ansible_distribution_major_version | version_compare('9', '>='))
+- debug:
+    var: grep_allowusers_ssh
+    verbosity: 1
+
+- set_fact:
+    # If "AllowGroups is present" or "AllowUsers is absent and Debian 9+",
+    ssh_allowgroups: "{{ grep_allowgroups_ssh.rc == 0 or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('9', '>='))) }}"
+    # If "AllowGroups is absent"
+    ssh_allowusers: "{{ grep_allowgroups_ssh.rc != 0 }}"
+
+- debug:
+    var: ssh_allowgroups
+    verbosity: 1
+
+- debug:
+    var: ssh_allowusers
+    verbosity: 1
+
+- include: ssh_allowgroups.yml
+  when:
+  - ssh_allowgroups
+  - not ssh_allowusers
 
-# If AllowGroups is absent, use AllowUsers mode
 - include: ssh_allowusers.yml
-  when: grep_allowgroups_ssh.rc != 0
+  vars:
+    user: "{{ item.value }}"
+  with_dict: "{{ evolinux_users }}"
+  when:
+  - ssh_allowusers
+  - not ssh_allowgroups
+
+
+- name: disable root login
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
+    replace: "PermitRootLogin no"
+  notify: reload sshd
+  when: evolinux_root_disable_ssh
+
+- meta: flush_handlers

evolinux-users/tasks/ssh_allowgroups.yml

@@ -1,15 +1,13 @@
 ---
 
-- name: "Unix group '{{ evolinux_ssh_group }}' is present"
-  group:
-    name: "{{ evolinux_ssh_group }}"
-    state: present
-
-- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}'"
-  user:
-    name: '{{ user.name }}'
-    groups: "{{ evolinux_ssh_group }}"
-    append: yes
+# this check must be repeated for each user
+# even if it's been done before
+- name: verify AllowGroups directive
+  shell: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  register: grep_allowgroups_ssh
 
 - name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
   lineinfile:
@@ -24,42 +22,7 @@
   replace:
     dest: /etc/ssh/sshd_config
     regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
-    replace: '\1 {{ user.name }}'
+    replace: '\1 {{ evolinux_ssh_group }}'
     validate: '/usr/sbin/sshd -T -f %s'
   notify: reload sshd
   when: grep_allowgroups_ssh.rc == 0
-
-# - name: disable AllowUsers directive if present
-#   replace:
-#     dest: /etc/ssh/sshd_config
-#     regexp: '^(AllowUsers)'
-#     replace: '# \1'
-#     validate: '/usr/sbin/sshd -T -f %s'
-#   notify: reload sshd
-  
-- name: "verify Match Group directive"
-  command: "grep 'Match Group' /etc/ssh/sshd_config"
-  changed_when: False
-  failed_when: False
-  check_mode: no
-  register: grep_matchgroup_ssh
-
-- name: "Add Match Group sshd directive with '{{ evolinux_ssh_group }}'"
-  lineinfile:
-    dest: /etc/ssh/sshd_config
-    line: "\nMatch Group {{ evolinux_ssh_group }}\n    PasswordAuthentication no"
-    insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
-    validate: '/usr/sbin/sshd -T -f %s'
-  notify: reload sshd
-  when:
-    - grep_matchgroup_ssh.rc != 0
-
-- name: "Append '{{ evolinux_ssh_group }}' to Match Group's sshd directive"
-  replace:
-    dest: /etc/ssh/sshd_config
-    regexp: '^(Match Group ((?!{{ evolinux_ssh_group }}).)*)$'
-    replace: '\1,{{ evolinux_ssh_group }}'
-    validate: '/usr/sbin/sshd -T -f %s'
-  notify: reload sshd
-  when:
-    - grep_matchgroup_ssh.rc == 0

evolinux-users/tasks/ssh_allowusers.yml

@@ -1,5 +1,14 @@
 ---
 
+# this check must be repeated for each user
+# even if it's been done before
+- name: verify AllowUsers directive
+  shell: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  register: grep_allowusers_ssh
+
 - name: "Add AllowUsers sshd directive with '{{ user.name }}'"
   lineinfile:
     dest: /etc/ssh/sshd_config

