
include ssh and user management

main
parent
commit
4b59380ed0
  1. 4
      defaults/main.yml
  2. 6
      handlers/main.yml
  3. 10
      tasks/main.yml
  4. 9
      tasks/ssh.yml
  5. 80
      tasks/users.yml

4
defaults/main.yml

@ -3,3 +3,7 @@
debian_baseline_motd_enabled: true
backports_uri: http://ftp.debian.org/debian
backports_components: "{{ ansible_distribution_release }}-backports main contrib non-free"
global__emergency_ssh_keys: []
global__unattended_updates: false
base__additional_packages: []
global__users: {}
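Review bot: `global__users: {}` is added without any description of the per-user mapping that tasks/users.yml reads from it (`shell`, `ssh_keys` and `access`), so someone consuming the role from its defaults cannot tell what shape the variable must take. A comment above the key along the lines of `# user_name: {shell: '/bin/bash', ssh_keys: [...], access: [group_name or 'all']}` (constructed example) would carry that contract where defaults are read. `global__emergency_ssh_keys` likewise deserves a one-line note that it is applied with `exclusive: true` to the emergency account, since that is what makes an empty list consequential.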

6
handlers/main.yml

@ -1,3 +1,9 @@
---
- name: reconfigure unattended-upgrades
command: dpkg-reconfigure -f noninteractive unattended-upgrades
- name: reload ssh
become: yes
service:
name: ssh
state: reloaded
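Review bot: `become: yes` in the new `reload ssh` handler uses a YAML 1.1 truthy spelling while every other new task in this commit (tasks/ssh.yml, tasks/users.yml) writes `become: true`; use `become: true` here too so the file is uniform and yamllint's truthy rule stays clean. The handler is also notified from the sudoers task in users.yml, where an sshd reload has no effect on the change made; only the sshd_config task should notify it.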

10
tasks/main.yml

@ -46,11 +46,13 @@
vtype: 'boolean'
notify: reconfigure unattended-upgrades
- name: Setup NTP
include_role:
name: ansible-debian-ntp
- name: Ensure utf8 locale exists
locale_gen:
name: en_US.UTF-8
state: present
- name: Perform User Management
include_tasks: users.yml
- name: Modify SSH Configuration
include_tasks: ssh.yml
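Review bot: The two new `include_tasks` lines carry an ordering dependency that nothing states: users.yml deploys the authorized keys and ssh.yml then turns password authentication off, so swapping them (or a failure between them) can leave a host with neither working keys nor a password path. A comment above the first include, `# order matters: users.yml installs authorized keys before ssh.yml disables password login`, documents the dependency for the next editor. The task list this hunk belongs to starts before the hunk.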

9
tasks/ssh.yml

@ -0,0 +1,9 @@
---
- name: Ensure that SSH Password Auth is disabled
become: true
notify: reload ssh
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^#?PasswordAuthentication'
line: 'PasswordAuthentication no'
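Review bot: The lineinfile edit of /etc/ssh/sshd_config has no `validate:`, so a typo in `line` is written to the live config and the `reload ssh` handler then reloads sshd against a file it cannot parse; add `validate: '/usr/sbin/sshd -t -f %s'` so the change is rejected before it lands. The regexp `'^#?PasswordAuthentication'` replaces the last match in the file, which on a host whose sshd_config carries a `Match` block can be the per-match setting rather than the global one — at minimum a comment such as `# assumes no Match block overrides PasswordAuthentication` makes the assumption visible. `dest` is the older alias of `path` on this module; `path` matches current documentation.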

80
tasks/users.yml

@ -0,0 +1,80 @@
---
- name: create emergency users
become: true
user:
name: user
shell: '/bin/bash'
groups: [ sudo ]
state: present
- name: ensure ssh keys for users
become: true
authorized_key:
user: user
state: present
exclusive: true
path: "/home/user/.ssh/authorized_keys"
key: "{{ global__emergency_ssh_keys | join('\n') }}"
- name: Create ansible_managed group
become: true
group:
name: ansible_managed
state: present
- name: collect existing user accounts
shell: 'grep ansible_managed /etc/group | cut -d: -f4 | tr "," "\n"'
changed_when: false
register: existing_users
- name: collect users for server
set_fact:
allowed_users: "[{% for user,val in global__users.items() if val.access|d([]) in group_names or 'all' in val.access|d([]) %}\"{{ user }}\", {% endfor %}]"
changed_when: false
- name: Identify removed users
set_fact:
removed_users: "{{ existing_users.stdout_lines|default([]) | difference(allowed_users) }}"
- name: create users
become: true
user:
name: "{{ item }}"
shell: "{{ global__users[item]['shell']|d('/bin/bash') }}"
groups: [ sudo, ansible_managed ]
state: present
loop: "{{ allowed_users }}"
- name: remove users
become: true
user:
name: "{{ item }}"
state: absent
loop: "{{ removed_users }}"
- name: remove homes
become: true
file:
path: "/home/{{ item }}"
state: absent
loop: "{{ removed_users }}"
- name: ensure ssh keys for users
become: true
authorized_key:
user: "{{ item }}"
state: present
exclusive: true
path: "/home/{{ item }}/.ssh/authorized_keys"
key: "{{ global__users[item]['ssh_keys'] | join('\n') }}"
loop: "{{ allowed_users }}"
- name: enable passwordless sudo
become: true
lineinfile:
dest: /etc/sudoers
regexp: "^%sudo"
line: "%sudo ALL=(ALL:ALL) NOPASSWD: ALL"
state: present
notify: reload ssh
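Review bot: The `enable passwordless sudo` task edits /etc/sudoers with lineinfile but no `validate:`, so a malformed line is written in place and sudo stops working for every account, including the one Ansible escalates with; add `validate: '/usr/sbin/visudo -cf %s'` and drop the `notify: reload ssh` on that task, which reloads sshd for a change sshd never reads. In `collect users for server`, `val.access|d([]) in group_names` tests whether the whole access value is an element of `group_names`; if `access` is a list, as the `'all' in val.access` test suggests, that is never true and only the `'all'` path admits users — the rewrite below uses `intersect` and builds the list with a loop instead of concatenating a JSON-looking string. The first `ensure ssh keys for users` task runs with `exclusive: true` and a key joined from `global__emergency_ssh_keys`, which defaults to `[]`, so a guard such as `when: global__emergency_ssh_keys | length > 0` avoids applying an empty key set to the emergency account. For `remove users`, `remove: true` on the user module deletes the home directory recorded in passwd, which makes the separate `remove homes` task with its hard-coded `/home/{{ item }}` unnecessary.
```yaml
# … unchanged: emergency user, ansible_managed group, collect existing user accounts …
- name: start with an empty allowed user list
  set_fact:
    allowed_users: []
- name: collect users for server
  set_fact:
    allowed_users: "{{ allowed_users + [item.key] }}"
  loop: "{{ global__users | dict2items }}"
  when: >-
    'all' in (item.value.access | d([]))
    or (item.value.access | d([]) | intersect(group_names)) | length > 0
# … unchanged: Identify removed users and later tasks …
```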