5 changed files with 105 additions and 4 deletions
@ -1,3 +1,9 @@
|
||||
--- |
||||
- name: reconfigure unattended-upgrades |
||||
command: dpkg-reconfigure -f noninteractive unattended-upgrades |
||||
|
||||
- name: reload ssh |
||||
become: yes |
||||
service: |
||||
name: ssh |
||||
state: reloaded |
||||
|
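Review bot: The new `reload ssh` handler uses `become: yes`, while every task added elsewhere in this commit uses `become: true`; write `become: true` here so the handlers file is consistent and does not depend on YAML 1.1 truthy parsing. The `reconfigure unattended-upgrades` handler above it runs `dpkg-reconfigure` with no `become`; whether those lines are new or context is not recoverable from this page, but if they are new they need root as well.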
@ -0,0 +1,9 @@
|
||||
--- |
||||
|
||||
- name: Ensure that SSH Password Auth is disabled |
||||
become: true |
||||
notify: reload ssh |
||||
lineinfile: |
||||
dest: /etc/ssh/sshd_config |
||||
regexp: '^#?PasswordAuthentication' |
||||
line: 'PasswordAuthentication no' |
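Review bot: The lineinfile on /etc/ssh/sshd_config has no `validate`, so a malformed `line` would be written as-is and the notified `reload ssh` handler would then fail or reload the daemon on a broken config; add `validate: '/usr/sbin/sshd -t -f %s'` to the module args so the edit is rejected before it lands. Because this task disables password logins, it should only run after the authorized keys from the user tasks are in place; the play ordering is not visible on this page, so confirm it. `dest` is the legacy alias — `path` is the current argument name.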
@ -0,0 +1,80 @@
|
||||
--- |
||||
|
||||
- name: create emergency users |
||||
become: true |
||||
user: |
||||
name: user |
||||
shell: '/bin/bash' |
||||
groups: [ sudo ] |
||||
state: present |
||||
|
||||
- name: ensure ssh keys for users |
||||
become: true |
||||
authorized_key: |
||||
user: user |
||||
state: present |
||||
exclusive: true |
||||
path: "/home/user/.ssh/authorized_keys" |
||||
key: "{{ global__emergency_ssh_keys | join('\n') }}" |
||||
|
||||
- name: Create ansible_managed group |
||||
become: true |
||||
group: |
||||
name: ansible_managed |
||||
state: present |
||||
|
||||
- name: collect existing user accounts |
||||
shell: 'grep ansible_managed /etc/group | cut -d: -f4 | tr "," "\n"' |
||||
changed_when: false |
||||
register: existing_users |
||||
|
||||
- name: collect users for server |
||||
set_fact: |
||||
allowed_users: "[{% for user,val in global__users.items() if val.access|d([]) in group_names or 'all' in val.access|d([]) %}\"{{ user }}\", {% endfor %}]" |
||||
changed_when: false |
||||
|
||||
- name: Identify removed users |
||||
set_fact: |
||||
removed_users: "{{ existing_users.stdout_lines|default([]) | difference(allowed_users) }}" |
||||
|
||||
- name: create users |
||||
become: true |
||||
user: |
||||
name: "{{ item }}" |
||||
shell: "{{ global__users[item]['shell']|d('/bin/bash') }}" |
||||
groups: [ sudo, ansible_managed ] |
||||
state: present |
||||
loop: "{{ allowed_users }}" |
||||
|
||||
- name: remove users |
||||
become: true |
||||
user: |
||||
name: "{{ item }}" |
||||
state: absent |
||||
loop: "{{ removed_users }}" |
||||
|
||||
- name: remove homes |
||||
become: true |
||||
file: |
||||
path: "/home/{{ item }}" |
||||
state: absent |
||||
loop: "{{ removed_users }}" |
||||
|
||||
- name: ensure ssh keys for users |
||||
become: true |
||||
authorized_key: |
||||
user: "{{ item }}" |
||||
state: present |
||||
exclusive: true |
||||
path: "/home/{{ item }}/.ssh/authorized_keys" |
||||
key: "{{ global__users[item]['ssh_keys'] | join('\n') }}" |
||||
loop: "{{ allowed_users }}" |
||||
|
||||
- name: enable passwordless sudo |
||||
become: true |
||||
lineinfile: |
||||
dest: /etc/sudoers |
||||
regexp: "^%sudo" |
||||
line: "%sudo ALL=(ALL:ALL) NOPASSWD: ALL" |
||||
state: present |
||||
notify: reload ssh |
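Review bot: The `enable passwordless sudo` task at the end of the hunk rewrites /etc/sudoers with lineinfile but has no `validate`, so a malformed line would be written and break every sudo invocation on the host; add `validate: '/usr/sbin/visudo -cf %s'` to the module args. The `notify: reload ssh` on that same task looks copied from the sshd_config task — a sudoers change does not need an ssh reload — and can be dropped. The line also grants NOPASSWD to the whole `sudo` group, which includes the emergency `user` account created at the top of the hunk; if that is not intended, scope the rule to `%ansible_managed`, the group this play manages. Separately, the `allowed_users` expression tests `val.access|d([]) in group_names`, which is a membership check only when `access` is a scalar; if it is a list (as the `'all' in val.access|d([])` clause suggests), no host group ever matches and only `all` users are created — `group_names | intersect(val.access|d([])) | length > 0` would handle both shapes. Hard to confirm without the `global__users` schema.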