Add playbook for updating existing settings

playbooks/provision.yaml

@@ -49,6 +49,7 @@
         requirements: "{{ skylab_ansible_venv }}/requirements.txt"
         state: present
 
+
 - name: Configure common server settings
   hosts: all
   vars_files:
@@ -101,6 +102,7 @@
         name: "{{ skylab_packages_global + skylab_packages_rocky }}"
         state: present
 
+
 - name: Configure SSH
   hosts: all
   handlers:
@@ -162,3 +164,6 @@
         src: motd.j2
         dest: /etc/motd
         mode: 0644
+
+
+- import_playbook: update.yaml

playbooks/update.yaml

@@ -0,0 +1,161 @@
+---
+- name: Update system
+  hosts: all
+  tags:
+    - packages
+  vars_files:
+    - vars/packages.yaml
+  tasks:
+    - name: Update system packages via DNF
+      when: ansible_distribution == "Rocky"
+      become: true
+      ansible.builtin.dnf:
+        name: "*"
+        state: latest
+
+- name: Update unix accounts
+  hosts: all
+  tags:
+    - accounts
+    - access
+  vars_files:
+    - vars/access.yaml
+    - vars/sshkeys.yaml
+  tasks:
+    - name: Create management groups
+      become: true
+      ansible.builtin.group:
+        name: "{{ item.name }}"
+        gid: "{{ item.gid }}"
+        state: present
+      loop:
+        - "{{ skylab_group }}"
+        - "{{ skylab_group_admin }}"
+        - "{{ skylab_group_automation }}"
+
+    - name: Determine existing skylab users
+      changed_when: false
+      ansible.builtin.shell:
+        cmd: 'grep {{ skylab_group.name }} /etc/group | cut --delimiter : --fields 4 | tr "," "\n"'
+      register: _existing_skylab_accounts
+
+    - name: Delete removed user accounts
+      become: true
+      when: item not in (skylab_accounts | items2dict(key_name='name', value_name='uid'))
+      ansible.builtin.user:
+        name: "{{ item }}"
+        state: absent
+      loop: "{{ _existing_skylab_accounts.stdout_lines }}"
+
+    - name: Delete removed user groups
+      become: true
+      when: item not in (skylab_accounts | items2dict(key_name='name', value_name='uid'))
+      ansible.builtin.group:
+        name: "{{ item }}"
+        state: absent
+      loop: "{{ _existing_skylab_accounts.stdout_lines }}"
+
+    - name: Delete removed user home directories
+      become: true
+      when: item not in (skylab_accounts | items2dict(key_name='name', value_name='uid'))
+      ansible.builtin.file:
+        path: "/home/{{ item }}"
+        state: absent
+      loop: "{{ _existing_skylab_accounts.stdout_lines }}"
+
+    - name: Create account groups
+      when: item.targets | intersect(skylab_targets)
+      become: true
+      ansible.builtin.group:
+        name: "{{ item.name }}"
+        gid: "{{ item.uid }}"
+        state: present
+      loop: "{{ skylab_accounts }}"
+      loop_control:
+        label: "{{ item.uid }},{{ item.name }}"
+
+    - name: Determine account groups
+      ansible.builtin.set_fact:
+        _determined_member_groups: "{{ _determined_member_groups | default({}) | combine({item.name: [
+          skylab_group.name,
+          'wheel' if (item.admin | default(false) and ansible_distribution == 'Rocky') else '',
+          'sudo' if (item.admin | default(false) and ansible_os_family == 'Debian') else '',
+          skylab_group_admin.name if item.admin | default(false) else '',
+          skylab_group_automation.name if item.service | default(false) else '',
+        ]}) }}"
+      loop: "{{ skylab_accounts }}"
+      loop_control:
+        label: "{{ item.uid }},{{ item.name }}"
+
+    - name: Create accounts
+      when: item.targets | intersect(skylab_targets)
+      become: true
+      ansible.builtin.user:
+        name: "{{ item.name }}"
+        state: present
+        uid: "{{ item.uid }}"
+        group: "{{ item.name }}"
+        groups: "{{ _determined_member_groups[item.name] }}"
+        comment: "{{ item.fullname | default('') }}"
+        system: "{{ item.service | default(false) }}"
+        generate_ssh_key: false
+        password: "{{ item.password }}"
+      loop: "{{ skylab_accounts }}"
+      loop_control:
+        label: "{{ item.uid }},{{ item.name }}"
+
+    - name: Ensure proper ownership of user home directories
+      become: true
+      ansible.builtin.file:
+        path: /home/{{ item.name }}
+        state: directory
+        group: "{{ item.name }}"
+        owner: "{{ item.name }}"
+        mode: 0700
+      loop: "{{ skylab_accounts }}"
+      loop_control:
+        label: "{{ item.uid }},{{ item.name }}"
+
+    - name: Enforce root password
+      become: true
+      ansible.builtin.user:
+        name: root
+        password: "{{ skylab_root_password }}"
+        state: present
+
+    - name: Create SSH directory
+      become: true
+      ansible.builtin.file:
+        path: /home/{{ item.name }}/.ssh
+        owner: "{{ item.name }}"
+        group: "{{ item.name }}"
+        state: directory
+        mode: 0700
+      loop: "{{ skylab_accounts }}"
+      loop_control:
+        label: "{{ item.uid }},{{ item.name }}"
+
+    - name: Update authorized keys
+      become: true
+      when: item.targets | intersect(skylab_targets)
+      ansible.builtin.authorized_key:
+        user: "{{ item.name }}"
+        key: "{{ skylab_ssh_keys[item.name] | join('\n') }}"
+        state: present
+        exclusive: true
+      loop: "{{ skylab_accounts }}"
+      loop_control:
+        label: "{{ item.uid }},{{ item.name }}"
+
+    - name: Enforce ownership of authorized keys
+      become: true
+      when: item.targets | intersect(skylab_targets)
+      ansible.builtin.file:
+        path: /home/{{ item.name }}/.ssh/authorized_keys
+        state: file
+        owner: "{{ item.name }}"
+        group: "{{ item.name }}"
+        mode: 0400
+      loop: "{{ skylab_accounts }}"
+      loop_control:
+        label: "{{ item.uid }},{{ item.name }}"

playbooks/vars

@@ -0,0 +1 @@
+../vars/