From 6c6de5a9549f3c1dcae7709e5f00140bed504bfe Mon Sep 17 00:00:00 2001
From: "Ethan N. Paul" <epaul@starry.com>
Date: Tue, 11 Dec 2018 00:48:37 -0500
Subject: [PATCH] Update playbooks and finalize the update-users playbook

---
 playbooks/group_vars       |   1 +
 playbooks/host_vars        |   1 +
 playbooks/provision.yml    |  14 ++--
 playbooks/tasks            |   1 +
 playbooks/update-users.yml | 132 ++++++++++++++++++++++++++++++++++---
 5 files changed, 133 insertions(+), 16 deletions(-)
 create mode 120000 playbooks/group_vars
 create mode 120000 playbooks/host_vars
 create mode 120000 playbooks/tasks

diff --git a/playbooks/group_vars b/playbooks/group_vars
new file mode 120000
index 0000000..1a74008
--- /dev/null
+++ b/playbooks/group_vars
@@ -0,0 +1 @@
+../groups
\ No newline at end of file
diff --git a/playbooks/host_vars b/playbooks/host_vars
new file mode 120000
index 0000000..7d9147e
--- /dev/null
+++ b/playbooks/host_vars
@@ -0,0 +1 @@
+../hosts
\ No newline at end of file
diff --git a/playbooks/provision.yml b/playbooks/provision.yml
index ae42762..4dca9f1 100644
--- a/playbooks/provision.yml
+++ b/playbooks/provision.yml
@@ -6,7 +6,7 @@
       when: ansible_distribution != "CentOS" and ansible_distribution != "Red Hat Enterprise Linux" and ansible_distribution != "Fedora"
       meta: end_play
       debug:
-        msg: "Standard configuration deployment is only supported on Fedora 27/28, Centos 7.5, and RHEL"
+        msg: "Standard configuration deployment is only supported on Fedora 28/29, Centos 7.5, and RHEL"
 
     - name: Set hostname
       become: true
@@ -30,13 +30,13 @@
 - hosts: all
   name: System packages
   tasks:
-    - import_tasks: common/centos/repositories.yml
+    - import_tasks: tasks/centos/repositories.yml
       when: ansible_distribution == "CentOS"
-    - import_tasks: common/centos/packages.yml
+    - import_tasks: tasks/centos/packages.yml
       when: ansible_distribution == "CentOS"
-    - import_tasks: common/fedora/packages.yml
+    - import_tasks: tasks/fedora/packages.yml
       when: ansible_distribution == "Fedora"
-    # - import_tasks: common/debian/packages.yml
+    # - import_tasks: tasks/debian/packages.yml
     #   when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
 
