Refactor server roles into one that handles all OS physical or virtual
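--- a/functions/user.yml
+++ b/functions/user.yml
@@ -0,0 +1,96 @@
+---
+# HELP
+# If you want NO password, set password: '*'
+# If you just want a group with the same users name, and no others, use group: []
+# If you don't want a home directory use create_home: no
+
+# Optional
+# ssh_authorized: true|false (default true) - Adds users public key to authorized_keys on server
+# ssh_keys: true|false (default false) - Adds users public AND private key to server
+# create_home: yes|no (default yes) - Creates /home/user directory
+
+
+
+- name: Registering {{ user }} home directory variable
+  shell: >
+    getent passwd {{ user }} | cut -d: -f6
+  changed_when: false
+  register: user_home
+
+# Notice both group and user is {{id}}, so they are the same!
+- name: Creating group {{ user }}
+  group:
+    name: '{{ user }}'
+    gid: '{{ id }}'
+
+- name: Creating user {{ user }}
+  user:
+    name: '{{ user }}'
+    uid: '{{ id }}'
+    comment: '{{ user }}'
+    group: '{{ user }}'
+    groups: '{{ group }}'
+    password: '{{ password }}'
+    update_password: always
+    create_home: '{{ create_home | default("yes") }}'
+    shell: /bin/bash
+
+#- name: Setting user {{ user }} password
+#user:
+#password: '{{ password }}'
+#when: password is defined
+
+- name: Adding users sudoers.d file
+  file:
+    path: '/etc/sudoers.d/{{ user }}'
+    state: touch
+    mode: "0640" #-rw-r-----
+  when: '"sudo" in group'
+
+- name: Setting user to nopasswd sudo access
+  lineinfile:
+    path: '/etc/sudoers.d/{{ user }}'
+    line: '{{ user }} ALL=(ALL) NOPASSWD:ALL'
+  when: '"sudo" in group'
+
+# Authorize users SSH keys
+# NOTE, when: ssh_authorize|bool == true
+# IS working, BUT even if ssh_authorize = false the
+# with_file: still errors if 'keys/{{ user }}.key.pub' does NOT exists
+# So you have to create at least a blank users/keys/user.key.pub file
+- name: Authorizing SSH keys for {{ user }}
+  authorized_key:
+    user: '{{ user }}'
+    key: '{{ item }}'
+  with_file:
+    - 'keys/{{ user }}.key.pub'
+  when: ssh_authorize|default(true)|bool
+
+# Create users ~/.ssh directory
+- name: Creating {{ user }} ~/.ssh directory
+  file:
+    path: '{{ "~" + user | expanduser }}/.ssh'
+    state: directory
+  when: ssh_keys|default(false)|bool
+
+# Create users public key
+- name: Copying {{ user }} SSH public key
+  copy:
+    src: 'keys/{{ user }}.key.pub'
+    #dest: '{{ user_home }}/.ssh/id_rsa.pub'
+    dest: '{{ "~" + user | expanduser }}/.ssh/id_rsa.pub'
+    owner: '{{ user }}'
+    group: '{{ user }}'
+    mode: 0644
+  when: ssh_keys|default(false)|bool
+
+# Create users private key
+- name: Copying {{ user }} SSH private key
+  copy:
+    src: '../../../vault/{{ user }}.key'
+    #dest: '{{ user_home }}/.ssh/id_rsa'
+    dest: '{{ "~" + user | expanduser }}/.ssh/id_rsa'
+    owner: '{{ user }}'
+    group: '{{ user }}'
+    mode: 0600
+  when: ssh_keys|default(false)|bool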
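Review bot: The NOPASSWD entry is written into `/etc/sudoers.d/{{ user }}` by lineinfile with no syntax check, so a malformed `user` value or a typo in the line leaves every sudo-enabled account on the host unable to escalate; add `validate: '/usr/sbin/visudo -cf %s'` to that task. The two copy tasks use unquoted `mode: 0644` and `mode: 0600` while the sudoers task already writes `mode: "0640"`; quoting them as `mode: "0644"` and `mode: "0600"` keeps the file consistent and stops the intended mode from depending on YAML 1.1 octal parsing. The user task passes `password` straight through with `update_password: always`, and the user module expects an already hashed value, so if the variable holds plaintext the account ends up with an unusable hash; a one-line comment in the HELP block stating that `password` must be a crypt hash, plus `no_log: true` on that task so the value is not echoed in play output, would close that gap. `state: touch` on the sudoers file also rewrites its timestamp on every run, so that task can never report unchanged.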