From 0c95df30668ae9a2d80dca535855f15b718b23fb Mon Sep 17 00:00:00 2001
From: Ethan Paul
Date: Mon, 15 Nov 2021 19:53:19 -0500
Subject: [PATCH] Update access targets to be optional parameter Add server role to iridium
---
inventory.yaml | 2 +
playbooks/update.yaml | 89 +++++++++++++++++++-------------
roles/swarm/tasks/configure.yaml | 2 +-
3 files changed, 55 insertions(+), 38 deletions(-)
diff --git a/inventory.yaml b/inventory.yaml
index 95464ca..3f31df3 100644
--- a/inventory.yaml
+++ b/inventory.yaml
@@ -24,6 +24,8 @@ en1: ansible_host: 10.42.101.200 skylab_description: Local Monitor Node skylab_targets: [network] + skylab_roles: + - server children:
diff --git a/playbooks/update.yaml b/playbooks/update.yaml
index 66c83ea..9d45144 100644
--- a/playbooks/update.yaml
+++ b/playbooks/update.yaml
@@ -47,6 +47,7 @@ state: present update_cache: true + - name: Update unix accounts hosts: linux tags:
@@ -75,38 +76,55 @@ cmd: 'grep "{{ skylab_group.name }}:" /etc/group | cut --delimiter : --fields 4 | tr "," "\n"' register: _existing_skylab_accounts - - name: Delete removed user accounts - become: true + - name: Determine deleted skylab users + vars: + _deleted_accounts: [] when: item not in (skylab_accounts | items2dict(key_name='name', value_name='uid')) - ansible.builtin.user: - name: "{{ item }}" - state: absent + ansible.builtin.set_fact: + _deleted_accounts: "{{ _deleted_accounts + [item] }}" loop: "{{ _existing_skylab_accounts.stdout_lines }}" - - name: Delete removed user groups - become: true - when: item not in (skylab_accounts | items2dict(key_name='name', value_name='uid')) - ansible.builtin.group: - name: "{{ item }}" - state: absent - loop: "{{ _existing_skylab_accounts.stdout_lines }}" + - name: Delete accounts + when: _deleted_accounts | default(false) + block: + - name: Delete removed user accounts + become: true + ansible.builtin.user: + name: "{{ item }}" + state: absent + loop: "{{ _deleted_accounts }}" - - name: Delete removed user home directories - become: true - when: item not in (skylab_accounts | items2dict(key_name='name', value_name='uid')) - ansible.builtin.file: - path: "/home/{{ item }}" - state: absent - loop: "{{ _existing_skylab_accounts.stdout_lines }}" + - name: Delete removed user groups + become: true + ansible.builtin.group: + name: "{{ item }}" + state: absent + loop: "{{ _deleted_accounts }}" + + - name: Delete removed user home directories + become: true + ansible.builtin.file: + path: "/home/{{ item }}" + state: absent + loop: "{{ _deleted_accounts }}" + + - name: Determine active users + when: item.targets | default([]) | intersect(skylab_targets) + vars: + _active_accounts: [] + ansible.builtin.set_fact: + _active_accounts: "{{ _active_accounts + [item] }}" + loop: "{{ skylab_accounts }}" + loop_control: + label: "{{ item.uid }},{{ item.name }}" - name: Create account groups - when: item.targets | 
intersect(skylab_targets) become: true ansible.builtin.group: name: "{{ item.name }}" gid: "{{ item.uid }}" state: present - loop: "{{ skylab_accounts }}" + loop: "{{ _active_accounts }}" loop_control: label: "{{ item.uid }},{{ item.name }}"
@@ -119,12 +137,11 @@ skylab_group_admin.name if item.admin | default(false) else '', skylab_group_automation.name if item.service | default(false) else '', ]}) }}" - loop: "{{ skylab_accounts }}" + loop: "{{ _active_accounts }}" loop_control: label: "{{ item.uid }},{{ item.name }}" - name: Create accounts - when: item.targets | intersect(skylab_targets) become: true ansible.builtin.user: name: "{{ item.name }}"
@@ -136,7 +153,7 @@ system: "{{ item.service | default(false) }}" generate_ssh_key: false password: "{{ item.password }}" - loop: "{{ skylab_accounts }}" + loop: "{{ _active_accounts }}" loop_control: label: "{{ item.uid }},{{ item.name }}"
@@ -148,17 +165,10 @@ group: "{{ item.name }}" owner: "{{ item.name }}" mode: 0700 - loop: "{{ skylab_accounts }}" + loop: "{{ _active_accounts }}" loop_control: label: "{{ item.uid }},{{ item.name }}" - - name: Enforce root password - become: true - ansible.builtin.user: - name: root - password: "{{ skylab_root_password }}" - state: present - - name: Create SSH directory become: true ansible.builtin.file:
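Review bot: `_active_accounts` is only initialised by the task-scoped `vars:` on "Determine active users", so on a host where no account's targets intersect `skylab_targets` the set_fact never runs, the fact is never created, and every later `loop: "{{ _active_accounts }}"` in this hunk and in the @@ -119, @@ -136, @@ -148 and @@ -167 hunks fails with an undefined-variable error instead of iterating zero times. Because the user/group/home deletion block runs first and "Enforce root password" now sits last in the play (@@ -167), such a host aborts after deletions but before the root password is enforced. The `vars:` initialiser pattern has a second caveat: if the fact already exists on the host from an earlier play in the same run, set_fact's higher precedence makes the `[]` a no-op and the list accumulates duplicate entries. Seeding both lists with an explicit set_fact task before the two loops fixes both cases, and the `default(false)` guard on "Delete accounts" can stay as is. The enclosing play starts before this hunk.
```yaml
- name: Reset computed account lists
  ansible.builtin.set_fact:
    _active_accounts: []
    _deleted_accounts: []
# … unchanged: "Determine deleted skylab users" and "Determine active users" loops, with their vars: initialisers removed …
```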
@@ -167,31 +177,36 @@ group: "{{ item.name }}" state: directory mode: 0700 - loop: "{{ skylab_accounts }}" + loop: "{{ _active_accounts }}" loop_control: label: "{{ item.uid }},{{ item.name }}" - name: Update authorized keys become: true - when: item.targets | intersect(skylab_targets) ansible.builtin.authorized_key: user: "{{ item.name }}" key: "{{ skylab_ssh_keys[item.name] | join('\n') }}" state: present exclusive: true - loop: "{{ skylab_accounts }}" + loop: "{{ _active_accounts }}" loop_control: label: "{{ item.uid }},{{ item.name }}" - name: Enforce ownership of authorized keys become: true - when: item.targets | intersect(skylab_targets) ansible.builtin.file: path: /home/{{ item.name }}/.ssh/authorized_keys state: file owner: "{{ item.name }}" group: "{{ item.name }}" mode: 0400 - loop: "{{ skylab_accounts }}" + loop: "{{ _active_accounts }}" loop_control: label: "{{ item.uid }},{{ item.name }}" + + - name: Enforce root password + become: true + ansible.builtin.user: + name: root + password: "{{ skylab_root_password }}" + state: present
diff --git a/roles/swarm/tasks/configure.yaml b/roles/swarm/tasks/configure.yaml
index 3e63ce9..2861b31 100644
--- a/roles/swarm/tasks/configure.yaml
+++ b/roles/swarm/tasks/configure.yaml
@@ -39,7 +39,7 @@ - name: Add administrators to docker group become: true - when: item.admin | default(false) and 'cluster' in item.targets + when: item.admin | default(false) and 'cluster' in (item.targets | default([])) ansible.builtin.user: name: "{{ item.name }}" group: "{{ item.name }}"