From 7f67fa4c600fc678e27b052f880d1c322aed61d1 Mon Sep 17 00:00:00 2001
From: "Vincent V.d Kussen"
Date: Tue, 7 Aug 2018 20:22:55 +0200
Subject: [PATCH 1/9] initial commit
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 README.md
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..d425545
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+https://github.com/stationgroup/ansible-experiments/issues/9
-- 
2.44.2
From 47ef7a7045a6495c1a4f5764f8c3127ccb4811a1 Mon Sep 17 00:00:00 2001
From: "Vincent V.d Kussen"
Date: Tue, 7 Aug 2018 21:23:08 +0200
Subject: [PATCH 2/9] initial work users role
---
 roles/users/tasks/main.yml | 8 ++++++++
 roles/users/vars/main.yml | 12 ++++++++++++
 site.yaml | 7 +++++++
 site.yml | 0
 4 files changed, 27 insertions(+)
 create mode 100644 roles/users/tasks/main.yml
 create mode 100644 roles/users/vars/main.yml
 create mode 100644 site.yaml
 create mode 100644 site.yml
diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml
new file mode 100644
index 0000000..a6e09a9
--- /dev/null
+++ b/roles/users/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Ensure groups exist
+ group:
+ name: "{{ item.name }}"
+ gid: "{{ item.gid | default(ommit) }}"
+ state: present
+ with_items: groups
+
diff --git a/roles/users/vars/main.yml b/roles/users/vars/main.yml
new file mode 100644
index 0000000..330de7c
--- /dev/null
+++ b/roles/users/vars/main.yml
@@ -0,0 +1,12 @@
+---
+groups:
+ -
+
+users:
+ - remember
+ - direct
+ - degree
+ - sand
+ - grief
+ - jam
+ - king
diff --git a/site.yaml b/site.yaml
new file mode 100644
index 0000000..413203b
--- /dev/null
+++ b/site.yaml
@@ -0,0 +1,7 @@
+---
+- name: Manage user configuration
+ hosts: all
+ remote_user: root
+ roles:
+ - users
+
diff --git a/site.yml b/site.yml
new file mode 100644
index 0000000..e69de29
-- 
2.44.2
From f12466dead8402628e11f84688efddd4c3596e0a Mon Sep 17 00:00:00 2001
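Review bot: `default(ommit)` on the `gid` line of the `Ensure groups exist` task is a typo — `ommit` is an undefined variable, not the `omit` placeholder, so a group without `gid` raises an undefined-variable error instead of skipping the parameter; it should read `gid: "{{ item.gid | default(omit) }}"`. `with_items: groups` also passes a bare name, and `groups` is Ansible's reserved inventory-groups variable, so the loop would most likely iterate inventory group names rather than the list in `roles/users/vars/main.yml`; a role-specific name such as `user_groups` (which the next patch in the series introduces) avoids the collision. `site.yaml` logs in with `remote_user: root`; an unprivileged login user plus `become` would let the targets keep root SSH login disabled.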
From: "Vincent V.d Kussen" Date: Mon, 13 Aug 2018 16:02:31 +0200 Subject: [PATCH 3/9] config users shell/ssh --- ansible.cfg | 16 +++++ hosts | 1 + roles/users/defaults/main.yml | 4 ++ roles/users/files/keys/remember/key1.pub | 1 + roles/users/files/keys/test/key2.pub | 1 + roles/users/tasks/main.yml | 10 +-- roles/users/tasks/set_facts.yml | 8 +++ roles/users/tasks/ssh_config.yml | 38 ++++++++++ roles/users/tasks/users.yml | 88 ++++++++++++++++++++++++ roles/users/templates/ssh.config.j2 | 6 ++ roles/users/vars/main.yml | 27 +++++--- site.yml | 0 12 files changed, 184 insertions(+), 16 deletions(-) create mode 100644 ansible.cfg create mode 100644 hosts create mode 100644 roles/users/defaults/main.yml create mode 100644 roles/users/files/keys/remember/key1.pub create mode 100644 roles/users/files/keys/test/key2.pub create mode 100644 roles/users/tasks/set_facts.yml create mode 100644 roles/users/tasks/ssh_config.yml create mode 100644 roles/users/tasks/users.yml create mode 100644 roles/users/templates/ssh.config.j2 delete mode 100644 site.yml diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 0000000..de6e4f8 --- /dev/null +++ b/ansible.cfg @@ -0,0 +1,16 @@ +[ssh_connection] + +[defaults] +retry_files_enabled = False +retry_files_save_path = /tmp/ +inventory=./hosts +host_key_checking=False +gathering = smart +#stdout_callback=skippy + +[privilege_escalation] +become=True +become_method=sudo +become_user=root +#become_ask_pass=False + diff --git a/hosts b/hosts new file mode 100644 index 0000000..3171e7a --- /dev/null +++ b/hosts @@ -0,0 +1 @@ +10.106.116.157 diff --git a/roles/users/defaults/main.yml b/roles/users/defaults/main.yml new file mode 100644 index 0000000..4389d95 --- /dev/null +++ b/roles/users/defaults/main.yml @@ -0,0 +1,4 @@ +default_freebsd_shell: "/bin/csh" +default_linux_shell: "/bin/bash" +default_shell_lines: + - SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh 
diff --git a/roles/users/files/keys/remember/key1.pub b/roles/users/files/keys/remember/key1.pub
new file mode 100644
index 0000000..3013f1a
--- /dev/null
+++ b/roles/users/files/keys/remember/key1.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMfztaQoo3Alf4Ie4ZrSEkhojOcKl8VRdoRiYb/7FL3IS/5IcSKcan/MGJlRht3ibwJBx9/CY8wZivHgNKCqtbZWGepfOtgWOqI4ROo4sELmRgV8PZUACjCSfaOkOdvCJEjhw3n+aI5jmK9IUA+mwdXkZj/NckNDZAQ+FRqwR6sX7svM4TF/zEI70JvO3xnDgCuC2PgiztVFfMqbWl33NgkG3kWkJ+JarF2pNsxO/+82s/hoC4P+dpZD1PHhJC7OxUiAHe5nwF7heQh9DUBQxJBhitn7C3XqlxEf7Kx3/kO9CUJVDaxS84UUnfUPc0u1iYpE+5ypqkDSyj3yQNpwXf
diff --git a/roles/users/files/keys/test/key2.pub b/roles/users/files/keys/test/key2.pub
new file mode 100644
index 0000000..88ca4dd
--- /dev/null
+++ b/roles/users/files/keys/test/key2.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMfztaQoo3Alf4Ie4ZrSEkhojOcKl8VRdoRiYb/7FL3IS/5IcSKcan/MGJlRht3ibwJBx9/CY8wZivHgNKCqtbZWGepfOtgWOqI4ROo4sELmRgV8PZUACjCSfaOkOdvCJEjhw3n+aI5jmK9IUA+mwdXkZj/NckNDZAQ+FRqwR6sX7svM4TF/zEI70JvO3xnDgCuC2PgiztVFfMqbWl33NgkG3kWkJ+JarF2pNsxO/+82s/hoC4P+dpZD1PHhJC7OxUiAHe5nwF7heQh9DUBQxJBhitn7C3XqlxEf7Kx3/kO9CUJVDaxS84UUnfUPc0u1iYpE+5ypqkDSyj3yQNpwXd
diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml
index a6e09a9..0904bb2 100644
--- a/roles/users/tasks/main.yml
+++ b/roles/users/tasks/main.yml
@@ -1,8 +1,4 @@
 ---
-- name: Ensure groups exist
- group:
- name: "{{ item.name }}"
- gid: "{{ item.gid | default(ommit) }}"
- state: present
- with_items: groups
-
+- include_tasks: set_facts.yml
+- include_tasks: users.yml
+- include_tasks: ssh_config.yml
diff --git a/roles/users/tasks/set_facts.yml b/roles/users/tasks/set_facts.yml
new file mode 100644
index 0000000..4124706
--- /dev/null
+++ b/roles/users/tasks/set_facts.yml
@@ -0,0 +1,8 @@
+- set_fact:
+ default_shell: "{{ default_freebsd_shell }}"
+ when: ansible_os_family == 'FreeBSD'
+
+- set_fact:
+ default_shell: "{{ default_linux_shell }}"
+ when: ansible_os_family == 'Debian'
+
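Review bot: `default_shell` is only set when `ansible_os_family` is `FreeBSD` or `Debian`; on any other family (RedHat, Suse, …) it stays undefined and the `shell: "{{ item.shell | default(default_shell) }}"` line in `users.yml` fails with an undefined-variable error. Gating the Linux branch on the kernel rather than one distribution family, `when: ansible_system == 'Linux'`, gives every Linux host a shell; the `when: ansible_os_family == 'Debian'` guards on the `.bashrc` tasks in `users.yml` have the same gap. A comment such as `# default_shell feeds the user module's shell parameter; it must be set for every OS the role supports` would make that contract explicit.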
diff --git a/roles/users/tasks/ssh_config.yml b/roles/users/tasks/ssh_config.yml
new file mode 100644
index 0000000..dbb9649
--- /dev/null
+++ b/roles/users/tasks/ssh_config.yml
@@ -0,0 +1,38 @@
+- name: Ensure .ssh folder is created
+ file:
+ path: "/home/{{item.name}}/.ssh"
+ state: directory
+ mode: 0600
+ with_items:
+ - "{{ users }}"
+
+- name: Check if user has ~/.ssh/config
+ stat:
+ path: "/home/{{ item.name }}/.ssh/config"
+ with_items: "{{ users }}"
+ register: sshconfig
+
+#- name: debug items
+# debug:
+# msg: "{{ item.item.name }} {{item.stat}}"
+# with_items:
+# - "{{ sshconfig.results }}"
+
+- name: Create ~/.ssh/config when absent
+ file:
+ path: "/home/{{ item.item.name }}/.ssh/config"
+ owner: "{{ item.item.name }}"
+ mode: 0600
+ state: touch
+ when: item.stat.exists == False
+ with_items:
+ - "{{ sshconfig.results }}"
+ no_log: True
+
+- name: Configure ~/.ssh/config
+ template:
+ src: ssh.config.j2
+ dest: "/home/{{ item.name }}/.ssh/config"
+ owner: "{{ item.name }}"
+ with_items:
+ - "{{ users }}"
diff --git a/roles/users/tasks/users.yml b/roles/users/tasks/users.yml
new file mode 100644
index 0000000..0ec6149
--- /dev/null
+++ b/roles/users/tasks/users.yml
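Review bot: `Ensure .ssh folder is created` sets `mode: 0600` on a directory, which lacks the execute bit, so the owning user cannot enter their own `~/.ssh`; and with `become=True`/`become_user=root` from the `ansible.cfg` in this same patch and no `owner`/`group` given, the directory is created root-owned. Use `mode: 0700` together with `owner: "{{ item.name }}"` and `group: "{{ item.name }}"`. `no_log: True` on `Create ~/.ssh/config when absent` suppresses the error output of a plain file touch that carries no secret, so it only makes failures harder to diagnose.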
@@ -0,0 +1,88 @@
+---
+- name: Ensure groups exist
+ group:
+ name: "{{ item.name }}"
+ gid: "{{ item.gid | default(omit) }}"
+ state: present
+ with_items: "{{ user_groups }}"
+
+- name: Ensure users exist
+ user:
+ name: "{{ item.name }}"
+ id: "{{ item.id | default(omit) }}"
+ groups: "{{ item.groups | default(omit) }}"
+ shell: "{{ item.shell | default(default_shell) }}"
+ state: present
+ no_log: True
+ with_items: "{{ users }}"
+
+- name: Configure authorized_keys
+ authorized_key:
+ user: "{{ item.0.name }}"
+ key: "{{ lookup('file', 'keys/' + item.0.name + '/' + item.1.file + '.pub') }}"
+ state: "{{ item.1.state | default(present) }}"
+ with_subelements:
+ - "{{ users }}"
+ - keys
+
+#- name: debug
+# debug:
+# msg: "{{ item.0 }} - {{ item.1 }}"
+# with_nested:
+# - "{{ users }}"
+# - "{{ users | map(attribute='shell_lines') | list }}"
+# when: ansible_os_family == 'Debian' and item.1 is defined
+
+- name: check vars
+ debug:
+ msg: "{{ item.0.name }} --- {{ item.1 }}"
+ with_subelements:
+ - "{{ users }}"
+ - shell_lines
+ - skip_missing: true
+ when: ansible_os_family == 'Debian'
+
+- name: Add Ansible comment in bashrc
+ lineinfile:
+ path: "/home/{{ item.name }}/.bashrc"
+ line: "## Ansible managed below this line ###########"
+ insertafter: EOF
+ state: present
+ with_items:
+ - "{{ users }}"
+ when: ansible_os_family == 'Debian'
+
+- name: Configure bashrc
+ lineinfile:
+ path: "/home/{{ item.0.name }}/.bashrc"
+ line: "{{ item.1.line }}"
+ insertafter: "^## Ansible managed below this line"
+ state: "{{ item.1.state }}"
+ with_subelements:
+ - "{{ users }}"
+ - shell_lines
+ - skip_missing: true
+ when: ansible_os_family == 'Debian'
+
+- name: Add Ansible comment in cshrc
+ lineinfile:
+ path: "/home/{{ item.0.name }}/.bashrc"
+ line: "## Ansible managed blow this line ###########"
+ insertafter: EOF
+ state: present
+ with_items:
+ - "{{ users }}"
+ when: ansible_os_family == 'FreeBSD'
+
+- name: Configure cshrc
+ lineinfile:
+ path: "/home/{{ 
item.0.name }}/.cshrc"
+ line: "{{ item.1.line }}"
+ insertafter: EOF
+ state: "{{ item.1.state }}"
+ with_subelements:
+ - "{{ users }}"
+ - shell_lines
+ - skip_missing: true
+ when: ansible_os_family == 'FreeBSD'
+
diff --git a/roles/users/templates/ssh.config.j2 b/roles/users/templates/ssh.config.j2
new file mode 100644
index 0000000..e770b37
--- /dev/null
+++ b/roles/users/templates/ssh.config.j2
@@ -0,0 +1,6 @@
+host blabla
+ hostname {{ ansible_hostname }}
+ User {{ item.name }}
+ RemoteForward /home/{{ item.name }}/.gnupg/S.gpg-agent $HOME/.gnupg/S.gpg-agent
+ RemoteForward /home/{{ item.name }}/.gnupg/S.gpg-agent.ssh $HOME/.gnupg/S.gpg-agent.ssh
+ ServerAliveInterval 10
diff --git a/roles/users/vars/main.yml b/roles/users/vars/main.yml
index 330de7c..f30fee5 100644
--- a/roles/users/vars/main.yml
+++ b/roles/users/vars/main.yml
@@ -1,12 +1,21 @@
 ---
-groups:
- -
+user_groups:
+ - name: remember
 
 users:
- - remember
- - direct
- - degree
- - sand
- - grief
- - jam
- - king
+ - name: remember
+ keys:
+ - file: key1
+ state: present
+ shell_lines:
+ - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh"
+ state: present
+ - line: "line2"
+ state: absent
+ - name: test
+ keys:
+ - file: key2
+ state: absent
+ # shell_lines:
+ # - "line1"
+ # - "line2"
diff --git a/site.yml b/site.yml
deleted file mode 100644
index e69de29..0000000
-- 
2.44.2
From a96d82d5ed4a4e8bb5f1556c0257c1e8bddaef90 Mon Sep 17 00:00:00 2001
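Review bot: In `Configure authorized_keys`, `default(present)` passes the bare name `present`, which is an undefined variable rather than the string `'present'`, so a key entry that omits `state` produces an undefined-variable error instead of defaulting; it should be `state: "{{ item.1.state | default('present') }}"`. `Add Ansible comment in cshrc` writes to `.bashrc` instead of `.cshrc` and reads `item.0.name` under a plain `with_items`, where `item` is the user mapping and has no `0` element. `Configure bashrc` and `Configure cshrc` use `state: "{{ item.1.state }}"` with no default, unlike the `keys` entries. The `ssh.config.j2` template in the next hunk hard-codes `host blabla`, so every user gets the same placeholder host stanza.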
From: "Vincent V.d Kussen" Date: Wed, 15 Aug 2018 20:35:23 +0200 Subject: [PATCH 4/9] ssh-config role / docs / updated user config --- README.md | 56 ++++++++++++++++++++++ ansible.cfg | 3 +- group_vars/all | 38 +++++++++++++++ hosts | 3 +- roles/ssh-config/defaults/main.yml | 0 roles/ssh-config/tasks/main.yml | 44 +++++++++++++++++ roles/users/tasks/ssh_config.yml | 73 ++++++++++++++++++----------- roles/users/tasks/users.yml | 64 +++++-------------------- roles/users/templates/ssh.config.j2 | 6 --- roles/users/vars/main.yml | 54 ++++++++++++--------- site.yaml | 1 + 11 files changed, 233 insertions(+), 109 deletions(-) create mode 100644 group_vars/all create mode 100644 roles/ssh-config/defaults/main.yml create mode 100644 roles/ssh-config/tasks/main.yml delete mode 100644 roles/users/templates/ssh.config.j2 diff --git a/README.md b/README.md index d425545..98b748c 100644 --- a/README.md +++ b/README.md @@ -1 +1,57 @@ +# Users +Ansible role to create/configure users on Linux/FreeBSD + +## Variables +| user_groups | +| --- | +| name | name of the group | +| gid | group ID | +| state | whether the group shoud be created or removed | +| users | + +## Default variables +The default shells depending on the OS are: + +- Linux: `/bin/bash` +- FreeBSD: `/bin/cshrc` + +This is defined in the `defaults` section of the **users roles** + + +## Example Playbook + +``` +user_groups: + - name: mygroup + gid: 700 + + +users: + - name: remember + state: present + password: "blabla" + groups: + - mygroup + uid: 1100 + keys: + - file: key1 + state: present + shell_lines: + - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh" + state: present + - line: "alias ls='ls lah'" + state: present + - name: test + keys: + - file: key2 + state: absent + shell_lines: + - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh" + state: absent +``` +## Using the Role +### Adding user + +### Configure users' shell + https://github.com/stationgroup/ansible-experiments/issues/9 
diff --git a/ansible.cfg b/ansible.cfg
index de6e4f8..83a7ce4 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -6,7 +6,8 @@ retry_files_save_path = /tmp/
 inventory=./hosts
 host_key_checking=False
 gathering = smart
-#stdout_callback=skippy
+#stdout_callback=unixy
+stdout_callback=debug
 
 [privilege_escalation]
 become=True
diff --git a/group_vars/all b/group_vars/all
new file mode 100644
index 0000000..cca3099
--- /dev/null
+++ b/group_vars/all
@@ -0,0 +1,38 @@
+---
+user_groups:
+ - name: mygroup
+ gid: 700
+ - name: mysecondgroup
+ gid: 702
+ state: absent
+
+
+users:
+ - name: remember
+ state: present
+ password: "blabla"
+ groups:
+ - mygroup
+ uid: 1100
+ keys:
+ - file: key1
+ state: present
+ shell_lines:
+ - line: "testline"
+ state: present
+ - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh"
+ state: present
+ - line: "alias ls='ls lah'"
+ state: present
+ ssh_config:
+ - ServerAliveInterval: 10
+ - name: test
+ keys:
+ - file: key2
+ state: absent
+ shell_lines:
+ - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh"
+ state: present
+# ssh_config:
+# - host: "{{ ansible_hostname }}"
+# hostname: "{{ ansible_hostname }}"
diff --git a/hosts b/hosts
index 3171e7a..0d9fc62 100644
--- a/hosts
+++ b/hosts
@@ -1 +1,2 @@
-10.106.116.157
+10.106.116.157 ssh_short_name=host1
+10.106.116.139 ssh_short_name=host2
diff --git a/roles/ssh-config/defaults/main.yml b/roles/ssh-config/defaults/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/ssh-config/tasks/main.yml b/roles/ssh-config/tasks/main.yml
new file mode 100644
index 0000000..0211c42
--- /dev/null
+++ b/roles/ssh-config/tasks/main.yml
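Review bot: `password: "blabla"` for user `remember` is a clear-text value in a committed `group_vars/all`; the `user` module's `password` parameter expects an already-hashed crypt string, so this literal is written to the shadow entry as-is and can never match, while the clear-text value now lives in version history. Generate the hash with the `password_hash` filter and keep the input secret in an Ansible Vault file or an external secret store instead of `group_vars/all`. The same example value is repeated in the `README.md` hunk of this patch and in the commented block in `roles/users/vars/main.yml`.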
@@ -0,0 +1,44 @@
+---
+- name: Check if user has ~/.ssh/config
+ stat:
+ path: "/home/{{ item.name }}/.ssh/config"
+ with_items: "{{ users }}"
+ register: sshconfig
+
+
+- name: Create ~/.ssh/config when absent
+ file:
+ path: "/home/{{ item.item.name }}/.ssh/config"
+ owner: "{{ item.item.name }}"
+ group: "{{ item.item.name }}"
+ mode: 0600
+ state: touch
+ when: item.stat.exists == False
+ with_items:
+ - "{{ sshconfig.results }}"
+ no_log: True
+
+
+- name: Configure ~/.ssh/config
+ blockinfile:
+ path: "/home/{{ item.0.name }}/.ssh/config"
+ owner: "{{ item.0.name }}"
+ group: "{{ item.0.name }}"
+ mode: 0600
+ marker: "# {mark} ANSIBLE MANAGED BLOCK"
+ content: |
+ {% for host in groups['all'] -%}
+ Host {{ hostvars[host]['ssh_short_name'] }}
+ Hostname {{ hostvars[host]['inventory_hostname'] }}
+ RemoteForward /home/{{ item.0.name }}/.gnupg/S.gpg-agent $HOME/.gnupg/S.gpg-agent
+ RemoteForward /home/{{ item.0.name }}/.gnupg/S.gpg-agent.ssh $HOME/.gnupg/S.gpg-agent.ssh
+ {% for k,v in item.1.items() %}
+ {% if k|lower != "host" and k|lower != "hostname" %}
+ {{k}} {{v}}
+ {% endif %}
+ {% endfor %}
+ {% endfor %}
+ with_subelements:
+ - "{{ users }}"
+ - ssh_config
+ - skip_missing: true
diff --git a/roles/users/tasks/ssh_config.yml b/roles/users/tasks/ssh_config.yml
index dbb9649..78d6c85 100644
--- a/roles/users/tasks/ssh_config.yml
+++ b/roles/users/tasks/ssh_config.yml
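Review bot: The `content` block in `Configure ~/.ssh/config` reads `hostvars[host]['ssh_short_name']` for every host in `groups['all']`, so a single inventory host without that variable makes the task fail for every user; default it, e.g. `Host {{ hostvars[host]['ssh_short_name'] | default(host) }}`. The role also iterates every entry of `users` regardless of its `state`, and `Create ~/.ssh/config when absent` sets `owner: "{{ item.item.name }}"`, which cannot succeed for an account the users role has removed; guard with `when: not item.stat.exists and item.item.state | default('present') == 'present'`. `no_log: True` on that file-touch task hides the error message without protecting any secret. The generated block forwards the local gpg-agent sockets (`RemoteForward … S.gpg-agent`) to every inventory host, which lets each remote host use the local agent for as long as a session is open; the role README documents these lines as defaults but not what access they grant, and a sentence there would help users decide whether they want that on every host.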
@@ -2,37 +2,56 @@
 file:
 path: "/home/{{item.name}}/.ssh"
 state: directory
- mode: 0600
+ mode: 0700
+ owner: "{{ item.name }}"
+ group: "{{ item.name }}"
 with_items:
 - "{{ users }}"
 
-- name: Check if user has ~/.ssh/config
- stat:
- path: "/home/{{ item.name }}/.ssh/config"
- with_items: "{{ users }}"
- register: sshconfig
 
-#- name: debug items
-# debug:
-# msg: "{{ item.item.name }} {{item.stat}}"
+- name: Configure authorized_keys
+ authorized_key:
+ user: "{{ item.0.name }}"
+ key: "{{ lookup('file', 'keys/' + item.0.name + '/' + item.1.file + '.pub') }}"
+ state: "{{ item.1.state | default('present') }}"
+ with_subelements:
+ - "{{ users }}"
+ - keys
+
+
+#- name: Check if user has ~/.ssh/config
+# stat:
+# path: "/home/{{ item.name }}/.ssh/config"
+# with_items: "{{ users }}"
+# register: sshconfig
+#
+#
+#- name: Create ~/.ssh/config when absent
+# file:
+# path: "/home/{{ item.item.name }}/.ssh/config"
+# owner: "{{ item.item.name }}"
+# group: "{{ item.item.name }}"
+# mode: 0600
+# state: touch
+# when: item.stat.exists == False
 # with_items:
 # - "{{ sshconfig.results }}"
+# no_log: True
+#
+#- name: Configure ~/.ssh/config
+# blockinfile:
+# path: "/home/{{ item.name }}/.ssh/config"
+# owner: "{{ item.name }}"
+# group: "{{ item.name }}"
+# mode: 0600
+# marker: "# {mark} ANSIBLE MANAGED BLOCK"
+# content: |
+# host {{ ansible_hostname }}
+# hostname {{ ansible_hostname }}
+# User {{ item.name }}
+# RemoteForward /home/{{ item.name }}/.gnupg/S.gpg-agent $HOME/.gnupg/S.gpg-agent
+# RemoteForward /home/{{ item.name }}/.gnupg/S.gpg-agent.ssh $HOME/.gnupg/S.gpg-agent.ssh
+# ServerAliveInterval 10
+# with_items:
+# - "{{ users }}"
 
-- name: Create ~/.ssh/config when absent
- file:
- path: "/home/{{ item.item.name }}/.ssh/config"
- owner: "{{ item.item.name }}"
- mode: 0600
- state: touch
- when: item.stat.exists == False
- with_items:
- - "{{ sshconfig.results }}"
- no_log: True
-
-- name: Configure ~/.ssh/config
- template:
- src: ssh.config.j2
- dest: 
"/home/{{ item.name }}/.ssh/config" - owner: "{{ item.name }}" - with_items: - - "{{ users }}" diff --git a/roles/users/tasks/users.yml b/roles/users/tasks/users.yml index 0ec6149..c1ae595 100644 --- a/roles/users/tasks/users.yml +++ b/roles/users/tasks/users.yml 
@@ -3,83 +3,41 @@
 group:
 name: "{{ item.name }}"
 gid: "{{ item.gid | default(omit) }}"
- state: present
+ state: "{{ item.state | default('present') }}"
 with_items: "{{ user_groups }}"
 
+
 - name: Ensure users exist
 user:
 name: "{{ item.name }}"
- id: "{{ item.id | default(omit) }}"
+ state: "{{ item.state | default('present') }}"
+ password: "{{ item.password | default(omit) }}"
 groups: "{{ item.groups | default(omit) }}"
+ uid: "{{ item.uid | default(omit) }}"
 shell: "{{ item.shell | default(default_shell) }}"
- state: present
- no_log: True
+ append: yes
+ #no_log: True
 with_items: "{{ users }}"
 
-- name: Configure authorized_keys
- authorized_key:
- user: "{{ item.0.name }}"
- key: "{{ lookup('file', 'keys/' + item.0.name + '/' + item.1.file + '.pub') }}"
- state: "{{ item.1.state | default(present) }}"
- with_subelements:
- - "{{ users }}"
- - keys
-
-#- name: debug
-# debug:
-# msg: "{{ item.0 }} - {{ item.1 }}"
-# with_nested:
-# - "{{ users }}"
-# - "{{ users | map(attribute='shell_lines') | list }}"
-# when: ansible_os_family == 'Debian' and item.1 is defined
-
-- name: check vars
- debug:
- msg: "{{ item.0.name }} --- {{ item.1 }}"
- with_subelements:
- - "{{ users }}"
- - shell_lines
- - skip_missing: true
- when: ansible_os_family == 'Debian'
-
-- name: Add Ansible comment in bashrc
- lineinfile:
- path: "/home/{{ item.name }}/.bashrc"
- line: "## Ansible managed below this line ###########"
- insertafter: EOF
- state: present
- with_items:
- - "{{ users }}"
- when: ansible_os_family == 'Debian'
 
 - name: Configure bashrc
 lineinfile:
 path: "/home/{{ item.0.name }}/.bashrc"
 line: "{{ item.1.line }}"
- insertafter: "^## Ansible managed below this line"
- state: "{{ item.1.state }}"
+ state: "{{ item.1.state | default('present') }}"
+ backup: yes
 with_subelements:
 - "{{ users }}"
 - shell_lines
 - skip_missing: true
 when: ansible_os_family == 'Debian'
-
-- name: Add Ansible comment in cshrc
- lineinfile:
- path: "/home/{{ item.0.name }}/.bashrc"
- line: "## 
Ansible managed blow this line ###########"
- insertafter: EOF
- state: present
- with_items:
- - "{{ users }}"
- when: ansible_os_family == 'FreeBSD'
+
 
 - name: Configure cshrc
 lineinfile:
 path: "/home/{{ item.0.name }}/.cshrc"
 line: "{{ item.1.line }}"
- insertafter: EOF
- state: "{{ item.1.state }}"
+ state: "{{ item.1.state | default('present')}}"
 with_subelements:
 - "{{ users }}"
 - shell_lines
diff --git a/roles/users/templates/ssh.config.j2 b/roles/users/templates/ssh.config.j2
deleted file mode 100644
index e770b37..0000000
--- a/roles/users/templates/ssh.config.j2
+++ /dev/null
@@ -1,6 +0,0 @@
-host blabla
- hostname {{ ansible_hostname }}
- User {{ item.name }}
- RemoteForward /home/{{ item.name }}/.gnupg/S.gpg-agent $HOME/.gnupg/S.gpg-agent
- RemoteForward /home/{{ item.name }}/.gnupg/S.gpg-agent.ssh $HOME/.gnupg/S.gpg-agent.ssh
- ServerAliveInterval 10
diff --git a/roles/users/vars/main.yml b/roles/users/vars/main.yml
index f30fee5..ce6a2f4 100644
--- a/roles/users/vars/main.yml
+++ b/roles/users/vars/main.yml
@@ -1,21 +1,33 @@
----
-user_groups:
- - name: remember
-
-users:
- - name: remember
- keys:
- - file: key1
- state: present
- shell_lines:
- - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh"
- state: present
- - line: "line2"
- state: absent
- - name: test
- keys:
- - file: key2
- state: absent
- # shell_lines:
- # - "line1"
- # - "line2"
+#---
+#user_groups:
+# - name: mygroup
+# gid: 700
+# - name: mysecondgroup
+# gid: 702
+# state: absent
+#
+#
+#users:
+# - name: remember
+# state: present
+# password: "blabla"
+# groups:
+# - mygroup
+# uid: 1100
+# keys:
+# - file: key1
+# state: present
+# shell_lines:
+# - line: "testline"
+# state: present
+# - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh"
+# state: present
+# - line: "alias ls='ls lah'"
+# state: present
+# - name: test
+# keys:
+# - file: key2
+# state: absent
+# shell_lines:
+# - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh"
+# state: present
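Review bot: `#no_log: True` is commented out in the same hunk that adds `password: "{{ item.password | default(omit) }}"` to the `user` task, so the password value (hashed, or plain as in `group_vars/all`) is printed in task output and in any logging callback; keep `no_log: true` on this task and debug elsewhere. `append: yes` and `backup: yes` are YAML 1.1 truthy spellings — prefer `true`. `Configure cshrc` gained a `default('present')` but, unlike `Configure bashrc`, no `backup`; both tasks edit the same kind of file with `lineinfile` and should agree. The `Configure cshrc` task's last lines lie outside this hunk.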
diff --git a/site.yaml b/site.yaml
index 413203b..dfc1b26 100644
--- a/site.yaml
+++ b/site.yaml
@@ -4,4 +4,5 @@
 remote_user: root
 roles:
 - users
+ - ssh-config
 
-- 
2.44.2
From 935d660a1d73f5e3bfb48bcf85f4907b2338616a Mon Sep 17 00:00:00 2001
From: "Vincent V.d Kussen"
Date: Wed, 15 Aug 2018 20:37:02 +0200
Subject: [PATCH 5/9] markdown column
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 98b748c..f70f7f5 100644
--- a/README.md
+++ b/README.md
@@ -2,8 +2,8 @@
 Ansible role to create/configure users on Linux/FreeBSD
 
 ## Variables
-| user_groups |
-| --- |
+| user_groups | |
+| --- |---|
 | name | name of the group |
 | gid | group ID |
 | state | whether the group shoud be created or removed |
-- 
2.44.2
From c1ab857680f705bcebf9ecf36d69c3f5d802a2eb Mon Sep 17 00:00:00 2001
From: "Vincent V.d Kussen"
Date: Fri, 17 Aug 2018 20:37:45 +0200
Subject: [PATCH 6/9] add docs
---
 README.md | 60 ++------------------
 group_vars/all | 3 -
 roles/ssh-config/README.md | 89 +++++++++++++++++++++++++++++
 roles/users/README.md | 109 ++++++++++++++++++++++++++++++++++++
 roles/users/tasks/users.yml | 2 +-
 5 files changed, 205 insertions(+), 58 deletions(-)
 create mode 100644 roles/ssh-config/README.md
 create mode 100644 roles/users/README.md
diff --git a/README.md b/README.md
index f70f7f5..a791366 100644
--- a/README.md
+++ b/README.md
@@ -1,57 +1,9 @@ -# Users -Ansible role to create/configure users on Linux/FreeBSD +# Users and ssh-configAnsible roles +This repo contains 2 roles: -## Variables -| user_groups | | -| --- |---| -| name | name of the group | -| gid | group ID | -| state | whether the group shoud be created or removed | -| users | +- **users**: Add users and configure `.bashrc` and `authorized_keys` +- **ssh-config**: Configures a user's `~/.ssh/config` -## Default variables -The default shells depending on the OS are: +Both roles make use of the same _users_ variable and are created to give users the freedom to add their own configuration outside of Ansible. -- Linux: `/bin/bash` -- FreeBSD: `/bin/cshrc` - -This is defined in the `defaults` section of the **users roles** - - -## Example Playbook - -``` -user_groups: - - name: mygroup - gid: 700 - - -users: - - name: remember - state: present - password: "blabla" - groups: - - mygroup - uid: 1100 - keys: - - file: key1 - state: present - shell_lines: - - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh" - state: present - - line: "alias ls='ls lah'" - state: present - - name: test - keys: - - file: key2 - state: absent - shell_lines: - - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh" - state: absent -``` -## Using the Role -### Adding user - -### Configure users' shell - -https://github.com/stationgroup/ansible-experiments/issues/9 +Detailed configuration can be found in the README files inside the role's folders. diff --git a/group_vars/all b/group_vars/all index cca3099..3271db4 100644 --- a/group_vars/all +++ b/group_vars/all @@ -33,6 +33,3 @@ users: shell_lines: - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh" state: present -# ssh_config: -# - host: "{{ ansible_hostname }}" -# hostname: "{{ ansible_hostname }}" diff --git a/roles/ssh-config/README.md b/roles/ssh-config/README.md new file mode 100644 index 0000000..d071612 --- /dev/null +++ b/roles/ssh-config/README.md 
@@ -0,0 +1,89 @@ +# ssh-config +Ansible role to configure a user's `~/.ssh/config` file. This will add a +configuration in the ssh config file for each host in the inventory. + +**NOTE: this role works in conjunction with the _users_ variable** + +## Variables + +| _variable name_ | Description | +| ---: |--- | +| ssh_short_name | host identifier name in the ssh config.
This should be added to the _host variables_ | +| ssh_config | name of the key in the *users* variable. Contains a list of +key/value items| + +## Example: + +**Host inventory** +``` +10.106.116.157 ssh_short_name=host1 +10.106.116.139 ssh_short_name=host2 +``` + +**Variables** +populate the *ssh_config* key. +``` +users: + - name: remember + state: present + password: "blabla" + groups: + - mygroup + uid: 1100 + keys: + - file: key1 + state: present + shell_lines: + - line: "testline" + state: present + - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh" + state: present + - line: "alias ls='ls lah'" + state: present + ssh_config: + - ServerAliveInterval: 10 +``` + +**Result:** +``` +# BEGIN ANSIBLE MANAGED BLOCK +Host host1 + Hostname 10.106.116.157 + RemoteForward /home/remember/.gnupg/S.gpg-agent $HOME/.gnupg/S.gpg-agent + RemoteForward /home/remember/.gnupg/S.gpg-agent.ssh $HOME/.gnupg/S.gpg-agent.ssh + ServerAliveInterval 10 +Host host2 + Hostname 10.106.116.139 + RemoteForward /home/remember/.gnupg/S.gpg-agent $HOME/.gnupg/S.gpg-agent + RemoteForward /home/remember/.gnupg/S.gpg-agent.ssh $HOME/.gnupg/S.gpg-agent.ssh + ServerAliveInterval 10 +# END ANSIBLE MANAGED BLOCK + +``` + +**Break down** + +The host identifier is populated with the `ssh_short_name` host variable. +``` +Host host1 +``` + +The `Hostname` is populated with the `inventory_hostname` variable +``` +Hostname 10.106.116.139 +``` + +These lines are added by default: +``` +RemoteForward /home/remember/.gnupg/S.gpg-agent $HOME/.gnupg/S.gpg-agent +RemoteForward /home/remember/.gnupg/S.gpg-agent.ssh $HOME/.gnupg/S.gpg-agent.ssh +``` + +Everything below this is populated with the key/values defined in the +`ssh_config` list of the `users` variable + +``` +ServerAliveInterval 10 +``` + + diff --git a/roles/users/README.md b/roles/users/README.md new file mode 100644 index 0000000..48ddc36 --- /dev/null +++ b/roles/users/README.md 
@@ -0,0 +1,109 @@ +# Users +Ansible roles to create/configure users on Linux/FreeBSD. + +## Variables +| user_groups | | | +| ---: |--- |--- | +| name | name of the group | Data type | +| gid | Optionally set the group ID | int | +| state | whether the group shoud be created or removed | present/absent | + + +| users | | | +| ---: |---| ---| +| _variable name_ | Description | Data type | +| name | username | string | +| state | whether the user should be created or removed | present/absent | +| password | string of an encrypted value(1) | string | +| groups | additional groups the user should belong to | list | +| uid | optionally specify a user id | int | +| keys | list of dictionaries | list | +| shell_lines | list of dictionaries | list | + +(1) https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-crypted-passwords-for-the-user-module +## Default variables +The default shells depending on the OS are: + +- Linux: `/bin/bash` +- FreeBSD: `/bin/cshrc` + +This is defined in the `defaults` section of the **users** role + + +## Example inventory +``` +user_groups: + - name: mygroup + gid: 700 + + +users: + - name: remember + state: present + password: "blabla" + groups: + - mygroup + uid: 1100 + keys: + - file: key1 + state: present + shell_lines: + - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh" + state: present + - line: "alias ls='ls lah'" + state: present + - name: test + keys: + - file: key2 + state: absent + shell_lines: + - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh" + state: absent +``` +## Using the Role +### Example Playbook +``` +--- +- name: Manage user configuration + hosts: all + remote_user: root + roles: + - users +``` +### Configure a user's ssh keys +For every user a directory matching the username should be created under the _keys_ folder in the role's _files_ folder. In this folder the user's ssh keys can be stored. 
+ +``` +├── files +│   └── keys +│   ├── remember +│   │   └── key1.pub +│   └── test +│   └── key2.pub +``` +The name of the file holding the key should match the name in the _users_ variable + +``` + keys: + - file: key1 + state: present +``` + +### Configure a user's shell +This role allows you to add or remove lines to a user's `.bashrc` or `cshrc` file. Since this is not based on a template that overwrites the complete file, users can still add their own configuration too. + +Add items to the **shell_lines** key in the **users** variable. Each item exists of a _line_ and _state_ key. + +Example: +``` +shell_lines: + - line: "testline" + state: absent + - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh" + state: present + - line: "alias ls='ls lah'" + state: present +``` + + + diff --git a/roles/users/tasks/users.yml b/roles/users/tasks/users.yml index c1ae595..f2254b8 100644 --- a/roles/users/tasks/users.yml +++ b/roles/users/tasks/users.yml @@ -16,7 +16,7 @@ uid: "{{ item.uid | default(omit) }}" shell: "{{ item.shell | default(default_shell) }}" append: yes - #no_log: True + no_log: True with_items: "{{ users }}" -- 2.44.2 From caa1e1fa651756370190ae7bd1215191badc8b21 Mon Sep 17 00:00:00 2001 From: "Vincent V.d Kussen" Date: Sat, 18 Aug 2018 10:13:25 +0200 Subject: [PATCH 7/9] testing with FreeBSD on ec2 --- hosts | 5 +++-- roles/users/tasks/ssh_config.yml | 37 -------------------------------- roles/users/tasks/users.yml | 2 +- site.yaml | 2 +- 4 files changed, 5 insertions(+), 41 deletions(-) diff --git a/hosts b/hosts index 0d9fc62..17d4bc8 100644 --- a/hosts +++ b/hosts @@ -1,2 +1,3 @@ -10.106.116.157 ssh_short_name=host1 -10.106.116.139 ssh_short_name=host2 +10.106.116.157 ssh_short_name=host1 ansible_user=root +10.106.116.139 ssh_short_name=host2 ansible_user=root +34.242.108.38 ssh_short_name=freebsd1 ansible_user=ec2-user ansible_python_interpreter=/usr/local/bin/python2.7 
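Review bot: Both existing hosts now get `ansible_user=root`, i.e. direct root SSH logins, while `ansible.cfg` already sets `become=True`/`become_user=root`; connecting as an unprivileged user and escalating, as the new FreeBSD entry does with `ansible_user=ec2-user`, lets the targets keep root SSH login disabled and attributes changes to a named operator. The inventory also hard-codes addresses with per-host variables inline; moving `ssh_short_name` and `ansible_python_interpreter` into `host_vars/` keeps the `hosts` file to addresses and lets the same playbook run against another inventory. If the public address `34.242.108.38` is only a test instance, it is better kept out of the committed inventory.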
diff --git a/roles/users/tasks/ssh_config.yml b/roles/users/tasks/ssh_config.yml
index 78d6c85..a79ac71 100644
--- a/roles/users/tasks/ssh_config.yml
+++ b/roles/users/tasks/ssh_config.yml
@@ -18,40 +18,3 @@
 - "{{ users }}"
 - keys
 
-
-#- name: Check if user has ~/.ssh/config
-# stat:
-# path: "/home/{{ item.name }}/.ssh/config"
-# with_items: "{{ users }}"
-# register: sshconfig
-#
-#
-#- name: Create ~/.ssh/config when absent
-# file:
-# path: "/home/{{ item.item.name }}/.ssh/config"
-# owner: "{{ item.item.name }}"
-# group: "{{ item.item.name }}"
-# mode: 0600
-# state: touch
-# when: item.stat.exists == False
-# with_items:
-# - "{{ sshconfig.results }}"
-# no_log: True
-#
-#- name: Configure ~/.ssh/config
-# blockinfile:
-# path: "/home/{{ item.name }}/.ssh/config"
-# owner: "{{ item.name }}"
-# group: "{{ item.name }}"
-# mode: 0600
-# marker: "# {mark} ANSIBLE MANAGED BLOCK"
-# content: |
-# host {{ ansible_hostname }}
-# hostname {{ ansible_hostname }}
-# User {{ item.name }}
-# RemoteForward /home/{{ item.name }}/.gnupg/S.gpg-agent $HOME/.gnupg/S.gpg-agent
-# RemoteForward /home/{{ item.name }}/.gnupg/S.gpg-agent.ssh $HOME/.gnupg/S.gpg-agent.ssh
-# ServerAliveInterval 10
-# with_items:
-# - "{{ users }}"
-
diff --git a/roles/users/tasks/users.yml b/roles/users/tasks/users.yml
index f2254b8..72a7e9a 100644
--- a/roles/users/tasks/users.yml
+++ b/roles/users/tasks/users.yml
@@ -16,7 +16,7 @@
 uid: "{{ item.uid | default(omit) }}"
 shell: "{{ item.shell | default(default_shell) }}"
 append: yes
- no_log: True
+ no_log: True
 with_items: "{{ users }}"
 
 
diff --git a/site.yaml b/site.yaml
index dfc1b26..9fe41ea 100644
--- a/site.yaml
+++ b/site.yaml
@@ -1,7 +1,7 @@
 ---
 - name: Manage user configuration
 hosts: all
- remote_user: root
+ # remote_user: root
 roles:
 - users
 - ssh-config
-- 
2.44.2
From c53f50222089fd918ec901c4eba839eacc9de066 Mon Sep 17 00:00:00 2001
From: Vincent Van der Kussen
Date: Sat, 18 Aug 2018 14:07:19 +0200
Subject: [PATCH 8/9] make distinction between bash and csh shell config
---
 .../group_vars/all | 6 +--
 .../roles/users/README.md | 11 ++---
 .../roles/users/defaults/main.yml | 40 ++++++++++++++++++-
 .../roles/users/tasks/users.yml | 4 +-
 4 files changed, 49 insertions(+), 12 deletions(-)
diff --git a/add-users-groups-authorized_keys-dot-files/group_vars/all b/add-users-groups-authorized_keys-dot-files/group_vars/all
index 3271db4..e8d42db 100644
--- a/add-users-groups-authorized_keys-dot-files/group_vars/all
+++ b/add-users-groups-authorized_keys-dot-files/group_vars/all
@@ -17,7 +17,7 @@ users:
 keys:
 - file: key1
 state: present
- shell_lines:
+ bash_lines:
 - line: "testline"
 state: present
 - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh"
@@ -30,6 +30,6 @@ users:
 keys:
 - file: key2
 state: absent
- shell_lines:
- - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh"
+ csh_lines:
+ - line: "alias ls ls -lah"
 state: present
diff --git a/add-users-groups-authorized_keys-dot-files/roles/users/README.md b/add-users-groups-authorized_keys-dot-files/roles/users/README.md
index 48ddc36..5f4d964 100644
--- a/add-users-groups-authorized_keys-dot-files/roles/users/README.md
+++ b/add-users-groups-authorized_keys-dot-files/roles/users/README.md
@@ -11,14 +11,15 @@ Ansible roles to create/configure users on Linux/FreeBSD. | users | | | | ---: |---| ---| -| _variable name_ | Description | Data type | +| _variable name_ | Description | Data type | | name | username | string | | state | whether the user should be created or removed | present/absent | | password | string of an encrypted value(1) | string | | groups | additional groups the user should belong to | list | | uid | optionally specify a user id | int | | keys | list of dictionaries | list | -| shell_lines | list of dictionaries | list | +| bash_lines | configure lines in .bashrc | list | +| csh_lines | configure lines in .cshrc | list | (1) https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-crypted-passwords-for-the-user-module ## Default variables @@ -47,7 +48,7 @@ users: keys: - file: key1 state: present - shell_lines: + bash_lines: - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh" state: present - line: "alias ls='ls lah'" @@ -56,8 +57,8 @@ users: keys: - file: key2 state: absent - shell_lines: - - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh" + csh_lines: + - line: "ls ls -lah" state: absent ``` ## Using the Role diff --git a/add-users-groups-authorized_keys-dot-files/roles/users/defaults/main.yml b/add-users-groups-authorized_keys-dot-files/roles/users/defaults/main.yml index 4389d95..6577b10 100644 --- a/add-users-groups-authorized_keys-dot-files/roles/users/defaults/main.yml +++ b/add-users-groups-authorized_keys-dot-files/roles/users/defaults/main.yml 
@@ -1,4 +1,40 @@ default_freebsd_shell: "/bin/csh" default_linux_shell: "/bin/bash" -default_shell_lines: - - SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh + + +# Example variables +#--- +#user_groups: +# - name: mygroup +# gid: 700 +# - name: mysecondgroup +# gid: 702 +# state: absent +# +# +#users: +# - name: remember +# state: present +# password: "blabla" +# groups: +# - mygroup +# uid: 1100 +# keys: +# - file: key1 +# state: present +# bash_lines: +# - line: "testline" +# state: present +# - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh" +# state: present +# - line: "alias ls='ls lah'" +# state: present +# ssh_config: +# - ServerAliveInterval: 10 +# - name: test +# keys: +# - file: key2 +# state: absent +# csh_lines: +# - line: "alias ls ls -lah" +# state: present diff --git a/add-users-groups-authorized_keys-dot-files/roles/users/tasks/users.yml b/add-users-groups-authorized_keys-dot-files/roles/users/tasks/users.yml index 72a7e9a..2ebbfc3 100644 --- a/add-users-groups-authorized_keys-dot-files/roles/users/tasks/users.yml +++ b/add-users-groups-authorized_keys-dot-files/roles/users/tasks/users.yml @@ -28,7 +28,7 @@ backup: yes with_subelements: - "{{ users }}" - - shell_lines + - bash_lines - skip_missing: true when: ansible_os_family == 'Debian' @@ -40,7 +40,7 @@ state: "{{ item.1.state | default('present')}}" with_subelements: - "{{ users }}" - - shell_lines + - csh_lines - skip_missing: true when: ansible_os_family == 'FreeBSD' -- 2.44.2 From 59749462c0eb66f9dc53744d8e45fffcbd202a5e Mon Sep 17 00:00:00 2001 
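Review bot: The example block added to `defaults/main.yml` shows `password: "blabla"`, but the role's README documents `password` as an encrypted value and the `user` module stores the string as the hash itself, so a plaintext-looking sample teaches the wrong format; use a clearly marked placeholder such as `password: "<crypted hash, see README>"`. A 35-line commented sample in a defaults file also duplicates the README example and is never validated, so consider keeping only the two shell defaults here. `default_shell_lines` is removed in the same hunk; if any task or template still referenced it, that reference now resolves to undefined, which this diff does not show.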
From: Vincent Van der Kussen Date: Sun, 26 Aug 2018 15:10:15 +0200 Subject: [PATCH 9/9] required varaibles / remove append group / blocks in shell --- .../ansible.cfg | 4 +- .../group_vars/all | 15 +++- .../roles/ssh-config/tasks/main.yml | 3 +- .../roles/users/README.md | 25 ++++++ .../roles/users/tasks/main.yml | 7 ++ .../roles/users/tasks/set_facts.yml | 18 ++++ .../roles/users/tasks/ssh_config.yml | 3 + .../roles/users/tasks/users.yml | 83 +++++++++++++++++-- 8 files changed, 145 insertions(+), 13 deletions(-) diff --git a/add-users-groups-authorized_keys-dot-files/ansible.cfg b/add-users-groups-authorized_keys-dot-files/ansible.cfg index 83a7ce4..6efa305 100644 --- a/add-users-groups-authorized_keys-dot-files/ansible.cfg +++ b/add-users-groups-authorized_keys-dot-files/ansible.cfg @@ -6,8 +6,8 @@ retry_files_save_path = /tmp/ inventory=./hosts host_key_checking=False gathering = smart -#stdout_callback=unixy -stdout_callback=debug +stdout_callback=unixy +#stdout_callback=debug [privilege_escalation] become=True diff --git a/add-users-groups-authorized_keys-dot-files/group_vars/all b/add-users-groups-authorized_keys-dot-files/group_vars/all index e8d42db..c8e37a5 100644 --- a/add-users-groups-authorized_keys-dot-files/group_vars/all +++ b/add-users-groups-authorized_keys-dot-files/group_vars/all @@ -5,28 +5,39 @@ user_groups: - name: mysecondgroup gid: 702 state: absent + - name: admin + gid: 703 + state: present users: - name: remember - state: present + state: present password: "blabla" groups: - mygroup + - admin uid: 1100 + enable_sudo: false keys: - file: key1 state: present bash_lines: - - line: "testline" + - line: "#testline" state: present - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh" state: present - line: "alias ls='ls lah'" state: present + bash_blocks: + - content: | + #testing + #multiline + state: absent ssh_config: - ServerAliveInterval: 10 - name: test + state: present keys: - file: key2 state: absent 
diff --git a/add-users-groups-authorized_keys-dot-files/roles/ssh-config/tasks/main.yml b/add-users-groups-authorized_keys-dot-files/roles/ssh-config/tasks/main.yml index 0211c42..ef8a5bf 100644 --- a/add-users-groups-authorized_keys-dot-files/roles/ssh-config/tasks/main.yml +++ b/add-users-groups-authorized_keys-dot-files/roles/ssh-config/tasks/main.yml @@ -13,7 +13,7 @@ group: "{{ item.item.name }}" mode: 0600 state: touch - when: item.stat.exists == False + when: item.stat.exists == False and item.item.state == "present" with_items: - "{{ sshconfig.results }}" no_log: True @@ -42,3 +42,4 @@ - "{{ users }}" - ssh_config - skip_missing: true + when: item.0.state == "present" diff --git a/add-users-groups-authorized_keys-dot-files/roles/users/README.md b/add-users-groups-authorized_keys-dot-files/roles/users/README.md index 5f4d964..bf5f62f 100644 --- a/add-users-groups-authorized_keys-dot-files/roles/users/README.md +++ b/add-users-groups-authorized_keys-dot-files/roles/users/README.md @@ -17,11 +17,15 @@ Ansible roles to create/configure users on Linux/FreeBSD. | password | string of an encrypted value(1) | string | | groups | additional groups the user should belong to | list | | uid | optionally specify a user id | int | +| enable_sudo | Enable passwordless sudo for the given user | bool | | keys | list of dictionaries | list | | bash_lines | configure lines in .bashrc | list | +| bash_blocks | configure lines in .bashrc | list | | csh_lines | configure lines in .cshrc | list | +| csh__blocks | configure lines in .cshrc | list | (1) https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-crypted-passwords-for-the-user-module + ## Default variables The default shells depending on the OS are: @@ -45,6 +49,7 @@ users: groups: - mygroup uid: 1100 + enable_sudo: true keys: - file: key1 state: present 
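Review bot: `when: item.stat.exists == False and item.item.state == "present"` compares a boolean against `False` by value; the idiomatic, lint-clean form is `when: not item.stat.exists and item.item.state == "present"`, and the same `state == "present"` test recurs in the second hunk (`when: item.0.state == "present"`). Both conditions assume every user entry carries `state`; the `users` role's new required-variable check enforces that, but `ssh-config` is a separate role and raises an undefined-attribute error if it is run on its own against an entry without `state`, so `item.item.state | default('present') == "present"` would be safer. The `stat` task that registers `sshconfig` is outside the hunk and still runs for absent users, which is harmless.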
@@ -53,7 +58,13 @@ users: state: present - line: "alias ls='ls lah'" state: present + bash_blocks: + - content: | + #testing + #multiline + state: present - name: test + enable_sudo: false keys: - file: key2 state: absent @@ -95,6 +106,9 @@ This role allows you to add or remove lines to a user's `.bashrc` or `cshrc` fil Add items to the **shell_lines** key in the **users** variable. Each item exists of a _line_ and _state_ key. +**lines** + +Use _lines_ if you want to make sure a single line is present or not. Example: ``` shell_lines: @@ -106,5 +120,16 @@ shell_lines: state: present ``` +**blocks** +use blocks if you want to make sure a number of lines that belong together are +present or not. +Example: +``` +bash_blocks: + - content: | + if [ condition ]; then + do something + state: present +``` diff --git a/add-users-groups-authorized_keys-dot-files/roles/users/tasks/main.yml b/add-users-groups-authorized_keys-dot-files/roles/users/tasks/main.yml index 0904bb2..b3a54e4 100644 --- a/add-users-groups-authorized_keys-dot-files/roles/users/tasks/main.yml +++ b/add-users-groups-authorized_keys-dot-files/roles/users/tasks/main.yml @@ -1,4 +1,11 @@ --- +- name: Check for required variables + fail: + msg: "Variable: 'users.name' or 'users.state' NOT defined!" + with_items: "{{ users }}" + when: item.state is not defined or item.name is not defined + + - include_tasks: set_facts.yml - include_tasks: users.yml - include_tasks: ssh_config.yml diff --git a/add-users-groups-authorized_keys-dot-files/roles/users/tasks/set_facts.yml b/add-users-groups-authorized_keys-dot-files/roles/users/tasks/set_facts.yml index 4124706..9bc332f 100644 --- a/add-users-groups-authorized_keys-dot-files/roles/users/tasks/set_facts.yml +++ b/add-users-groups-authorized_keys-dot-files/roles/users/tasks/set_facts.yml @@ -1,3 +1,4 @@ +# Set default shell - set_fact: default_shell: "{{ default_freebsd_shell }}" when: ansible_os_family == 'FreeBSD' 
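Review bot: The required-variable check added to `tasks/main.yml` only catches a missing `name`/`state` inside an entry; when `users` itself is undefined, `with_items: "{{ users }}"` aborts with a generic undefined-variable error before the `fail` message is reached, so guard that case too. The loop also prints every skipped item in the default callback output, and the item is the whole user entry including its `password` value; add `loop_control: label: "{{ item.name | default('<unnamed>') }}"` so only the name is echoed. Replacing `fail` + `when` with an `assert` whose `that` list holds `item.name is defined` and `item.state is defined` would express the intent directly and report which condition failed.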
@@ -6,3 +7,20 @@ default_shell: "{{ default_linux_shell }}" when: ansible_os_family == 'Debian' +# Set sudoers path +- set_fact: + sudoers_path: /usr/local/etc/sudoers.d + when: ansible_os_family == 'FreeBSD' + +- set_fact: + sudoers_path: /etc/sudoers.d + when: ansible_os_family == 'Debian' + +# Set sudo config path +- set_fact: + sudo_config_path: /usr/local/etc/sudoers + when: ansible_os_family == 'FreeBSD' + +- set_fact: + sudo_config_path: /etc/sudoers + when: ansible_os_family == 'Debian' diff --git a/add-users-groups-authorized_keys-dot-files/roles/users/tasks/ssh_config.yml b/add-users-groups-authorized_keys-dot-files/roles/users/tasks/ssh_config.yml index a79ac71..52b1c81 100644 --- a/add-users-groups-authorized_keys-dot-files/roles/users/tasks/ssh_config.yml +++ b/add-users-groups-authorized_keys-dot-files/roles/users/tasks/ssh_config.yml @@ -1,3 +1,4 @@ + - name: Ensure .ssh folder is created file: path: "/home/{{item.name}}/.ssh" @@ -7,6 +8,7 @@ group: "{{ item.name }}" with_items: - "{{ users }}" + when: item.state == "present" - name: Configure authorized_keys @@ -17,4 +19,5 @@ with_subelements: - "{{ users }}" - keys + when: item.0.state is defined and item.0.state == "present" diff --git a/add-users-groups-authorized_keys-dot-files/roles/users/tasks/users.yml b/add-users-groups-authorized_keys-dot-files/roles/users/tasks/users.yml index 2ebbfc3..2df15e0 100644 --- a/add-users-groups-authorized_keys-dot-files/roles/users/tasks/users.yml +++ b/add-users-groups-authorized_keys-dot-files/roles/users/tasks/users.yml @@ -1,5 +1,5 @@ --- -- name: Ensure groups exist +- name: Add/Remove group group: name: "{{ item.name }}" gid: "{{ item.gid | default(omit) }}" @@ -7,7 +7,7 @@ with_items: "{{ user_groups }}" -- name: Ensure users exist +- name: Add/Remove user user: name: "{{ item.name }}" state: "{{ item.state | default('present') }}" 
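Review bot: The four new `set_fact` tasks define `sudoers_path` and `sudo_config_path` only for the `FreeBSD` and `Debian` os families, while the `Enable sudo for user` and `Include sudoers.d` tasks in `users.yml` that consume them carry no os-family condition, so on any other family the play fails with an undefined variable rather than skipping cleanly. Either give both facts a default in `defaults/main.yml` and override per family, or add an explicit `fail` for unsupported families. A single task per fact using a lookup such as `sudoers_path: "{{ {'FreeBSD': '/usr/local/etc/sudoers.d', 'Debian': '/etc/sudoers.d'}[ansible_os_family] }}"` would also remove the duplication; the first `set_fact` of `set_facts.yml` is outside this hunk.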
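Review bot: The two conditions added in `ssh_config.yml` are inconsistent: the `.ssh` folder task uses `when: item.state == "present"` while the `authorized_keys` task guards with `item.0.state is defined and item.0.state == "present"`. Since `tasks/main.yml` now fails early when any user lacks `state`, the `is defined` guard is redundant there, and if it is meant to survive running this file on its own the folder task needs the same protection. Pick one form for both, e.g. `when: item.state | default('present') == "present"` and `when: item.0.state | default('present') == "present"`; the body of the `authorized_key` task begins outside the last hunk.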
@@ -15,12 +15,12 @@ groups: "{{ item.groups | default(omit) }}" uid: "{{ item.uid | default(omit) }}" shell: "{{ item.shell | default(default_shell) }}" - append: yes - no_log: True + remove: yes + no_log: False with_items: "{{ users }}" -- name: Configure bashrc +- name: Configure bashrc lines lineinfile: path: "/home/{{ item.0.name }}/.bashrc" line: "{{ item.1.line }}" 
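Review bot: Switching the `user` task to `no_log: False` means every loop item, which is the full user entry including its `password` hash, is now printed in task output under the `debug`/`unixy` callbacks and lands in any log file Ansible writes; keep `no_log: True` here, or if per-user progress is what was wanted, add `loop_control: label: "{{ item.name }}"` so only the name is shown. Dropping `append: yes` is a behaviour change beyond "remove append group": `groups:` now replaces a user's supplementary groups instead of extending them, so an entry listing only `mygroup` silently removes the account from every other group it was in. `remove: yes` additionally deletes the home directory and mail spool when `state: absent`, which is destructive enough to deserve a comment on the task. The task's `name`/`state` lines start outside the hunk.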
@@ -30,17 +30,84 @@ - "{{ users }}" - bash_lines - skip_missing: true - when: ansible_os_family == 'Debian' + when: ansible_os_family == 'Debian' and item.0.state == "present" +- name: Configure bashrc blocks + blockinfile: + path: "/home/{{ item.0.name }}/.bashrc" + content: "{{ item.1.content }}" + marker: "# {mark} ANSIBLE managed content. Block item #{{ listitem }}" + state: "{{ item.1.state | default('present') }}" + backup: yes + with_subelements: + - "{{ users }}" + - bash_blocks + - skip_missing: true + when: ansible_os_family == 'Debian' and item.0.state == "present" + loop_control: + index_var: listitem -- name: Configure cshrc +- name: Configure cshrc lines lineinfile: path: "/home/{{ item.0.name }}/.cshrc" line: "{{ item.1.line }}" state: "{{ item.1.state | default('present')}}" + backup: yes with_subelements: - "{{ users }}" - csh_lines - skip_missing: true - when: ansible_os_family == 'FreeBSD' + when: ansible_os_family == 'FreeBSD' and item.0.state == "present" + +- name: Configure cshrc blocks + blockinfile: + path: "/home/{{ item.0.name }}/.cshrc" + content: "{{ item.1.conent }}" + marker: "# {mark} ANSIBLE managed content. 
Block item #{{ listitem }}" + state: "{{ item.1.state | default('present')}}" + backup: yes + with_subelements: + - "{{ users }}" + - csh_blocks + - skip_missing: true + when: ansible_os_family == 'FreeBSD' and item.0.state == "present" + loop_control: + index_var: listitem + +- name: Ensure sudo is installed (Debian) + apt: + name: sudo + update_cache: yes + cache_valid_time: "{{ apt_cache_valid | default('86400') }}" + when: ansible_os_family == "Debian" + +- name: Ensure sudo is installed (FreeBSD) + portinstall: + name: sudo + state: present + when: ansible_os_family == "FreeBSD" + +- name: Enable sudo for user + lineinfile: + path: "{{ sudoers_path }}/{{ item.name }}" + line: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL" + state: present + create: true + when: item.enable_sudo is defined and item.enable_sudo == true + with_items: "{{ users }}" + +- name: Disable sudo for user + file: + path: "{{ sudoers_path }}/{{ item.name }}" + state: absent + when: item.enable_sudo is defined and item.enable_sudo == false + with_items: "{{ users }}" + +- name: Include sudoers.d + lineinfile: + dest: "{{ sudo_config_path }}" + state: present + regexp: '^\#includedir {{ sudoers_path }}' + line: '#includedir {{ sudoers_path }}' + validate: 'visudo -cf %s' -- 2.44.2
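Review bot: `content: "{{ item.1.conent }}"` in the `Configure cshrc blocks` task is a typo, so every FreeBSD block fails on an undefined attribute; it should read `content: "{{ item.1.content }}"` (the README table in this patch also spells the key `csh__blocks`, which will never match `csh_blocks` used here). The `blockinfile` markers are built from `listitem`, the index over the flattened `with_subelements` list, so inserting, removing or reordering a block for any user shifts the indices of later blocks and leaves their old markers behind while re-adding them under new ones; a per-block key such as a `name` used in the marker would be stable, though that changes the documented schema. The `Enable sudo for user` drop-in is created with no `owner`/`group`/`mode` and no `validate`, yet sudo rejects sudoers.d files that are not root-owned with mode 0440 and a malformed line there breaks sudo for the host, so the file should be created with those set and checked with the same `visudo -cf %s` the `Include sudoers.d` task already uses. The `is defined` guards also mean an entry without `enable_sudo` (like `test` in `group_vars/all`) keeps any existing drop-in, and an entry with `state: absent` and `enable_sudo: true` leaves a rule for a deleted username; managing the drop-in explicitly from `state` and `enable_sudo | default(false) | bool` removes both gaps.
```yaml
# … unchanged: bashrc/cshrc line and block tasks, sudo package install …
- name: Enable sudo for user
  lineinfile:
    path: "{{ sudoers_path }}/{{ item.name }}"
    line: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
    state: present
    create: true
    owner: root
    group: "{{ 'wheel' if ansible_os_family == 'FreeBSD' else 'root' }}"
    mode: "0440"
    validate: 'visudo -cf %s'
  when: item.state == "present" and item.enable_sudo | default(false) | bool
  with_items: "{{ users }}"
  loop_control:
    label: "{{ item.name }}"

- name: Disable sudo for user
  file:
    path: "{{ sudoers_path }}/{{ item.name }}"
    state: absent
  when: item.state != "present" or not (item.enable_sudo | default(false) | bool)
  with_items: "{{ users }}"
  loop_control:
    label: "{{ item.name }}"
# … unchanged: Include sudoers.d task …
```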