WIP
This commit is contained in:
commit
f035a3bed7
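--- a/LICENSE
+++ b/LICENSE
@@ -0,0 +1,15 @@
+autonomic.expire-users: expire system user accounts
+Copyright (C) 2022 Autonomic Co-operative <helo@autonomic.zone>
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see <https://www.gnu.org/licenses/>.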
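--- a/README.md
+++ b/README.md
@@ -0,0 +1,3 @@
+# autonomic.expire-users
+
+[![Build Status](https://drone.autonomic.zone/api/badges/autonomic-cooperative/autonomic.expire-users/status.svg?ref=refs/heads/main)](https://drone.autonomic.zone/autonomic-cooperative/autonomic.expire-users)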
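--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart SSH
+  become: true
+  service:
+    name: ssh
+    state: restarted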
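--- a/meta/.galaxy_install_info
+++ b/meta/.galaxy_install_info
@@ -0,0 +1,2 @@
+install_date: Fri Jun 17 11:35:23 2022
+version: 0.1.1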
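--- a/meta/main.yml
+++ b/meta/main.yml
@@ -0,0 +1,14 @@
+---
+dependencies: []
+galaxy_info:
+  role_name: expire
+  namespace: autonomic
+  author: autonomic
+  description: Disable (not remove) system user accounts)
+  company: Autonomic
+  license: GPLv3
+  min_ansible_version: 2.9
+  platforms:
+    - name: Debian
+      versions:
+        - buster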
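--- a/requirements.txt
+++ b/requirements.txt
@@ -0,0 +1,4 @@
+ansible-lint==6.0.0
+ansible==5.4.0
+molecule-hetznercloud==1.3.0
+molecule==3.6.1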
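--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+- name: Ensure mandatory variables are configured
+  assert:
+    that: "{{ item }} is defined"
+    fail_msg: "You must define the '{{ item }}' variable"
+  with_items:
+    - add_users_user_accounts
+
+- name: Include resource variables
+  include_vars: "{{ add_users_user_accounts }}"
+  tags:
+    # Note(d1): we already load in converge.yml so skip here
+    - molecule-notest
+
+# Note(d1): Done in this way because https://stackoverflow.com/a/39041069
+- name: Include user addition tasks
+  include: users.yml user={{ item }}
+  with_items: "{{ members }}"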
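--- a/tasks/users.yml
+++ b/tasks/users.yml
@@ -0,0 +1,40 @@
+---
+- name: "Expire an existing user account"
+  block:
+    - name: Show which user account is being handled
+      debug:
+        msg: "Attempting to expire account for {{ user.username }}..."
+
+    - name: Check if the user accounts already exists
+      getent:
+        database: passwd
+        key: "{{ user.username }}"
+      register: user_exists
+      ignore_errors: true
+
+
+    - name: Expire the account and blank the password
+      user:
+        name: "{{ user.username }}"
+        expires: 0
+        password: '!'
+      when: user_exists is succeeded
+
+    - name: Remove user's .ssh/authorized_keys file
+      file:
+        path: "/home/{{ user.username }}/.ssh/authorized_keys"
+        state: absent
+
+    - name: Remove password store entry
+      become: false
+      delegate_to: localhost
+      command: "pass rm -r users/{{ user.username }}/sudo/ {{ item.email }}"
+      when: user_exists is succeeded
+
+    #TODO: - name: "Remove username from the SSH AllowUsers configuration"
+    #  replace:
+    #    backup: true
+    #    dest: /etc/ssh/sshd_config
+    #    regexp: '^(AllowUsers(?!.*\b{{ user.username }}\b).*)$' # this is copied from autonomic.add-users, not correct
+    #    replace: '\1 {{ user.username }}' # this is also in need of change
+    #  notify: Restart SSH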