 
@@ -49,9 +49,9 @@
     - name: Install systemd-networkd
       when: enable_networkd == true
       block:
-        - import_tasks: common/centos/networkd.yml
+        - import_tasks: tasks/centos/networkd.yml
           when: ansible_distribution == "CentOS"
-        - import_tasks: common/fedora/networkd.yml
+        - import_tasks: tasks/fedora/networkd.yml
           when: ansible_distribution == "Fedora"
         # - import_tasks: common/debian/networkd.yml
         #   when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
diff --git a/playbooks/tasks b/playbooks/tasks
new file mode 120000
index 0000000..f82457b
--- /dev/null
+++ b/playbooks/tasks
@@ -0,0 +1 @@
+../tasks
\ No newline at end of file
diff --git a/playbooks/update-users.yml b/playbooks/update-users.yml
index e4b3c07..1d8fc6c 100644
--- a/playbooks/update-users.yml
+++ b/playbooks/update-users.yml
@@ -1,11 +1,4 @@
 ---
-- hosts: all
-  name: Load variables
-  tasks:
-    - name: Load user variables
-      include_vars:
-        file: users.yml
-
 - hosts: all
   name: Prompt for variables
   vars_prompt:
@@ -13,13 +6,134 @@
       prompt: "Generate SSH keypair for new users?"
       default: yes
       when: generate_keys is not defined
-
     - name: "enable_sudo_password"
       prompt: "Require user password when running sudo commands?"
       default: yes
       when: enable_sudo_password is not defined
-
     - name: "disable_gnome_user_list"
       prompt: "Disable the GNOME user list?"
       default: yes
       when: disable_gnome_user_list is not defined
+
+  tasks:
+    - name: Load user variables
+      include_vars:
+        file: users.yml
+
+    - name: Create local user accounts
+      block:
+        - name: Reconcile user targets with host targets to get host users
+          set_fact:
+            local_users: "{{ local_users | default([]) + [item if item.targets | intersect(targets) else None] }}"
+          with_items: "{{ users }}"
+
+        - name: Create groups
+          become: true
+          group:
+            name: "{{ item }}"
+            state: present
+          with_items:
+            - "{{ targets }}"
+            - omni
+
+        - name: Create users
+          become: true
+          user:
+            name: "{{ item.name }}"
+            comment: "{{ item.fullname | default('') }}"
+            shell: /bin/bash
+            groups: "{{ item.targets | intersect(targets) }} + {{ [ 'omni' ] if item.name != 'root' else [] }}"
+            system: "{{ item.svc | default('no') }}"
+            state: present
+            generate_ssh_key: "{{ generate_keys }}"
+            password: "{{ item.password }}"
+          with_items:
+            - "{{ local_users | difference([None]) }}"
+
+    - name: Delete users that have been removed
+      block:
+        - name: Determine existing users
+          shell: 'grep omni /etc/group | cut -d: -f4 | tr "," "\n"'
+          changed_when: false
+          register: existing_users
+
+        - name: Coallate user names
+          set_fact:
+            user_names: "{{ user_names | default([]) + [item.name] }}"
+          with_items: "{{ users }}"
+
+        - name: Determine removed users
+          set_fact:
+            removed_users: "{{ existing_users.stdout_lines | difference(user_names) }}"
+
+        - name: Delete removed user accounts
+          become: true
+          user:
+            name: "{{ item }}"
+            state: absent
+          with_items: "{{ removed_users }}"
+
+    - name: Grant sudo permissions
+      block:
+        - name: Get administrative users
+          set_fact:
+            local_admin_users: "{{ local_admin_users | default([]) + [item.name if item.admin else None] }}"
+          with_items: "{{ local_users | difference([None]) }}"
+
+        - name: Add users to sudo group on Fedora/CentOS/RHEL
+          when: ansible_distribution == "Fedora" or ansible_distribution == "Red Hat Enterprise Linux" or ansible_distribution == "CentOS"
+          become: true
+          user:
+            name: "{{ item.name }}"
+            groups: wheel
+            state: present
+          with_items:
+            - "{{ local_users | difference([None]) }}"
+
+        - name: Disable sudo password for ansible
+          become: true
+          lineinfile:
+            create: yes
+            path: /etc/sudoers/30-ansible
+            line: "ansible ALL=(ALL) NOPASSWD:ALL"
+            mode: 0644
+
+        - name: Disable sudo password for admin users
+          when: enable_sudo_password is False
+          become: true
+          lineinfile:
+            create: yes
+            path: /etc/sudoers/30-ansible
+            line: "{{ item }} ALL=(ALL) NOPASSWD:ALL"
+            mode: 0644
+          with_items:
+            - "{{ local_admin_users | difference([None] )}}"
+
+    - name: Configure GNOME
+      when: ansible_distribution == "Fedora" and disable_gnome_user_list is True
+      block:
+        - name: Configure GDM profile
+          become: true
+          blockinfile:
+            path: /etc/ssh/sshd_config
+            block: |
+              user-db:user
+              system-db:gdm
+              file-db:/usr/share/gdm/greeter-dconf-defaults
+
+        - name: Configure GDM keyfile
+          become: true
+          blockinfile:
+            path: /etc/dconf/db/gdm.d/00-login-screen
+            block: |
+              [org/gnome/login-screen]
+              # Do not show the user list
+              disable-user-list=true
+
+        - name: Delete existing user database
+          become: true
+          shell: "mv /var/lib/gdm/.config/dconf/user /var/lib/gdm/.config/user.bkup"
+
+        - name: Restart dconf database
+          become: true
+          shell: dconf update