Ansible roles by Evolix
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

170 lines
4.4 KiB

---
# Unix account
- name: "Test if '{{ user.name }}' exists"
command: 'getent passwd {{ user.name }}'
register: loginisbusy
failed_when: False
changed_when: False
check_mode: no
- name: "Test if uid exists for '{{ user.name }}'"
command: 'getent passwd {{ user.uid }}'
register: uidisbusy
failed_when: False
changed_when: False
check_mode: no
- name: "Unix account for '{{ user.name }}' is present (with uid '{{ user.uid }}')"
user:
state: present
uid: '{{ user.uid }}'
name: '{{ user.name }}'
comment: '{{ user.fullname }}'
shell: /bin/bash
password: '{{ user.password_hash }}'
update_password: on_create
when:
- loginisbusy.rc != 0
- uidisbusy.rc != 0
- name: "Unix account for '{{ user.name }}' is present (with random uid)"
user:
state: present
name: '{{ user.name }}'
comment: '{{ user.fullname }}'
shell: /bin/bash
password: '{{ user.password_hash }}'
update_password: on_create
when:
- loginisbusy.rc != 0
- uidisbusy.rc == 0
- name: Is /etc/aliases present?
stat:
path: /etc/aliases
register: etc_aliases
- name: Set mail alias
lineinfile:
state: present
dest: /etc/aliases
line: '{{ user.name }}: root'
regexp: '^{{ user.name }}:'
when: etc_aliases.stat.exists
notify: "newaliases"
# Unix groups
## Group for SSH authorizations
- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 or later)"
group:
name: "{{ evolinux_ssh_group }}"
state: present
when: ansible_distribution_major_version | version_compare('10', '>=')
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 or later)"
user:
name: '{{ user.name }}'
groups: "{{ evolinux_ssh_group }}"
append: yes
when: ansible_distribution_major_version | version_compare('10', '>=')
## Optional group for all evolinux users
- name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 or later)"
group:
name: "{{ evolinux_internal_group }}"
state: present
when:
- evolinux_internal_group is defined
- evolinux_internal_group != ""
- ansible_distribution_major_version | version_compare('9', '>=')
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 or later)"
user:
name: '{{ user.name }}'
groups: "{{ evolinux_internal_group }}"
append: yes
when:
- evolinux_internal_group is defined
- evolinux_internal_group != ""
- ansible_distribution_major_version | version_compare('9', '>=')
## Optional secondary groups, defined per user
- name: "Secondary Unix groups are present"
group:
name: "{{ group }}"
with_items: "{{ user.groups }}"
loop_control:
loop_var: group
when:
- user.groups is defined
- user.groups != []
- name: "Unix user '{{ user.name }}' belongs to secondary groups"
user:
name: '{{ user.name }}'
groups: "{{ user.groups | join(',') }}"
append: yes
when:
- user.groups is defined
- user.groups != []
# Permissions on home directory
- name: "Home directory for '{{ user.name }}' is not accessible by group and other users"
file:
name: '/home/{{ user.name }}'
mode: "0700"
state: directory
# Evomaintenance
- name: Search profile for presence of evomaintenance
command: 'grep -q "trap.*sudo.*evomaintenance.sh" /home/{{ user.name }}/.profile'
changed_when: False
failed_when: False
check_mode: no
register: grep_profile_evomaintenance
## Don't add the trap if it is present or commented
- name: "User '{{ user.name }}' has its shell trap for evomaintenance"
lineinfile:
state: present
dest: '/home/{{ user.name }}/.profile'
insertafter: EOF
line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
when: grep_profile_evomaintenance.rc != 0
# SSH keys
- name: "SSH directory for '{{ user.name }}' is present"
file:
dest: '/home/{{ user.name }}/.ssh/'
state: directory
mode: "0700"
owner: '{{ user.name }}'
group: '{{ user.name }}'
- name: "SSH public key for '{{ user.name }}' is present"
authorized_key:
user: "{{ user.name }}"
key: "{{ user.ssh_key }}"
state: present
when: user.ssh_key is defined
- name: "SSH public keys for '{{ user.name }}' are present"
authorized_key:
user: "{{ user.name }}"
key: "{{ ssk_key }}"
state: present
with_items: "{{ user.ssh_keys }}"
loop_control:
loop_var: ssk_key
when: user.ssh_keys is defined
- meta: flush_handlers