From f035a3bed7654810fa5f2fe91787172e3b79e628 Mon Sep 17 00:00:00 2001
From: knoflook
Date: Fri, 17 Jun 2022 14:20:51 +0200
Subject: [PATCH] WIP
---
 LICENSE | 15 +++++++++++++++
 README.md | 3 +++
 handlers/main.yml | 6 ++++++
 meta/.galaxy_install_info | 2 ++
 meta/main.yml | 14 ++++++++++++++
 requirements.txt | 4 ++++
 tasks/main.yml | 18 ++++++++++++++++++
 tasks/users.yml | 40 +++++++++++++++++++++++++++++++++++++++
 8 files changed, 102 insertions(+)
 create mode 100644 LICENSE
 create mode 100644 README.md
 create mode 100644 handlers/main.yml
 create mode 100644 meta/.galaxy_install_info
 create mode 100644 meta/main.yml
 create mode 100644 requirements.txt
 create mode 100644 tasks/main.yml
 create mode 100644 tasks/users.yml
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..8af077f
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,15 @@
+autonomic.expire-users: expire system user accounts
+Copyright (C) 2022 Autonomic Co-operative
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see .
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e08e5f7
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# autonomic.expire-users
+
+[![Build Status](https://drone.autonomic.zone/api/badges/autonomic-cooperative/autonomic.expire-users/status.svg?ref=refs/heads/main)](https://drone.autonomic.zone/autonomic-cooperative/autonomic.expire-users)
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..1135e07
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart SSH
+ become: true
+ service:
+ name: ssh
+ state: restarted
diff --git a/meta/.galaxy_install_info b/meta/.galaxy_install_info
new file mode 100644
index 0000000..9660396
--- /dev/null
+++ b/meta/.galaxy_install_info
@@ -0,0 +1,2 @@
+install_date: Fri Jun 17 11:35:23 2022
+version: 0.1.1
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..e956827
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,14 @@
+---
+dependencies: []
+galaxy_info:
+ role_name: expire
+ namespace: autonomic
+ author: autonomic
+ description: Disable (not remove) system user accounts)
+ company: Autonomic
+ license: GPLv3
+ min_ansible_version: 2.9
+ platforms:
+ - name: Debian
+ versions:
+ - buster
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..7d6c96a
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,4 @@
+ansible-lint==6.0.0
+ansible==5.4.0
+molecule-hetznercloud==1.3.0
+molecule==3.6.1
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..c21b730
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+- name: Ensure mandatory variables are configured
+ assert:
+ that: "{{ item }} is defined"
+ fail_msg: "You must define the '{{ item }}' variable"
+ with_items:
+ - add_users_user_accounts
+
+- name: Include resource variables
+ include_vars: "{{ add_users_user_accounts }}"
+ tags:
+ # Note(d1): we already load in converge.yml so skip here
+ - molecule-notest
+
+# Note(d1): Done in this way because https://stackoverflow.com/a/39041069
+- name: Include user addition tasks
+ include: users.yml user={{ item }}
+ with_items: "{{ members }}"
diff --git a/tasks/users.yml b/tasks/users.yml
new file mode 100644
index 0000000..cbb4f5c
--- /dev/null
+++ b/tasks/users.yml
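Review bot: `min_ansible_version: 2.9` in meta/main.yml is an unquoted float, so a YAML 1.1 loader reads it as the number 2.9 rather than a version string, and a later bump to 2.10 would silently collapse to 2.1; quote it as `min_ansible_version: "2.9"`. The description on the line above also carries a stray closing parenthesis, `description: Disable (not remove) system user accounts`. The platform list is indented as a sequence under `platforms:` while `dependencies: []` sits flush; keep one sequence-indent style file-wide.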
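Review bot: The last task in tasks/main.yml uses the legacy `include` with an inline `user={{ item }}` argument, which is deprecated and not needed on the declared minimum Ansible version of 2.9; `include_tasks: users.yml` with `vars: { user: "{{ item }}" }` and `loop: "{{ members }}"` passes the per-member dict without key=value string parsing and makes the stackoverflow note unnecessary. The task name `Include user addition tasks` and the asserted variable `add_users_user_accounts` read as leftovers from an add-users role, while this role expires accounts; renaming them keeps play output honest about what runs. `members` is never asserted as defined, so a vars file without that key only fails at the loop rather than at the mandatory-variable check — presumably it is populated by the included vars file, but that is not visible here.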
@@ -0,0 +1,40 @@
+---
+- name: "Expire an existing user account"
+ block:
+ - name: Show which user account is being handled
+ debug:
+ msg: "Attempting to expire account for {{ user.username }}..."
+
+ - name: Check if the user accounts already exists
+ getent:
+ database: passwd
+ key: "{{ user.username }}"
+ register: user_exists
+ ignore_errors: true
+
+
+ - name: Expire the account and blank the password
+ user:
+ name: "{{ user.username }}"
+ expires: 0
+ password: '!'
+ when: user_exists is succeeded
+
+ - name: Remove user's .ssh/authorized_keys file
+ file:
+ path: "/home/{{ user.username }}/.ssh/authorized_keys"
+ state: absent
+
+ - name: Remove password store entry
+ become: false
+ delegate_to: localhost
+ command: "pass rm -r users/{{ user.username }}/sudo/ {{ item.email }}"
+ when: user_exists is succeeded
+
+ #TODO: - name: "Remove username from the SSH AllowUsers configuration"
+ # replace:
+ # backup: true
+ # dest: /etc/ssh/sshd_config
+ # regexp: '^(AllowUsers(?!.*\b{{ user.username }}\b).*)$' # this is copied from autonomic.add-users, not correct
+ # replace: '\1 {{ user.username }}' # this is also in need of change
+ # notify: Restart SSH
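Review bot: The `Remove password store entry` task references `{{ item.email }}` while every other task in tasks/users.yml reads the `user` variable that main.yml passes in, and `pass rm -r` takes a single pass-name, so the trailing email becomes an extra argument; the line should be `command: "pass rm -r users/{{ user.username }}/sudo/"` unless the email is part of the store path, in which case it belongs inside that path. The `Remove user's .ssh/authorized_keys file` task hard-codes `/home/{{ user.username }}` and is the only task not guarded by `when: user_exists is succeeded`, so an account with a non-default home directory keeps its key; the registered getent result already carries the real home directory (`getent_passwd[user.username][4]` in the facts it sets), which could replace the `/home/` prefix. Until the commented-out AllowUsers step is finished, the expired username also stays in sshd_config; the `#TODO` comment already says the copied regexp is wrong, so it is worth stating in that comment that the intended change is removal from the list, not addition, so the next editor does not reuse the add-users pattern.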