You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
170 lines
4.4 KiB
170 lines
4.4 KiB
--- |
|
|
|
# Unix account |
|
|
|
- name: "Test if '{{ user.name }}' exists" |
|
command: 'getent passwd {{ user.name }}' |
|
register: loginisbusy |
|
failed_when: False |
|
changed_when: False |
|
check_mode: no |
|
|
|
- name: "Test if uid exists for '{{ user.name }}'" |
|
command: 'getent passwd {{ user.uid }}' |
|
register: uidisbusy |
|
failed_when: False |
|
changed_when: False |
|
check_mode: no |
|
|
|
- name: "Unix account for '{{ user.name }}' is present (with uid '{{ user.uid }}')" |
|
user: |
|
state: present |
|
uid: '{{ user.uid }}' |
|
name: '{{ user.name }}' |
|
comment: '{{ user.fullname }}' |
|
shell: /bin/bash |
|
password: '{{ user.password_hash }}' |
|
update_password: on_create |
|
when: |
|
- loginisbusy.rc != 0 |
|
- uidisbusy.rc != 0 |
|
|
|
- name: "Unix account for '{{ user.name }}' is present (with random uid)" |
|
user: |
|
state: present |
|
name: '{{ user.name }}' |
|
comment: '{{ user.fullname }}' |
|
shell: /bin/bash |
|
password: '{{ user.password_hash }}' |
|
update_password: on_create |
|
when: |
|
- loginisbusy.rc != 0 |
|
- uidisbusy.rc == 0 |
|
|
|
- name: Is /etc/aliases present? |
|
stat: |
|
path: /etc/aliases |
|
register: etc_aliases |
|
|
|
- name: Set mail alias |
|
lineinfile: |
|
state: present |
|
dest: /etc/aliases |
|
line: '{{ user.name }}: root' |
|
regexp: '^{{ user.name }}:' |
|
when: etc_aliases.stat.exists |
|
notify: "newaliases" |
|
|
|
# Unix groups |
|
|
|
## Group for SSH authorizations |
|
|
|
- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 or later)" |
|
group: |
|
name: "{{ evolinux_ssh_group }}" |
|
state: present |
|
when: ansible_distribution_major_version | version_compare('10', '>=') |
|
|
|
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 or later)" |
|
user: |
|
name: '{{ user.name }}' |
|
groups: "{{ evolinux_ssh_group }}" |
|
append: yes |
|
when: ansible_distribution_major_version | version_compare('10', '>=') |
|
|
|
## Optional group for all evolinux users |
|
|
|
- name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 or later)" |
|
group: |
|
name: "{{ evolinux_internal_group }}" |
|
state: present |
|
when: |
|
- evolinux_internal_group is defined |
|
- evolinux_internal_group != "" |
|
- ansible_distribution_major_version | version_compare('9', '>=') |
|
|
|
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 or later)" |
|
user: |
|
name: '{{ user.name }}' |
|
groups: "{{ evolinux_internal_group }}" |
|
append: yes |
|
when: |
|
- evolinux_internal_group is defined |
|
- evolinux_internal_group != "" |
|
- ansible_distribution_major_version | version_compare('9', '>=') |
|
|
|
## Optional secondary groups, defined per user |
|
|
|
- name: "Secondary Unix groups are present" |
|
group: |
|
name: "{{ group }}" |
|
with_items: "{{ user.groups }}" |
|
loop_control: |
|
loop_var: group |
|
when: |
|
- user.groups is defined |
|
- user.groups != [] |
|
|
|
- name: "Unix user '{{ user.name }}' belongs to secondary groups" |
|
user: |
|
name: '{{ user.name }}' |
|
groups: "{{ user.groups | join(',') }}" |
|
append: yes |
|
when: |
|
- user.groups is defined |
|
- user.groups != [] |
|
|
|
# Permissions on home directory |
|
|
|
- name: "Home directory for '{{ user.name }}' is not accessible by group and other users" |
|
file: |
|
name: '/home/{{ user.name }}' |
|
mode: "0700" |
|
state: directory |
|
|
|
# Evomaintenance |
|
|
|
- name: Search profile for presence of evomaintenance |
|
command: 'grep -q "trap.*sudo.*evomaintenance.sh" /home/{{ user.name }}/.profile' |
|
changed_when: False |
|
failed_when: False |
|
check_mode: no |
|
register: grep_profile_evomaintenance |
|
|
|
## Don't add the trap if it is present or commented |
|
- name: "User '{{ user.name }}' has its shell trap for evomaintenance" |
|
lineinfile: |
|
state: present |
|
dest: '/home/{{ user.name }}/.profile' |
|
insertafter: EOF |
|
line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0' |
|
when: grep_profile_evomaintenance.rc != 0 |
|
|
|
# SSH keys |
|
|
|
- name: "SSH directory for '{{ user.name }}' is present" |
|
file: |
|
dest: '/home/{{ user.name }}/.ssh/' |
|
state: directory |
|
mode: "0700" |
|
owner: '{{ user.name }}' |
|
group: '{{ user.name }}' |
|
|
|
- name: "SSH public key for '{{ user.name }}' is present" |
|
authorized_key: |
|
user: "{{ user.name }}" |
|
key: "{{ user.ssh_key }}" |
|
state: present |
|
when: user.ssh_key is defined |
|
|
|
- name: "SSH public keys for '{{ user.name }}' are present" |
|
authorized_key: |
|
user: "{{ user.name }}" |
|
key: "{{ ssk_key }}" |
|
state: present |
|
with_items: "{{ user.ssh_keys }}" |
|
loop_control: |
|
loop_var: ssk_key |
|
when: user.ssh_keys is defined |
|
|
|
- meta: flush_handlers
|
|
|