include ssh and user management
parent
492e996151
commit
4b59380ed0
@ -1,3 +1,9 @@
|
||||
---
|
||||
- name: reconfigure unattended-upgrades
|
||||
command: dpkg-reconfigure -f noninteractive unattended-upgrades
|
||||
|
||||
- name: reload ssh
|
||||
become: yes
|
||||
service:
|
||||
name: ssh
|
||||
state: reloaded
|
||||
|
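Review bot: The `reload ssh` handler uses `become: yes`, which yamllint's `truthy` rule flags and which parses differently across YAML 1.1/1.2 loaders; write it as `become: true` to match the `become: true` used in the task files of this same commit. The unit name `ssh` is the Debian/Ubuntu service name — on RHEL-family hosts the unit is `sshd`, so if this role is ever applied there the handler will fail; worth a comment such as `# Debian/Ubuntu unit name; RHEL-family calls it sshd`.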
@ -0,0 +1,9 @@
|
||||
---
|
||||
|
||||
- name: Ensure that SSH Password Auth is disabled
|
||||
become: true
|
||||
notify: reload ssh
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^#?PasswordAuthentication'
|
||||
line: 'PasswordAuthentication no'
|
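Review bot: The `lineinfile` edit of `/etc/ssh/sshd_config` has no `validate`, so a typo or a bad regexp match writes a broken config that the notified `reload ssh` handler then applies, which can lock every operator out; add `validate: '/usr/sbin/sshd -t -f %s'` to the task. `lineinfile` also only rewrites the last line matching `^#?PasswordAuthentication` and appends at end of file when nothing matches, and sshd takes the first value it sees — so on hosts whose `sshd_config` starts with `Include /etc/ssh/sshd_config.d/*.conf` (recent Debian/Ubuntu, where cloud-init often drops a file setting `PasswordAuthentication yes`), this line may have no effect. Consider either managing a drop-in under `sshd_config.d/` or asserting the effective value with `sshd -T | grep -i passwordauthentication` after the change. Note that keyboard-interactive (PAM) authentication is a separate knob; if `KbdInteractiveAuthentication`/`ChallengeResponseAuthentication` is left enabled, password logins can still succeed through it.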
@ -0,0 +1,80 @@
|
||||
---
|
||||
|
||||
- name: create emergency users
|
||||
become: true
|
||||
user:
|
||||
name: user
|
||||
shell: '/bin/bash'
|
||||
groups: [ sudo ]
|
||||
state: present
|
||||
|
||||
- name: ensure ssh keys for users
|
||||
become: true
|
||||
authorized_key:
|
||||
user: user
|
||||
state: present
|
||||
exclusive: true
|
||||
path: "/home/user/.ssh/authorized_keys"
|
||||
key: "{{ global__emergency_ssh_keys | join('\n') }}"
|
||||
|
||||
- name: Create ansible_managed group
|
||||
become: true
|
||||
group:
|
||||
name: ansible_managed
|
||||
state: present
|
||||
|
||||
- name: collect existing user accounts
|
||||
shell: 'grep ansible_managed /etc/group | cut -d: -f4 | tr "," "\n"'
|
||||
changed_when: false
|
||||
register: existing_users
|
||||
|
||||
- name: collect users for server
|
||||
set_fact:
|
||||
allowed_users: "[{% for user,val in global__users.items() if val.access|d([]) in group_names or 'all' in val.access|d([]) %}\"{{ user }}\", {% endfor %}]"
|
||||
changed_when: false
|
||||
|
||||
- name: Identify removed users
|
||||
set_fact:
|
||||
removed_users: "{{ existing_users.stdout_lines|default([]) | difference(allowed_users) }}"
|
||||
|
||||
- name: create users
|
||||
become: true
|
||||
user:
|
||||
name: "{{ item }}"
|
||||
shell: "{{ global__users[item]['shell']|d('/bin/bash') }}"
|
||||
groups: [ sudo, ansible_managed ]
|
||||
state: present
|
||||
loop: "{{ allowed_users }}"
|
||||
|
||||
- name: remove users
|
||||
become: true
|
||||
user:
|
||||
name: "{{ item }}"
|
||||
state: absent
|
||||
loop: "{{ removed_users }}"
|
||||
|
||||
- name: remove homes
|
||||
become: true
|
||||
file:
|
||||
path: "/home/{{ item }}"
|
||||
state: absent
|
||||
loop: "{{ removed_users }}"
|
||||
|
||||
- name: ensure ssh keys for users
|
||||
become: true
|
||||
authorized_key:
|
||||
user: "{{ item }}"
|
||||
state: present
|
||||
exclusive: true
|
||||
path: "/home/{{ item }}/.ssh/authorized_keys"
|
||||
key: "{{ global__users[item]['ssh_keys'] | join('\n') }}"
|
||||
loop: "{{ allowed_users }}"
|
||||
|
||||
- name: enable passwordless sudo
|
||||
become: true
|
||||
lineinfile:
|
||||
dest: /etc/sudoers
|
||||
regexp: "^%sudo"
|
||||
line: "%sudo ALL=(ALL:ALL) NOPASSWD: ALL"
|
||||
state: present
|
||||
notify: reload ssh
|
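Review bot: The `enable passwordless sudo` task edits `/etc/sudoers` with `lineinfile` and no `validate`, so a malformed line breaks sudo for every account on the host at once — the fix is `validate: '/usr/sbin/visudo -cf %s'` on that task, and the `notify: reload ssh` there should be dropped since sudoers changes take effect immediately and have nothing to do with sshd. Granting `%sudo ALL=(ALL:ALL) NOPASSWD: ALL` to every user this file creates (they all get `groups: [ sudo, ansible_managed ]`) makes each SSH key root-equivalent with no second factor; if that is intended, a comment stating it is deliberate would help the next reviewer. In `collect users for server`, `val.access|d([]) in group_names` tests whether the whole `access` value is an element of `group_names`; if `access` is a list as the `d([])` default suggests, only the `'all'` branch can ever match, and `val.access|d([]) | intersect(group_names)` is presumably what was meant — worth confirming against the `global__users` schema. The `remove users` task could use the `user` module's `remove: true` instead of a separate `file: state: absent` on a hard-coded `/home/{{ item }}`, which also covers accounts whose home is elsewhere.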