ansible-roles/admin-users/tasks/adduser_debian.yml

141 lines
3.7 KiB
YAML

---
- name: Test if uid exists for '{{ user.name }}'
command: 'getent passwd {{ user.uid }}'
register: uidisbusy
failed_when: False
changed_when: False
check_mode: no
- name: Add Unix account with classical uid for '{{ user.name }}'
user:
state: present
uid: '{{ user.uid }}'
name: '{{ user.name }}'
comment: '{{ user.fullname }}'
shell: /bin/bash
password: '{{ user.password_hash }}'
update_password: on_create
when: uidisbusy|failed
- name: Add Unix account with random uid for '{{ user.name }}'
user:
state: present
name: '{{ user.name }}'
comment: '{{ user.fullname }}'
shell: /bin/bash
password: '{{ user.password_hash }}'
update_password: on_create
when: uidisbusy|success
- name: Fix perms on homedirectory for '{{ user.name }}'
file:
name: '/home/{{ user.name }}'
mode: "0700"
state: directory
- name: is evomaintenance installed?
stat:
path: "/usr/share/scripts/evomaintenance.sh"
register: evomaintenance_script
check_mode: no
- name: Add evomaintenance trap for '{{ user.name }}'
lineinfile:
state: present
dest: '/home/{{ user.name }}/.profile'
insertafter: EOF
line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
when: evomaintenance_script.stat.exists
- name: Create .ssh directory for '{{ user.name }}'
file:
dest: '/home/{{ user.name }}/.ssh/'
state: directory
mode: "0700"
owner: '{{ user.name }}'
group: '{{ user.name }}'
- name: Add user's SSH public key for '{{ user.name }}'
authorized_key:
user: "{{ user.name }}"
key: "{{ user.ssh_key }}"
state: present
- name: verify AllowUsers directive
command: "grep AllowUsers /etc/ssh/sshd_config"
changed_when: False
failed_when: False
register: grep_allowusers_ssh
check_mode: no
- name: Add AllowUsers sshd directive for '{{ user.name }}'
lineinfile:
dest: /etc/ssh/sshd_config
line: "\nAllowUsers {{ user.name }}"
insertafter: '^UsePAM'
validate: '/usr/sbin/sshd -T -f %s'
notify: reload sshd
when: grep_allowusers_ssh.rc != 0
- name: Modify AllowUsers sshd directive for '{{ user.name }}'
replace:
dest: /etc/ssh/sshd_config
regexp: '^(AllowUsers ((?!{{ user.name }}).)*)$'
replace: '\1 {{ user.name }}'
validate: '/usr/sbin/sshd -T -f %s'
notify: reload sshd
when: grep_allowusers_ssh.rc == 0
- name: verify Match User directive
command: "grep 'Match User' /etc/ssh/sshd_config"
changed_when: False
failed_when: False
register: grep_matchuser_ssh
check_mode: no
- name: Add Match User sshd directive for '{{ user.name }}'
lineinfile:
dest: /etc/ssh/sshd_config
line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
validate: '/usr/sbin/sshd -T -f %s'
notify: reload sshd
when: grep_matchuser_ssh.rc != 0
- name: Modify Match User's sshd directive for '{{ user.name }}'
replace:
dest: /etc/ssh/sshd_config
regexp: '^(Match User ((?!{{ user.name }}).)*)$'
replace: '\1,{{ user.name }}'
validate: '/usr/sbin/sshd -T -f %s'
notify: reload sshd
when: grep_matchuser_ssh.rc == 0
- name: Verify Evolinux sudoers file presence
template:
src: sudoers_debian.j2
dest: /etc/sudoers.d/evolinux
force: false
validate: '/usr/sbin/visudo -cf %s'
register: copy_sudoers_evolinux
- name: Verify Evolinux sudoers file permissions
file:
path: /etc/sudoers.d/evolinux
mode: "0440"
state: file
- name: Add user in sudoers file for '{{ user.name }}'
replace:
dest: /etc/sudoers.d/evolinux
regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$'
replace: '\1,{{ user.name }}'
validate: '/usr/sbin/visudo -cf %s'
when: not copy_sudoers_evolinux.changed
- meta: flush_handlers