WIP

8 months ago · f035a3bed7
commit f035a3bed7
8 changed files with 102 additions and 0 deletions
--- a/15
+++ b/15
@ -0,0 +1,15 @@
+autonomic.expire-users: expire system user accounts
+Copyright (C) 2022  Autonomic Co-operative <helo@autonomic.zone>
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.
--- a/README.md
+++ b/README.md
@ -0,0 +1,3 @@
+# autonomic.expire-users
+
+[![Build Status](https://drone.autonomic.zone/api/badges/autonomic-cooperative/autonomic.expire-users/status.svg?ref=refs/heads/main)](https://drone.autonomic.zone/autonomic-cooperative/autonomic.expire-users)
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -0,0 +1,6 @@
+---
+- name: Restart SSH
+  become: true
+  service:
+    name: ssh
+    state: restarted
--- a/meta/.galaxy_install_info
+++ b/meta/.galaxy_install_info
@ -0,0 +1,2 @@
+install_date: Fri Jun 17 11:35:23 2022
+version: 0.1.1
--- a/meta/main.yml
+++ b/meta/main.yml
@ -0,0 +1,14 @@
+---
+dependencies: []
+galaxy_info:
+  role_name: expire
+  namespace: autonomic
+  author: autonomic
+  description: Disable (not remove) system user accounts)
+  company: Autonomic
+  license: GPLv3
+  min_ansible_version: 2.9
+  platforms:
+    - name: Debian
+      versions:
+        - buster
--- a/requirements.txt
+++ b/requirements.txt
@ -0,0 +1,4 @@
+ansible-lint==6.0.0
+ansible==5.4.0
+molecule-hetznercloud==1.3.0
+molecule==3.6.1
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,18 @@
+---
+- name: Ensure mandatory variables are configured
+  assert:
+    that: "{{ item }} is defined"
+    fail_msg: "You must define the '{{ item }}' variable"
+  with_items:
+    - add_users_user_accounts
+
+- name: Include resource variables
+  include_vars: "{{ add_users_user_accounts }}"
+  tags:
+    # Note(d1): we already load in converge.yml so skip here
+    - molecule-notest
+
+# Note(d1): Done in this way because https://stackoverflow.com/a/39041069
+- name: Include user addition tasks
+  include: users.yml user={{ item }}
+  with_items: "{{ members }}"
--- a/tasks/users.yml
+++ b/tasks/users.yml
@ -0,0 +1,40 @@
+---
+- name: "Expire an existing user account"
+  block:
+    - name: Show which user account is being handled
+      debug:
+        msg: "Attempting to expire account for {{ user.username }}..."
+
+    - name: Check if the user accounts already exists
+      getent:
+        database: passwd
+        key: "{{ user.username }}"
+      register: user_exists
+      ignore_errors: true
+
+
+    - name: Expire the account and blank the password
+      user:
+        name: "{{ user.username }}"
+        expires: 0
+        password: '!'
+      when: user_exists is succeeded
+
+    - name: Remove user's .ssh/authorized_keys file
+      file:
+        path: "/home/{{ user.username }}/.ssh/authorized_keys"
+        state: absent
+
+    - name: Remove password store entry
+       become: false
+       delegate_to: localhost
+       command: "pass rm -r users/{{ user.username }}/sudo/ {{ item.email }}"
+       when: user_exists is succeeded
+
+          #TODO:    - name: "Remove username from the SSH AllowUsers configuration"
+          #      replace:
+          #        backup: true
+          #        dest: /etc/ssh/sshd_config
+          #        regexp: '^(AllowUsers(?!.*\b{{ user.username }}\b).*)$' # this is copied from autonomic.add-users, not correct
+          #        replace: '\1 {{ user.username }}' # this is also in need of change
+          #      notify: Restart SSH