Update access targets to be optional parameter
Add server role to iridium
		@@ -47,6 +47,7 @@
 | 
			
		||||
        state: present
 | 
			
		||||
        update_cache: true
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
- name: Update unix accounts
 | 
			
		||||
  hosts: linux
 | 
			
		||||
  tags:
 | 
			
		||||
@@ -75,38 +76,55 @@
 | 
			
		||||
        cmd: 'grep "{{ skylab_group.name }}:" /etc/group | cut --delimiter : --fields 4 | tr "," "\n"'
 | 
			
		||||
      register: _existing_skylab_accounts
 | 
			
		||||
 | 
			
		||||
    - name: Delete removed user accounts
 | 
			
		||||
      become: true
 | 
			
		||||
    - name: Determine deleted skylab users
 | 
			
		||||
      vars:
 | 
			
		||||
        _deleted_accounts: []
 | 
			
		||||
      when: item not in (skylab_accounts | items2dict(key_name='name', value_name='uid'))
 | 
			
		||||
      ansible.builtin.user:
 | 
			
		||||
        name: "{{ item }}"
 | 
			
		||||
        state: absent
 | 
			
		||||
      ansible.builtin.set_fact:
 | 
			
		||||
        _deleted_accounts: "{{ _deleted_accounts + [item] }}"
 | 
			
		||||
      loop: "{{ _existing_skylab_accounts.stdout_lines }}"
 | 
			
		||||
 | 
			
		||||
    - name: Delete removed user groups
 | 
			
		||||
      become: true
 | 
			
		||||
      when: item not in (skylab_accounts | items2dict(key_name='name', value_name='uid'))
 | 
			
		||||
      ansible.builtin.group:
 | 
			
		||||
        name: "{{ item }}"
 | 
			
		||||
        state: absent
 | 
			
		||||
      loop: "{{ _existing_skylab_accounts.stdout_lines }}"
 | 
			
		||||
    - name: Delete accounts
 | 
			
		||||
      when: _deleted_accounts | default(false)
 | 
			
		||||
      block:
 | 
			
		||||
        - name: Delete removed user accounts
 | 
			
		||||
          become: true
 | 
			
		||||
          ansible.builtin.user:
 | 
			
		||||
            name: "{{ item }}"
 | 
			
		||||
            state: absent
 | 
			
		||||
          loop: "{{ _deleted_accounts }}"
 | 
			
		||||
 | 
			
		||||
    - name: Delete removed user home directories
 | 
			
		||||
      become: true
 | 
			
		||||
      when: item not in (skylab_accounts | items2dict(key_name='name', value_name='uid'))
 | 
			
		||||
      ansible.builtin.file:
 | 
			
		||||
        path: "/home/{{ item }}"
 | 
			
		||||
        state: absent
 | 
			
		||||
      loop: "{{ _existing_skylab_accounts.stdout_lines }}"
 | 
			
		||||
        - name: Delete removed user groups
 | 
			
		||||
          become: true
 | 
			
		||||
          ansible.builtin.group:
 | 
			
		||||
            name: "{{ item }}"
 | 
			
		||||
            state: absent
 | 
			
		||||
          loop: "{{ _deleted_accounts }}"
 | 
			
		||||
 | 
			
		||||
        - name: Delete removed user home directories
 | 
			
		||||
          become: true
 | 
			
		||||
          ansible.builtin.file:
 | 
			
		||||
            path: "/home/{{ item }}"
 | 
			
		||||
            state: absent
 | 
			
		||||
          loop: "{{ _deleted_accounts }}"
 | 
			
		||||
 | 
			
		||||
    - name: Determine active users
 | 
			
		||||
      when: item.targets | default([]) | intersect(skylab_targets)
 | 
			
		||||
      vars:
 | 
			
		||||
        _active_accounts: []
 | 
			
		||||
      ansible.builtin.set_fact:
 | 
			
		||||
        _active_accounts: "{{ _active_accounts + [item] }}"
 | 
			
		||||
      loop: "{{ skylab_accounts }}"
 | 
			
		||||
      loop_control:
 | 
			
		||||
        label: "{{ item.uid }},{{ item.name }}"
 | 
			
		||||
 | 
			
		||||
    - name: Create account groups
 | 
			
		||||
      when: item.targets | intersect(skylab_targets)
 | 
			
		||||
      become: true
 | 
			
		||||
      ansible.builtin.group:
 | 
			
		||||
        name: "{{ item.name }}"
 | 
			
		||||
        gid: "{{ item.uid }}"
 | 
			
		||||
        state: present
 | 
			
		||||
      loop: "{{ skylab_accounts }}"
 | 
			
		||||
      loop: "{{ _active_accounts }}"
 | 
			
		||||
      loop_control:
 | 
			
		||||
        label: "{{ item.uid }},{{ item.name }}"
 | 
			
		||||
 | 
			
		||||
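Review bot: The membership test on the `Determine deleted skylab users` task, `when: item not in (skylab_accounts | items2dict(key_name='name', value_name='uid'))`, still compares the host's local group members against every entry in `skylab_accounts`, so an account whose `targets` no longer intersect this host's `skylab_targets` (or that has no `targets` at all, now that the key is optional) is neither created by the new `_active_accounts` loops nor removed, and keeps its login, home directory and authorized keys on that host. Running `Determine active users` ahead of the deletion tasks and checking against it, `when: item not in (_active_accounts | default([]) | map(attribute='name') | list)`, would tie removal to the same per-host decision the commit introduces for creation. Separately, `_active_accounts` appears to exist only when `set_fact` ran for at least one account, since the task-level `vars:` entry does not outlive its own task, so on a host with no matching account each `loop: "{{ _active_accounts }}"` (here, and in the hunks at @@ -119, @@ -136, @@ -148 and @@ -167) fails with an undefined variable; `loop: "{{ _active_accounts | default([]) }}"` mirrors the `default(false)` guard already used on `_deleted_accounts`.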
@@ -119,12 +137,11 @@
 | 
			
		||||
          skylab_group_admin.name if item.admin | default(false) else '',
 | 
			
		||||
          skylab_group_automation.name if item.service | default(false) else '',
 | 
			
		||||
        ]}) }}"
 | 
			
		||||
      loop: "{{ skylab_accounts }}"
 | 
			
		||||
      loop: "{{ _active_accounts }}"
 | 
			
		||||
      loop_control:
 | 
			
		||||
        label: "{{ item.uid }},{{ item.name }}"
 | 
			
		||||
 | 
			
		||||
    - name: Create accounts
 | 
			
		||||
      when: item.targets | intersect(skylab_targets)
 | 
			
		||||
      become: true
 | 
			
		||||
      ansible.builtin.user:
 | 
			
		||||
        name: "{{ item.name }}"
 | 
			
		||||
@@ -136,7 +153,7 @@
 | 
			
		||||
        system: "{{ item.service | default(false) }}"
 | 
			
		||||
        generate_ssh_key: false
 | 
			
		||||
        password: "{{ item.password }}"
 | 
			
		||||
      loop: "{{ skylab_accounts }}"
 | 
			
		||||
      loop: "{{ _active_accounts }}"
 | 
			
		||||
      loop_control:
 | 
			
		||||
        label: "{{ item.uid }},{{ item.name }}"
 | 
			
		||||
 | 
			
		||||
@@ -148,17 +165,10 @@
 | 
			
		||||
        group: "{{ item.name }}"
 | 
			
		||||
        owner: "{{ item.name }}"
 | 
			
		||||
        mode: 0700
 | 
			
		||||
      loop: "{{ skylab_accounts }}"
 | 
			
		||||
      loop: "{{ _active_accounts }}"
 | 
			
		||||
      loop_control:
 | 
			
		||||
        label: "{{ item.uid }},{{ item.name }}"
 | 
			
		||||
 | 
			
		||||
    - name: Enforce root password
 | 
			
		||||
      become: true
 | 
			
		||||
      ansible.builtin.user:
 | 
			
		||||
        name: root
 | 
			
		||||
        password: "{{ skylab_root_password }}"
 | 
			
		||||
        state: present
 | 
			
		||||
 | 
			
		||||
    - name: Create SSH directory
 | 
			
		||||
      become: true
 | 
			
		||||
      ansible.builtin.file:
 | 
			
		||||
@@ -167,31 +177,36 @@
 | 
			
		||||
        group: "{{ item.name }}"
 | 
			
		||||
        state: directory
 | 
			
		||||
        mode: 0700
 | 
			
		||||
      loop: "{{ skylab_accounts }}"
 | 
			
		||||
      loop: "{{ _active_accounts }}"
 | 
			
		||||
      loop_control:
 | 
			
		||||
        label: "{{ item.uid }},{{ item.name }}"
 | 
			
		||||
 | 
			
		||||
    - name: Update authorized keys
 | 
			
		||||
      become: true
 | 
			
		||||
      when: item.targets | intersect(skylab_targets)
 | 
			
		||||
      ansible.builtin.authorized_key:
 | 
			
		||||
        user: "{{ item.name }}"
 | 
			
		||||
        key: "{{ skylab_ssh_keys[item.name] | join('\n') }}"
 | 
			
		||||
        state: present
 | 
			
		||||
        exclusive: true
 | 
			
		||||
      loop: "{{ skylab_accounts }}"
 | 
			
		||||
      loop: "{{ _active_accounts }}"
 | 
			
		||||
      loop_control:
 | 
			
		||||
        label: "{{ item.uid }},{{ item.name }}"
 | 
			
		||||
 | 
			
		||||
    - name: Enforce ownership of authorized keys
 | 
			
		||||
      become: true
 | 
			
		||||
      when: item.targets | intersect(skylab_targets)
 | 
			
		||||
      ansible.builtin.file:
 | 
			
		||||
        path: /home/{{ item.name }}/.ssh/authorized_keys
 | 
			
		||||
        state: file
 | 
			
		||||
        owner: "{{ item.name }}"
 | 
			
		||||
        group: "{{ item.name }}"
 | 
			
		||||
        mode: 0400
 | 
			
		||||
      loop: "{{ skylab_accounts }}"
 | 
			
		||||
      loop: "{{ _active_accounts }}"
 | 
			
		||||
      loop_control:
 | 
			
		||||
        label: "{{ item.uid }},{{ item.name }}"
 | 
			
		||||
 | 
			
		||||
    - name: Enforce root password
 | 
			
		||||
      become: true
 | 
			
		||||
      ansible.builtin.user:
 | 
			
		||||
        name: root
 | 
			
		||||
        password: "{{ skylab_root_password }}"
 | 
			
		||||
        state: present
 | 
			
		||||
 
 | 
			
		||||
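Review bot: Moving `Enforce root password` behind `Update authorized keys` and `Enforce ownership of authorized keys` means any failure in those per-account tasks now also skips root password enforcement on that host, whereas before the move it ran ahead of them. The unchanged `key: "{{ skylab_ssh_keys[item.name] | join('\n') }}"` line is the likely trigger: an account that is active on this host but has no entry in `skylab_ssh_keys` seems to raise an undefined-variable error there, leaving the host failed with its root password unmanaged. Keeping the root task ahead of the per-account loops, or giving it its own play, keeps that guarantee independent of per-account data; the `_active_accounts` loop guard is raised on the @@ -75 hunk.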