include ssh and user management

1 year ago · 4b59380ed0
parent 492e996151
commit 4b59380ed0
5 changed files with 105 additions and 4 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -3,3 +3,7 @@
 debian_baseline_motd_enabled: true
 backports_uri: http://ftp.debian.org/debian
 backports_components: "{{ ansible_distribution_release }}-backports main contrib non-free"
+global__emergency_ssh_keys: []
+global__unattended_updates: false
+base__additional_packages: []
+global__users: {}
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -1,3 +1,9 @@
 ---
 - name: reconfigure unattended-upgrades
  command: dpkg-reconfigure -f noninteractive unattended-upgrades
+
+- name: reload ssh
+  become: yes
+  service:
+    name: ssh
+    state: reloaded
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -46,11 +46,13 @@
    vtype: 'boolean'
  notify: reconfigure unattended-upgrades

- name: Setup NTP
-  include_role:
-    name: ansible-debian-ntp
-
 - name: Ensure utf8 locale exists
  locale_gen:
    name: en_US.UTF-8
    state: present
+
+- name: Perform User Management
+  include_tasks: users.yml
+
+- name: Modify SSH Configuration
+  include_tasks: ssh.yml
--- a/tasks/ssh.yml
+++ b/tasks/ssh.yml
@ -0,0 +1,9 @@
+---
+
+- name: Ensure that SSH Password Auth is disabled
+  become: true
+  notify: reload ssh
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: '^#?PasswordAuthentication'
+    line: 'PasswordAuthentication no'
--- a/tasks/users.yml
+++ b/tasks/users.yml
@ -0,0 +1,80 @@
+---
+
+- name: create emergency users
+  become: true
+  user:
+    name: user
+    shell: '/bin/bash'
+    groups: [ sudo ]
+    state: present
+
+- name: ensure ssh keys for users
+  become: true
+  authorized_key:
+    user: user
+    state: present
+    exclusive: true
+    path: "/home/user/.ssh/authorized_keys"
+    key: "{{ global__emergency_ssh_keys | join('\n') }}"
+
+- name: Create ansible_managed group
+  become: true
+  group:
+    name: ansible_managed
+    state: present
+
+- name: collect existing user accounts
+  shell: 'grep ansible_managed /etc/group | cut -d: -f4 | tr "," "\n"'
+  changed_when: false
+  register: existing_users
+
+- name: collect users for server
+  set_fact:
+    allowed_users: "[{% for user,val in global__users.items() if val.access|d([]) in group_names or 'all' in val.access|d([]) %}\"{{ user }}\", {% endfor %}]"
+  changed_when: false
+
+- name: Identify removed users
+  set_fact:
+    removed_users: "{{ existing_users.stdout_lines|default([]) | difference(allowed_users) }}"
+
+- name: create users
+  become: true
+  user:
+    name: "{{ item }}"
+    shell: "{{ global__users[item]['shell']|d('/bin/bash') }}"
+    groups: [ sudo, ansible_managed ]
+    state: present
+  loop: "{{ allowed_users }}"
+
+- name: remove users
+  become: true
+  user:
+    name: "{{ item }}"
+    state: absent
+  loop: "{{ removed_users }}"
+
+- name: remove homes
+  become: true
+  file:
+    path: "/home/{{ item }}"
+    state: absent
+  loop: "{{ removed_users }}"
+
+- name: ensure ssh keys for users
+  become: true
+  authorized_key:
+    user: "{{ item }}"
+    state: present
+    exclusive: true
+    path: "/home/{{ item }}/.ssh/authorized_keys"
+    key: "{{ global__users[item]['ssh_keys'] | join('\n') }}"
+  loop: "{{ allowed_users }}"
+
+- name: enable passwordless sudo
+  become: true
+  lineinfile:
+    dest: /etc/sudoers
+    regexp: "^%sudo"
+    line: "%sudo   ALL=(ALL:ALL) NOPASSWD: ALL"
+    state: present
+  notify: reload ssh