97 lines
2.4 KiB
YAML
97 lines
2.4 KiB
YAML
---
|
|
|
|
# Configure groups and users
|
|
# ==========================
|
|
|
|
- name: Ensure system security groups exists
|
|
ansible.builtin.group:
|
|
name: "{{ item }}"
|
|
state: present
|
|
system: true
|
|
loop:
|
|
- wheel
|
|
- sudo
|
|
|
|
- name: Create users
|
|
user:
|
|
name: "{{ item.name }}"
|
|
append: true
|
|
groups: "{{ item.groups | default([]) }}"
|
|
state: "{{ item.state | default('present') }}"
|
|
shell: "{{ item.shell | default('/bin/bash') }}"
|
|
system: "{{ item.system | default(False) }}"
|
|
comment: "{{ item.comment | default(omit) }}"
|
|
createhome: true
|
|
home: "{{ item.home | default('/home/' + item.name ) }}"
|
|
uid: "{{ item.uid | default(omit) }}"
|
|
loop: "{{ system_accounts }}"
|
|
|
|
- name: Deploy all ssh keys
|
|
ansible.posix.authorized_key:
|
|
user: "{{ user_name }}"
|
|
state: "{{ sshkey_state }}"
|
|
key: "{{ sshkey }}"
|
|
follow: true
|
|
path: "{{ home_dir }}/.ssh/authorized_keys"
|
|
loop: "{{ system_accounts|selectattr('sshkeys', 'defined') | subelements('sshkeys') }}"
|
|
vars:
|
|
user_name: "{{ item.0.name }}"
|
|
home_dir: "{{ item.0.home | default('/home/' + item.0.name ) }}"
|
|
sshkey_state: "{{ item.0.sshkey_state | default('present') }}"
|
|
sshkey: "{{ item.1 }}"
|
|
|
|
|
|
# Configure package manager
|
|
# ==========================
|
|
|
|
- name: Configure APT preferences
|
|
copy:
|
|
dest: "/etc/apt/apt.conf.d/{{ item.name }}"
|
|
content: "{{ item.content }}"
|
|
loop:
|
|
- name: 01-norecommend
|
|
content: |
|
|
APT::Install-Recommends "{{ system_packages_norecommend | bool | ternary(0, 1) }}";
|
|
- name: 02-suggest
|
|
content: |
|
|
APT::Install-Suggests "{{ system_packages_nosuggest | bool | ternary(0, 1) }}";
|
|
|
|
- name: Install base tools
|
|
package:
|
|
name: "{{ system_packages }}"
|
|
ignore_errors: "{{ ansible_check_mode }}"
|
|
|
|
|
|
# Configure sudo
|
|
# ==============
|
|
|
|
- name: Prepare sudo config for wheel group
|
|
copy:
|
|
dest: "/etc/sudoers.d/wheel"
|
|
mode: "0440"
|
|
content: |
|
|
Defaults:%wheel !requiretty
|
|
%wheel ALL=(ALL) NOPASSWD: ALL
|
|
|
|
- name: Add managed users to sudo with password
|
|
user:
|
|
name: "{{ item.name }}"
|
|
append: true
|
|
groups:
|
|
- sudo
|
|
with_items: "{{ system_accounts }}"
|
|
when: "'sudo' in perm"
|
|
vars:
|
|
perm: "{{ item.permissions | default([]) }}"
|
|
|
|
- name: Add managed users to sudo without password
|
|
user:
|
|
name: "{{ system_accounts[0].name }}"
|
|
append: true
|
|
groups:
|
|
- wheel
|
|
when: "'sudo_nopass' in perm"
|
|
vars:
|
|
perm: "{{ item.permissions | default([]) }}"
|
|
|