ansible-ffibk/roles/users/tasks/main.yml

---
- name: ensure sudo is installed
  package:
    name: "sudo"
    state: present

- name: ensure system users are present
  user:
    name: "{{ item.name }}"
    comment: "{{ item.comment }}"
    shell: "{{ item.shell }}"
    home: "{{ item.home }}"
    generate_ssh_key: "{{ item.generate_ssh_key }}"
    ssh_key_type: "{{ item.ssh_key_type }}"
    state: "{{ item.state }}"
  loop: "{{ system_users }}"

- name: ensure ssh config directory is present
  file:
    path: "{{ item.home }}/.ssh"
    state: directory
    owner: "{{ item.name }}"
    group: "{{ item.name }}"
    mode: '0700'
  loop: "{{ system_users }}"

- name: configure ssh public keys
  template:
    src: "authorized_keys.j2"
    dest: "{{ item.home }}/.ssh/authorized_keys"
    owner: "{{ item.name }}"
    group: "{{ item.name }}"
    mode: '0600'
  loop: "{{ system_users }}"

- name: configure passwordless sudo access
  template:
    src: "sudoers.j2"
    dest: "/etc/sudoers.d/{{ item.name }}"
    owner: root
    group: root
    mode: '0440'
    validate: "/usr/sbin/visudo -cf %s"
  loop: "{{ system_users }}"

- name: remove admin lines from /etc/sudoers
  lineinfile:
    path: "/etc/sudoers"
    state: absent
    regexp: '^admin\s'
    validate: "/usr/sbin/visudo -cf %s"
Add role users 2018-02-28 06:03:28 +01:00			`---`
			`- name: ensure sudo is installed`
			`package:`
			`name: "sudo"`
			`state: present`

			`- name: ensure system users are present`
			`user:`
			`name: "{{ item.name }}"`
			`comment: "{{ item.comment }}"`
			`shell: "{{ item.shell }}"`
			`home: "{{ item.home }}"`
Move generation of ssh keys from role prerequisites to role users - let handle the user module this 2018-09-17 13:45:55 +02:00			`generate_ssh_key: "{{ item.generate_ssh_key }}"`
Introduce Kumpir, our new www server, add wordpress role (#26) * Introduce Kumpir, our new www server, add wordpress role * move kumpir to services group, use safer distinction for ssl_cert location, reduce www playbook * set server type to services * fix typo * rename service-wordpress to service-nginx-wordpress * Add service-nginx-etherpad role * Add ed25519 keypair for system_users when supported. * Revert "Add ed25519 keypair for system_users when supported." This reverts commit ffef991ca41185d19953b96439e80b1b9a6ba534. * Change generated keys format to ed25519 * fix indention of nginx templates, reduce amount of needed tasks by adding extra_opts to unarchive, remove not needed mysql db tasks, make new acme_server default * Change new default preference for acme servers, marking acme_server zuckerwatte deprecated soon. 2019-09-26 22:13:13 +02:00			`ssh_key_type: "{{ item.ssh_key_type }}"`
Add role users 2018-02-28 06:03:28 +01:00			`state: "{{ item.state }}"`
Migrate all with_* loops to new loop directive 2018-09-16 12:38:33 +02:00			`loop: "{{ system_users }}"`
Add role users 2018-02-28 06:03:28 +01:00
			`- name: ensure ssh config directory is present`
			`file:`
			`path: "{{ item.home }}/.ssh"`
			`state: directory`
			`owner: "{{ item.name }}"`
			`group: "{{ item.name }}"`
			`mode: '0700'`
Migrate all with_* loops to new loop directive 2018-09-16 12:38:33 +02:00			`loop: "{{ system_users }}"`
Add role users 2018-02-28 06:03:28 +01:00
			`- name: configure ssh public keys`
			`template:`
			`src: "authorized_keys.j2"`
			`dest: "{{ item.home }}/.ssh/authorized_keys"`
			`owner: "{{ item.name }}"`
			`group: "{{ item.name }}"`
			`mode: '0600'`
Migrate all with_* loops to new loop directive 2018-09-16 12:38:33 +02:00			`loop: "{{ system_users }}"`
Add role users 2018-02-28 06:03:28 +01:00
			`- name: configure passwordless sudo access`
			`template:`
			`src: "sudoers.j2"`
			`dest: "/etc/sudoers.d/{{ item.name }}"`
			`owner: root`
			`group: root`
			`mode: '0440'`
			`validate: "/usr/sbin/visudo -cf %s"`
Migrate all with_* loops to new loop directive 2018-09-16 12:38:33 +02:00			`loop: "{{ system_users }}"`
Add role users 2018-02-28 06:03:28 +01:00
			`- name: remove admin lines from /etc/sudoers`
			`lineinfile:`
			`path: "/etc/sudoers"`
			`state: absent`
			`regexp: '^admin\s'`
			`validate: "/usr/sbin/visudo -cf %s"`