---
# ---
# - default user/groups
# ---

# One group per default_user entry that carries an explicit group_id;
# entries without a group_id are skipped by the `when` below.
- name: (users.yml) Ensure default groups exists
  group:
    name: "{{ item.name }}"
    state: present
    gid: "{{ item.group_id | d(omit) }}"
  loop: "{{ default_user }}"
  loop_control:
    label: "{{ item.name }}"
  when: item.group_id is defined
  tags:
    - groups-exists

# One account per default_user entry. `password` is required per entry
# and must already be the hashed value the user module expects; with
# update_password: on_create a later run never rewrites the password of
# an account that already exists.
- name: (users.yml) Ensure default users exists
  user:
    name: "{{ item.name }}"
    state: present
    uid: "{{ item.user_id | d(omit) }}"
    # primary group comes from the entry's `group` field (not its name)
    group: "{{ item.group | d(omit) }}"
    home: "{{ item.home | d(omit) }}"
    shell: "{{ item.shell | default('/bin/bash') }}"
    password: "{{ item.password }}"
    update_password: on_create
  loop: "{{ default_user }}"
  loop_control:
    label: "{{ item.name }}"
  tags:
    - users-exists

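# One authorized_key entry per (user, key) pair from each entry's
# ssh_keys list. skip_missing lets entries without an ssh_keys key
# through instead of aborting the whole loop on the first such entry.
- name: (users.yml) Ensure authorized_key files for default users are present
  authorized_key:
    user: "{{ item.0.name }}"
    key: "{{ item.1 }}"
    state: present
  with_subelements:
    - "{{ default_user }}"
    - ssh_keys
    - skip_missing: true
  loop_control:
    label: "{{ item.0.name }}"
  tags:
    - authorized_key
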
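# ---
# - extra user/groups
# ---

# Every extra_user entry gets a same-named group (gid optional); the
# extra-user task below uses it as primary group. `loop` is templated
# before `when`, so an undefined extra_user would abort the task before
# the guard is evaluated — default([]) turns that into a no-op.
- name: (users.yml) Ensure extra groups exists
  group:
    name: "{{ item.name }}"
    state: present
    gid: "{{ item.group_id | default(omit) }}"
  loop: "{{ extra_user | default([]) }}"
  loop_control:
    label: "{{ item.name }}"
  when:
    - extra_user is defined and extra_user|length > 0
  tags:
    - groups-exists
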
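# One account per extra_user entry. `password` is required per entry
# and must already be the hashed value the user module expects; with
# update_password: on_create it is only applied when the account is
# created. default([]) on the loop keeps an unset extra_user from
# aborting the task before `when` runs.
- name: (users.yml) Ensure extra users exists
  user:
    name: "{{ item.name }}"
    state: present
    uid: "{{ item.user_id | default(omit) }}"
    # primary group is the same-named group created by the task above
    group: "{{ item.name | default(omit) }}"
    home: "{{ item.home | default(omit) }}"
    shell: "{{ item.shell | d('/bin/bash') }}"
    password: "{{ item.password }}"
    update_password: on_create
  loop: "{{ extra_user | default([]) }}"
  loop_control:
    label: "{{ item.name }}"
  when: extra_user is defined and extra_user|length > 0
  tags:
    - users-exists
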
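# One authorized_key entry per (user, key) pair from each extra_user
# entry's ssh_keys list. default([]) keeps an unset extra_user from
# aborting the loop; skip_missing skips entries that have no ssh_keys
# key instead of failing the task.
- name: (users.yml) Ensure authorized_key files for extra users are present
  authorized_key:
    user: "{{ item.0.name }}"
    key: "{{ item.1 }}"
    state: present
  with_subelements:
    - "{{ extra_user | default([]) }}"
    - ssh_keys
    - skip_missing: true
  loop_control:
    label: "{{ item.0.name }}"
  when: extra_user is defined and extra_user|length > 0
  tags:
    - authorized_key
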
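# Free-form (user, key) pairs that are not tied to a user definition.
# default([]) keeps the task a no-op when the variable is unset, since
# `loop` is templated before `when` and an undefined variable there
# aborts the task.
- name: (users.yml) other entries authorized_key files
  authorized_key:
    user: "{{ item.user }}"
    key: "{{ item.key }}"
    state: present
  loop: "{{ entries_authorized_key | default([]) }}"
  loop_control:
    label: "{{ item.user }}"
  when:
    - entries_authorized_key is defined
    - entries_authorized_key|length > 0
  # tagged like the other authorized_key tasks so that
  # `--tags authorized_key` covers this one as well
  tags:
    - authorized_key
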
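# ---
# - extra system groups
# ---

# create_sftp_group is used as a numeric flag: any value above 0
# creates the group. `system: true` (not the YAML 1.1 `yes`) marks it a
# system group.
- name: (users.yml) Extra system group sftp_users
  group:
    name: sftp_users
    state: present
    system: true
  when:
    - create_sftp_group is defined and create_sftp_group > 0
  tags:
    - groups-exists
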
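# ---
# - extra system user
# ---

# System accounts from extra_system_user. `home` is required per entry
# (no default); the shell defaults to nologin so the account cannot be
# used interactively. default([]) on the loop keeps an unset variable
# from aborting the task before `when` runs.
- name: (users.yml) extra system user exists?
  user:
    name: "{{ item.name }}"
    state: present
    system: true
    home: "{{ item.home }}"
    shell: "{{ item.shell | d('/usr/sbin/nologin') }}"
    groups: "{{ item.groups | default(omit) }}"
  loop: "{{ extra_system_user | default([]) }}"
  loop_control:
    label: "{{ item.name }}"
  when: extra_system_user is defined and extra_system_user|length > 0
  # NOTE: tag is `user-exists`, unlike the `users-exists` tag of the
  # tasks above; kept as is so existing --tags invocations still match
  tags:
    - user-exists
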
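# ---
# - Take care backup host has rsa key to connect via ssh to the other hosts
# ---

# Private key material: keep each priv_key_src vault-encrypted in the
# repository (copy decrypts vault-encrypted sources on its own) and
# keep the 0600/root:root permissions on the target. default(false) on
# the flag and default([]) on the loop make unset variables a no-op
# instead of an undefined-variable error.
- name: (users.yml) Copy ssh rsa private key to user root on backup server
  copy:
    src: "{{ item.priv_key_src }}"
    dest: "{{ item.priv_key_dest }}"
    owner: root
    group: root
    mode: "0600"
  loop: "{{ ssh_keypair_backup_server | default([]) }}"
  loop_control:
    label: "{{ item.priv_key_dest }}"
  when:
    - insert_ssh_keypair_backup_server | default(false) | bool
    - ssh_keypair_backup_server is defined
    - ssh_keypair_backup_server|length > 0
  tags:
    - insert-ssh-keypair-backup-server
    - keypair-backup-server
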
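# Public half of the pair above; world-readable is fine here. Same
# guards as the private-key task so the two stay in lockstep.
- name: (users.yml) Copy ssh rsa public key to user root on backup server
  copy:
    src: "{{ item.pub_key_src }}"
    dest: "{{ item.pub_key_dest }}"
    owner: root
    group: root
    mode: "0644"
  loop: "{{ ssh_keypair_backup_server | default([]) }}"
  loop_control:
    label: "{{ item.pub_key_dest }}"
  when:
    - insert_ssh_keypair_backup_server | default(false) | bool
    - ssh_keypair_backup_server is defined
    - ssh_keypair_backup_server|length > 0
  tags:
    - insert-ssh-keypair-backup-server
    - keypair-backup-server
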
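# Authorises the backup server's public key for item.backup_user on
# this host. The key is read from pub_key_src on the controller via
# lookup('file'), so only the public half ever leaves the controller.
# NOTE(review): unlike the two copy tasks this is not gated on
# insert_ssh_keypair_backup_server — presumably deliberate, confirm.
- name: (users.yml) Ensure user back has public rsa key of backup server
  authorized_key:
    user: "{{ item.backup_user }}"
    key: "{{ lookup('file', item.pub_key_src) }}"
    state: present
  loop: "{{ ssh_keypair_backup_server | default([]) }}"
  loop_control:
    label: "authorized_keys - user: {{ item.backup_user }}"
  when:
    - ssh_keypair_backup_server is defined
    - ssh_keypair_backup_server|length > 0
  tags:
    - authorized_key
    - keypair-backup-server
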
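# ---
# - Allow connection via ssh to backup host
# ---

# sshd (StrictModes) refuses keys under a group- or world-writable
# ~/.ssh, so pin ownership and 0700 instead of relying on the remote
# umask when the directory is created.
- name: (users.yml) Ensure root's .ssh directory exists
  file:
    path: /root/.ssh
    state: directory
    owner: root
    group: root
    mode: "0700"
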
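# Private key the backup client uses to reach the backup host. Keep
# priv_key_src vault-encrypted in the repository and 0600/root:root on
# the target. default(false)/default([]) turn unset variables into a
# no-op instead of an undefined-variable error.
- name: (users.yml) Copy (backup) ed25519 ssh private key to user root
  copy:
    src: "{{ item.priv_key_src }}"
    dest: "{{ item.priv_key_dest }}"
    owner: root
    group: root
    mode: "0600"
  when:
    - insert_keypair_backup_client | default(false) | bool
    - ssh_keypair_backup_client is defined
    - ssh_keypair_backup_client|length > 0
  loop: "{{ ssh_keypair_backup_client | default([]) }}"
  loop_control:
    label: "dest: {{ item.priv_key_dest }}"
  # NOTE: tag name refers to the backup *server* tasks although this
  # is the client side; kept as is so existing --tags invocations match
  tags:
    - insert_ssh_keypair_backup_server
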
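# Public half of the client pair above; same guards as the private-key
# task so the two stay in lockstep.
- name: (users.yml) Copy (backup) ed25519 ssh public key to user root
  copy:
    src: "{{ item.pub_key_src }}"
    dest: "{{ item.pub_key_dest }}"
    owner: root
    group: root
    mode: "0644"
  when:
    - insert_keypair_backup_client | default(false) | bool
    - ssh_keypair_backup_client is defined
    - ssh_keypair_backup_client|length > 0
  loop: "{{ ssh_keypair_backup_client | default([]) }}"
  loop_control:
    label: "dest: {{ item.pub_key_dest }}"
  # NOTE: tag name refers to the backup *server* tasks although this
  # is the client side; kept as is so existing --tags invocations match
  tags:
    - insert_ssh_keypair_backup_server
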
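# Authorises each client's public key for root, but only on the host
# named in item.target (every entry needs a `target`; the comparison
# fails on an entry without one). The key is read from pub_key_src on
# the controller, so only the public half is used here. default([])
# on the loop keeps an unset variable from aborting the task.
- name: (users.yml) Ensure authorized_key (root) on backup hosts contains public key
  authorized_key:
    user: root
    key: "{{ lookup('file', item.pub_key_src) }}"
    state: present
  loop: "{{ ssh_keypair_backup_client | default([]) }}"
  loop_control:
    label: "authorized_keys - user: root"
  when:
    - inventory_hostname == item.target
    - ssh_keypair_backup_client is defined
    - ssh_keypair_backup_client|length > 0
  tags:
    - authorized_key
    - ssh-keypair-backup-server
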
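# Additional private keys for root. Keep each priv_key_src
# vault-encrypted in the repository and 0600/root:root on the target.
# default(false)/default([]) turn unset variables into a no-op instead
# of an undefined-variable error.
- name: (users.yml) Copy further ssh private key(s) to user root
  copy:
    src: "{{ item.priv_key_src }}"
    dest: "{{ item.priv_key_dest }}"
    owner: root
    group: root
    mode: "0600"
  loop: "{{ root_ssh_keypair | default([]) }}"
  loop_control:
    label: "dest: {{ item.priv_key_dest }}"
  when:
    - insert_root_ssh_keypair | default(false) | bool
    - root_ssh_keypair is defined
    - root_ssh_keypair|length > 0
  # the misspelt `root-defaut-ssh-keypair` tag is kept for existing
  # --tags invocations; the correctly spelt one is offered alongside
  tags:
    - insert_root_ssh_keypair
    - root-defaut-ssh-keypair
    - root-default-ssh-keypair
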
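# Public halves of the extra root keys above; same guards as the
# private-key task so the two stay in lockstep.
- name: (users.yml) Copy further ssh public key(s) to user root
  copy:
    src: "{{ item.pub_key_src }}"
    dest: "{{ item.pub_key_dest }}"
    owner: root
    group: root
    mode: "0644"
  loop: "{{ root_ssh_keypair | default([]) }}"
  loop_control:
    label: "dest: {{ item.pub_key_dest }}"
  when:
    - insert_root_ssh_keypair | default(false) | bool
    - root_ssh_keypair is defined
    - root_ssh_keypair|length > 0
  # the misspelt `root-defaut-ssh-keypair` tag is kept for existing
  # --tags invocations; the correctly spelt one is offered alongside
  tags:
    - insert_root_ssh_keypair
    - root-defaut-ssh-keypair
    - root-default-ssh-keypair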