129 lines
3.5 KiB
YAML
129 lines
3.5 KiB
YAML
---
|
|
|
|
- name: Display os_base role
|
|
ansible.builtin.debug:
|
|
var: role_config
|
|
verbosity: 1
|
|
vars:
|
|
role_config:
|
|
system_accounts: "{{ system_accounts }}"
|
|
system_packages: "{{ system_packages }}"
|
|
tasks:
|
|
- Ensure system security groups are present
|
|
- Create system users from system_accounts
|
|
- Ensure ssh keys are correctly deployed
|
|
- Configure APT preferences in minimal mode
|
|
- Install base packages
|
|
- Configure sudo, add wheel group, allow passwordless
|
|
tags:
|
|
- config_show
|
|
|
|
|
|
# Configure groups and users
|
|
# ==========================
|
|
|
|
- name: Ensure system security groups exists
|
|
ansible.builtin.group:
|
|
name: "{{ item }}"
|
|
state: present
|
|
system: true
|
|
loop:
|
|
- wheel
|
|
- sudo
|
|
loop_control:
|
|
label: "Install package: {{ item }}"
|
|
|
|
- name: Create users
|
|
user:
|
|
name: "{{ item.name }}"
|
|
append: true
|
|
groups: "{{ item.groups | default([]) }}"
|
|
state: "{{ item.state | default('present') }}"
|
|
shell: "{{ item.shell | default('/bin/bash') }}"
|
|
system: "{{ _system }}"
|
|
comment: "{{ item.comment | default(omit) }}"
|
|
createhome: true
|
|
home: "{{ item.home | default('/home/' + item.name ) }}"
|
|
uid: "{{ item.uid | default(omit) }}"
|
|
loop: "{{ system_accounts }}"
|
|
loop_control:
|
|
label: "Create {{ _system | ternary('system', 'regular') }} user: {{ item.name }} ({{ item.uid }}, {{item.comment|d('No comments')}}"
|
|
vars:
|
|
_system: "{{ item.system | default(False) }}"
|
|
|
|
- name: Deploy all ssh keys
|
|
ansible.posix.authorized_key:
|
|
user: "{{ _user_name }}"
|
|
state: "{{ _sshkey_state }}"
|
|
key: "{{ _sshkey }}"
|
|
follow: true
|
|
path: "{{ _home_dir }}/.ssh/authorized_keys"
|
|
loop: "{{ system_accounts|selectattr('sshkeys', 'defined') | subelements('sshkeys') }}"
|
|
loop_control:
|
|
label: "Deploy '{{ _user_name }}' public key: {{ _sshkey_comment }}"
|
|
vars:
|
|
_user_name: "{{ item.0.name }}"
|
|
_home_dir: "{{ item.0.home | default('/home/' + item.0.name ) }}"
|
|
_sshkey_state: "{{ item.0.sshkey_state | default('present') }}"
|
|
_sshkey: "{{ item.1 }}"
|
|
_sshkey_comment: "{{ _sshkey | split(' ') | last }}"
|
|
|
|
|
|
# Configure package manager
|
|
# ==========================
|
|
|
|
- name: Configure APT preferences
|
|
copy:
|
|
dest: "/etc/apt/apt.conf.d/{{ item.name }}"
|
|
content: "{{ item.content }}"
|
|
loop:
|
|
- name: 01-norecommend
|
|
content: |
|
|
APT::Install-Recommends "{{ system_packages_norecommend | bool | ternary(0, 1) }}";
|
|
- name: 02-suggest
|
|
content: |
|
|
APT::Install-Suggests "{{ system_packages_nosuggest | bool | ternary(0, 1) }}";
|
|
loop_control:
|
|
label: "Ensure APT preference: {{ item.content }}"
|
|
|
|
- name: Install base tools
|
|
package:
|
|
name: "{{ system_packages }}"
|
|
ignore_errors: "{{ ansible_check_mode }}"
|
|
|
|
|
|
# Configure sudo
|
|
# ==============
|
|
|
|
- name: Prepare sudo config for wheel group
|
|
copy:
|
|
dest: "/etc/sudoers.d/wheel"
|
|
mode: "0440"
|
|
content: |
|
|
Defaults:%wheel !requiretty
|
|
%wheel ALL=(ALL) NOPASSWD: ALL
|
|
|
|
- name: Add managed users to sudo with password
|
|
user:
|
|
name: "{{ item.name }}"
|
|
append: true
|
|
groups:
|
|
- sudo
|
|
with_items: "{{ system_accounts }}"
|
|
loop_control:
|
|
label: "Add user to sudo group: {{ item.name }}"
|
|
when: "'sudo' in perm"
|
|
vars:
|
|
perm: "{{ item.permissions | default([]) }}"
|
|
|
|
- name: Add managed users to sudo without password
|
|
user:
|
|
name: "{{ system_accounts[0].name }}"
|
|
append: true
|
|
groups:
|
|
- wheel
|
|
when: "'sudo_nopass' in perm"
|
|
vars:
|
|
perm: "{{ item.permissions | default([]) }}"
|
|
|