diff --git a/evolinux-users/tasks/account.yml b/evolinux-users/tasks/account.yml
index 1ed142f9..45e095f7 100644
--- a/evolinux-users/tasks/account.yml
+++ b/evolinux-users/tasks/account.yml
@@ -1,57 +1,61 @@ --- - -- name: "Test if '{{ user.name }}' exists" - command: 'getent passwd {{ user.name }}' - register: loginisbusy - failed_when: False - changed_when: False - check_mode: no - -- name: "Test if uid exists for '{{ user.name }}'" - command: 'getent passwd {{ user.uid }}' - register: uidisbusy - failed_when: False - changed_when: False - check_mode: no - -- name: "Add Unix account with classical uid for '{{ user.name }}'" - user: - state: present - uid: '{{ user.uid }}' - name: '{{ user.name }}' - comment: '{{ user.fullname }}' - shell: /bin/bash - password: '{{ user.password_hash }}' - update_password: on_create - when: loginisbusy.rc != 0 and uidisbusy.rc != 0 - -- name: "Add Unix account with random uid for '{{ user.name }}'" - user: - state: present - name: '{{ user.name }}' - comment: '{{ user.fullname }}' - shell: /bin/bash - password: '{{ user.password_hash }}' - update_password: on_create - when: loginisbusy.rc != 0 and uidisbusy.rc == 0 - - name: "Create secondary groups" group: - name: "{{ group }}" - with_items: "{{ user.groups }}" - loop_control: - loop_var: group - when: user.groups is defined + name: "{{ item }}" + with_items: "{{ evolinux_users.values() | map(attribute='groups') | list | unique }}" -- name: "Add user '{{ user.name }}' to secondary groups" +#- name: "Test if '{{ user }}' exists" +# command: 'getent passwd {{ user }}' +# register: loginisbusy +# failed_when: False +# changed_when: False +# check_mode: no +# +#- name: "Test if uid exists for '{{ user }}'" +# command: 'getent passwd {{ user }}' +# register: uidisbusy +# failed_when: False +# changed_when: False +# check_mode: no +# +#- name: "Add Unix account with classical uid for '{{ user }}'" +# user: +# state: present +# uid: '{{ evolinux_users[user].value.uid }}' +# name: '{{ user.name }}' +# comment: '{{ user.fullname }}' +# shell: /bin/bash +# password: '{{ user.password_hash }}' +# update_password: on_create +# when: loginisbusy.rc != 0 and uidisbusy.rc != 0 +# 
+- name: "Add Unix account" user: - name: '{{ user.name }}' - groups: "{{ user.groups }}" - append: yes - when: user.groups is defined + state: present + uid: '{{ item.value.uid }}' + name: '{{ item.key }}' + groups: '{{ item.value.groups }}' + comment: '{{ item.value.fullname }}' + shell: /bin/bash + password: '{{ item.value.password_hash }}' + update_password: on_create + when: loginisbusy.rc != 0 and uidisbusy.rc == 0 + with_dict: "{{ evolinux_users }}" -- name: "Fix perms on home directory for '{{ user.name }}'" +- name: "Fix perms on home directory" file: - name: '/home/{{ user.name }}' - mode: "0700" - state: directory + name: "/home/{{ item }}" + state: directory + owner: "{{ item }}" + group: "{{ item }}" + mode: "0700" + with_items: "{{ evolinux_users | list }}" + +- name: "Add evomaintenance trap" + lineinfile: + state: present + dest: '/home/{{ item }}/.profile' + insertafter: EOF + regexp: "evomaintenance.sh" + line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0' + with_items: "{{ evolinux_users | list }}" diff --git a/evolinux-users/tasks/main.yml b/evolinux-users/tasks/main.yml index ec1400bd..2b8a9701 100644 --- a/evolinux-users/tasks/main.yml +++ b/evolinux-users/tasks/main.yml @@ -9,11 +9,18 @@ msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!" when: evolinux_users == {} -- name: Create user accounts - include: user.yml - vars: - user: "{{ item.value }}" - with_dict: "{{ evolinux_users }}" +- block: + - include: account.yml + + - include: ssh.yml + + - include: sudo_jessie.yml + when: ansible_distribution_release == "jessie" + + - include: sudo_stretch.yml + when: ansible_distribution_major_version | version_compare('9', '>=') + + - meta: flush_handlers when: evolinux_users != {} - include: root_disable_ssh.yml diff --git a/evolinux-users/tasks/profile.yml b/evolinux-users/tasks/profile.yml deleted file mode 100644 index 99af2512..00000000 --- a/evolinux-users/tasks/profile.yml +++ /dev/null 
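Review bot: The new "Add Unix account" task keeps `when: loginisbusy.rc != 0 and uidisbusy.rc == 0`, but the two `getent` tasks that registered `loginisbusy` and `uidisbusy` are now commented out, so the conditional references undefined variables and the task cannot run; that condition also selected the old random-uid branch, while this task passes `uid:`. Either restore the two checks or drop the `when:` line and let the `user` module reconcile an existing account. The same task sets `groups: '{{ item.value.groups }}'` without the `append: yes` the removed "Add user to secondary groups" task had, so a re-run would strip memberships added elsewhere (sudo_stretch.yml's `evolinux_sudo_group`), and both it and `map(attribute='groups')` in "Create secondary groups" most likely error on a user entry with no `groups` key; `groups: "{{ item.value.groups | default([]) }}"` together with `append: yes` covers both. The "Add evomaintenance trap" task's unanchored `regexp: "evomaintenance.sh"` also matches a commented-out trap line and rewrites it into an active one, so the "don't add if present or commented" guard the deleted profile.yml documented is gone; if that behaviour is still wanted, the grep pre-check has to come back.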
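Review bot: The new `block:` in main.yml has no `name:`, so nothing in the play output identifies the group of user-provisioning includes gated by `when: evolinux_users != {}`; `- name: "Provision evolinux users"` above `block:` would name it. The unchanged `- include: root_disable_ssh.yml` stays outside that gate: if that file disables root SSH login as its name suggests, a host with an empty `evolinux_users` is left with neither an admin account nor root login, which is worth confirming is intended rather than a lockout.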
@@ -1,16 +0,0 @@ ---- - -- name: search profile for presence of evomaintenance - command: 'grep -q "trap.*sudo.*evomaintenance.sh"' - changed_when: False - failed_when: False - register: grep_profile_evomaintenance - -# Don't add the trap if it is present or commented -- name: "Add evomaintenance trap for '{{ user.name }}'" - lineinfile: - state: present - dest: '/home/{{ user.name }}/.profile' - insertafter: EOF - line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0' - when: grep_profile_evomaintenance.rc != 0 diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index 8982dd6c..59bc0038 100644 --- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml @@ -1,30 +1,20 @@ --- - - -- name: "Create .ssh directory for '{{ user.name }}'" +- name: "Fix perms on ssh directory" file: - dest: '/home/{{ user.name }}/.ssh/' + name: "/home/{{ item }}/.ssh" state: directory + owner: "{{ item }}" + group: "{{ item }}" mode: "0700" - owner: '{{ user.name }}' - group: '{{ user.name }}' + with_items: "{{ evolinux_users | list }}" -- name: "Add user's SSH public key for '{{ user.name }}'" +- name: "Add user's SSH public key" authorized_key: - user: "{{ user.name }}" - key: "{{ user.ssh_key }}" + user: "{{ item.key }}" + key: "{{ item.value.ssh_key }}" state: present - when: user.ssh_key is defined - -- name: "Add user's SSH public keys for '{{ user.name }}'" - authorized_key: - user: "{{ user.name }}" - key: "{{ ssk_key }}" - state: present - with_items: "{{ user.ssh_keys }}" - loop_control: - loop_var: ssk_key - when: user.ssh_keys is defined + when: item.value.ssh_key is defined + with_dict: "{{ evolinux_users }}" # we must double-escape caracters, because python - name: verify AllowUsers directive 
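Review bot: The "Add user's SSH public key" task now handles only a single `ssh_key` per user; the removed task that looped over `user.ssh_keys` has no replacement, so a user entry defined with an `ssh_keys` list silently gets no key installed and, once the AllowUsers/Match User restrictions below apply, no way to log in. Either restore a second task that iterates each user's `ssh_keys` list (with `default([])` so entries without it are skipped), or state in the role's documentation that only `ssh_key` is supported.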
@@ -34,22 +24,23 @@ register: grep_allowusers_ssh check_mode: no -- name: "Add AllowUsers sshd directive for '{{ user.name }}'" +- name: "Add AllowUsers sshd directive" lineinfile: dest: /etc/ssh/sshd_config - line: "\nAllowUsers {{ user.name }}" + line: "\nAllowUsers {{ evolinux_users | list | join(' ') }}" insertafter: 'Subsystem' validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd when: grep_allowusers_ssh.rc != 0 -- name: "Modify AllowUsers sshd directive for '{{ user.name }}'" +- name: "Update AllowUsers sshd directive" replace: dest: /etc/ssh/sshd_config - regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$' - replace: '\1 {{ user.name }}' + regexp: '^(AllowUsers ((?!\b{{ item }}\b).)*)$' + replace: '\1 {{ item }}' validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd + with_items: "{{ evolinux_users | list }}" when: grep_allowusers_ssh.rc == 0 - name: "verify Match User directive" @@ -59,10 +50,10 @@ register: grep_matchuser_ssh check_mode: no -- name: "Add Match User sshd directive for '{{ user.name }}' (Jessie)" +- name: "Add Match User sshd directive (Jessie)" lineinfile: dest: /etc/ssh/sshd_config - line: "\nMatch User {{ user.name }}\n PasswordAuthentication no" + line: "\nMatch User {{ evolinux_users | list | join(',') }}\n PasswordAuthentication no" insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd 
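Review bot: Nothing documents why the new AllowUsers line uses `join(' ')` while the Match User line later in this file uses `join(',')`; both are correct for sshd, but a reader may "fix" one to match the other, so a comment above the "Add AllowUsers sshd directive" task such as `# sshd: AllowUsers takes space-separated patterns, Match User a comma-separated list` is worth adding. In the "Update AllowUsers sshd directive" task `item` is interpolated into `regexp:` unescaped; with conventional POSIX user names that is harmless, but if names may carry `.` or `+` they should go through `regex_escape` before being placed inside the lookahead.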
@@ -70,13 +61,14 @@ - ansible_distribution_release == "jessie" - grep_matchuser_ssh.rc != 0 -- name: "Modify Match User's sshd directive for '{{ user.name }}' (Jessie)" +- name: "Update Match User's sshd directive (Jessie)" replace: dest: /etc/ssh/sshd_config - regexp: '^(Match User ((?!{{ user.name }}).)*)$' - replace: '\1,{{ user.name }}' + regexp: '^(Match User ((?!{{ item }}).)*)$' + replace: '\1,{{ item }}' validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd + with_items: "{{ evolinux_users | list }}" when: - ansible_distribution_release == "jessie" - grep_matchuser_ssh.rc == 0 diff --git a/evolinux-users/tasks/sudo_jessie.yml b/evolinux-users/tasks/sudo_jessie.yml index f675954e..15ee2786 100644 --- a/evolinux-users/tasks/sudo_jessie.yml +++ b/evolinux-users/tasks/sudo_jessie.yml @@ -1,5 +1,4 @@ --- - - name: "Verify Evolinux sudoers file presence (jessie)" template: src: sudoers_jessie.j2 @@ -9,10 +8,11 @@ validate: '/usr/sbin/visudo -cf %s' register: copy_sudoers_evolinux -- name: "Add user in sudoers file for '{{ user.name }}' (jessie)" +- name: "Add user in sudoers file for '{{ item }}' (jessie)" replace: dest: /etc/sudoers.d/evolinux - regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$' - replace: '\1,{{ user.name }}' + regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ item }}).)*)$' + replace: '\1,{{ item }}' validate: '/usr/sbin/visudo -cf %s' when: not copy_sudoers_evolinux.changed + with_items: "{{ evolinux_users | list }}" diff --git a/evolinux-users/tasks/sudo_stretch.yml b/evolinux-users/tasks/sudo_stretch.yml index f77ae484..9473c0b5 100644 --- a/evolinux-users/tasks/sudo_stretch.yml +++ b/evolinux-users/tasks/sudo_stretch.yml @@ -1,5 +1,4 @@ --- - - name: "Verify Evolinux sudoers file presence (Debian 9 or later)" template: src: sudoers_stretch.j2 
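Review bot: The lookahead in `regexp: '^(Match User ((?!{{ item }}).)*)$'` has no word boundaries, unlike the AllowUsers regexp earlier in this file, so a user whose name is a substring of one already listed (`bob` when `bobby` is present) is treated as present and never appended, and because this Match block is what sets `PasswordAuthentication no`, that user keeps password login enabled. `regexp: '^(Match User ((?!\b{{ item }}\b).)*)$'` closes the gap and still matches inside the comma-separated list. The same pattern is in the sudo_jessie.yml hunk below (`User_Alias\s+ADMINS\s+=((?!{{ item }}).)*`), where the effect is the reverse, a user silently not getting sudo; the `\b` fix applies there too. This task's `when:` list continues outside the hunk.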
@@ -15,6 +14,7 @@ - name: "Add user to evolinux-sudo group (Debian 9 or later)" user: - name: '{{ user.name }}' + name: '{{ item }}' groups: "{{ evolinux_sudo_group }}" append: yes + with_items: "{{ evolinux_users | list }}" diff --git a/evolinux-users/tasks/user.yml b/evolinux-users/tasks/user.yml deleted file mode 100644 index 73fea728..00000000 --- a/evolinux-users/tasks/user.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- - -- include: account.yml - -- include: profile.yml - -- include: ssh.yml - -- include: sudo_jessie.yml - when: ansible_distribution_release == "jessie" - -- include: sudo_stretch.yml - when: ansible_distribution_major_version | version_compare('9', '>=') - -- meta: flush_handlers
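Review bot: The task name "Add user to evolinux-sudo group (Debian 9 or later)" no longer says which user it acts on, while the parallel task in sudo_jessie.yml was renamed to include `'{{ item }}'`; `with_items` prints each item in the result anyway, so either form works, but the two files should agree — `- name: "Add user '{{ item }}' to evolinux-sudo group (Debian 9 or later)"`.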