evolinux-users/tasks/sudo.yml

@@ -0,0 +1,9 @@
+---
+
+- include: sudo_jessie.yml
+  when: ansible_distribution_release == "jessie"
+
+- include: sudo_stretch.yml
+  when: ansible_distribution_major_version | version_compare('9', '>=')
+
+- meta: flush_handlers

evolinux-users/tasks/user.yml

@@ -1,15 +1,119 @@
 ---
 
-- include: account.yml
+# Unix account
 
-- include: profile.yml
+- name: "Test if '{{ user.name }}' exists"
+  command: 'getent passwd {{ user.name }}'
+  register: loginisbusy
+  failed_when: False
+  changed_when: False
+  check_mode: no
 
-- include: ssh.yml
+- name: "Test if uid exists for '{{ user.name }}'"
+  command: 'getent passwd {{ user.uid }}'
+  register: uidisbusy
+  failed_when: False
+  changed_when: False
+  check_mode: no
 
-- include: sudo_jessie.yml
-  when: ansible_distribution_release == "jessie"
+- name: "Add Unix account with classical uid for '{{ user.name }}'"
+  user:
+   state: present
+   uid: '{{ user.uid }}'
+   name: '{{ user.name }}'
+   comment: '{{ user.fullname }}'
+   shell: /bin/bash
+   password: '{{ user.password_hash }}'
+   update_password: on_create
+  when: loginisbusy.rc != 0 and uidisbusy.rc != 0
 
-- include: sudo_stretch.yml
-  when: ansible_distribution_major_version | version_compare('9', '>=')
+- name: "Add Unix account with random uid for '{{ user.name }}'"
+  user:
+   state: present
+   name: '{{ user.name }}'
+   comment: '{{ user.fullname }}'
+   shell: /bin/bash
+   password: '{{ user.password_hash }}'
+   update_password: on_create
+  when: loginisbusy.rc != 0 and uidisbusy.rc == 0
+
+# Unix groups
+
+- name: "Unix group '{{ evolinux_ssh_group }}' is present"
+  group:
+    name: "{{ evolinux_ssh_group }}"
+    state: present
+
+- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}'"
+  user:
+    name: '{{ user.name }}'
+    groups: "{{ evolinux_ssh_group }}"
+    append: yes
+
+- name: "Create secondary groups"
+  group:
+    name: "{{ group }}"
+  with_items: "{{ user.groups }}"
+  loop_control:
+    loop_var: group
+  when: user.groups is defined
+
+- name: "Add user '{{ user.name }}' to secondary groups"
+  user:
+    name: '{{ user.name }}'
+    groups: "{{ user.groups }}"
+    append: yes
+  when: user.groups is defined
+
+- name: "Fix perms on home directory for '{{ user.name }}'"
+  file:
+   name: '/home/{{ user.name }}'
+   mode: "0700"
+   state: directory
+
+ # Evomaintenance
+
+- name: search profile for presence of evomaintenance
+  command: 'grep -q "trap.*sudo.*evomaintenance.sh"'
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  register: grep_profile_evomaintenance
+
+# Don't add the trap if it is present or commented
+- name: "Add evomaintenance trap for '{{ user.name }}'"
+  lineinfile:
+    state: present
+    dest: '/home/{{ user.name }}/.profile'
+    insertafter: EOF
+    line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
+  when: grep_profile_evomaintenance.rc != 0
+
+# SSH keys
+
+- name: "Create .ssh directory for '{{ user.name }}'"
+  file:
+    dest: '/home/{{ user.name }}/.ssh/'
+    state: directory
+    mode: "0700"
+    owner: '{{ user.name }}'
+    group: '{{ user.name }}'
+
+- name: "Add user's SSH public key for '{{ user.name }}'"
+  authorized_key:
+    user: "{{ user.name }}"
+    key: "{{ user.ssh_key }}"
+    state: present
+  when: user.ssh_key is defined
+
+- name: "Add user's SSH public keys for '{{ user.name }}'"
+  authorized_key:
+    user: "{{ user.name }}"
+    key: "{{ ssk_key }}"
+    state: present
+  with_items: "{{ user.ssh_keys }}"
+  loop_control:
+    loop_var: ssk_key
+  when: user.ssh_keys is defined
 
 - meta: flush_handlers