first working version

knoflook 7 months ago
parent f035a3bed7
commit f545e2bdad
Signed by: knoflook
GPG Key ID: D6A1D0E8FC4FEF1C
  1. 8
      molecule/default/converge.yml
  2. 43
      tasks/main.yml
  3. 40
      tasks/users.yml

@ -0,0 +1,8 @@
---
- name: Converge
hosts: all
vars:
add_users_user_accounts: files/members.yml
- name: Include resource variables
include_vars: "{{ add_users_user_accounts }}"
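Review bot: Nothing visible in this converge play applies the role under test: it sets `add_users_user_accounts` and loads it with `include_vars`, but there is no `roles:` entry or `include_role`/`import_role` task, so `molecule converge` would read `files/members.yml` and finish before tasks/main.yml ever runs. The hunk header counts 8 added lines and only 7 are shown here, so a line (likely `tasks:`) was lost in rendering — confirm against the file, and if the role really is not invoked, add a task after the `include_vars` one that includes the role by name so the expire tasks are actually exercised.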

@ -13,6 +13,43 @@
- molecule-notest
# Note(d1): Done in this way because https://stackoverflow.com/a/39041069
- name: Include user addition tasks
include: users.yml user={{ item }}
with_items: "{{ members }}"
- name: "Expire an existing user account"
block:
- name: Show which user account is being handled
debug:
msg: "Attempting to expire account for {{ username }}..."
- name: Check if the user accounts already exists
getent:
database: passwd
key: "{{ username }}"
register: user_exists
ignore_errors: true
- name: Expire the account and blank the password
user:
name: "{{ username }}"
expires: 0
password: '!'
when: user_exists is succeeded
- name: Remove user's .ssh/authorized_keys file
file:
path: "/home/{{ username }}/.ssh/authorized_keys"
state: absent
- name: Remove password store entry
become: false
delegate_to: localhost
command: "pass rm -r users/{{ username }}/sudo/{{ inventory_hostname }}"
when: user_exists is succeeded
- name: "Remove username from the SSH AllowUsers configuration"
replace:
backup: true
dest: /etc/ssh/sshd_config
regexp: '{{ username }}'
after: 'AllowUsers'
replace: ''
notify: Restart SSH
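Review bot: The AllowUsers cleanup in the last task is both unanchored and over-broad: `regexp: '{{ username }}'` is a bare substring with no `regex_escape`, and `after: 'AllowUsers'` makes the replace module work on everything from the first `AllowUsers` match to end of file, so expiring `bob` also clips `bobby` and any later occurrence of the name (a `Match User` block, for instance). The rewrite below matches only a whole token on the AllowUsers line and adds `validate: '/usr/sbin/sshd -t -f %s'`, so a directive left with no names — which sshd may reject, turning the `Restart SSH` handler into a lockout — is never written. Separately, `pass rm -r users/...` without `-f` prompts for confirmation and exits non-zero when stdin is not a tty, so the delegated task fails in an unattended run; use `pass rm -r -f users/{{ username }}/sudo/{{ inventory_hostname }}`. Also worth a follow-up: the `include: users.yml` line at the top of the hunk points at a file this commit deletes (its old/new side is not recoverable from this rendering), the authorized_keys task assumes `/home/{{ username }}` instead of the home directory the getent lookup already returned, and setting `expires: 0` does not end sessions the user currently holds. The enclosing tasks list starts before this hunk.
```yaml
# … unchanged: debug, getent, user expire, authorized_keys and pass rm tasks …
- name: "Remove username from the SSH AllowUsers configuration"
  replace:
    backup: true
    dest: /etc/ssh/sshd_config
    # Whole-token match on the AllowUsers line only: "bob" must not clip "bobby"
    regexp: '^(AllowUsers\b.*?)\s+{{ username | regex_escape }}(?=\s|$)'
    replace: '\1'
    # Never write a config sshd cannot parse; the handler below restarts sshd
    validate: '/usr/sbin/sshd -t -f %s'
  notify: Restart SSH
```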

@ -1,40 +0,0 @@
---
- name: "Expire an existing user account"
block:
- name: Show which user account is being handled
debug:
msg: "Attempting to expire account for {{ user.username }}..."
- name: Check if the user accounts already exists
getent:
database: passwd
key: "{{ user.username }}"
register: user_exists
ignore_errors: true
- name: Expire the account and blank the password
user:
name: "{{ user.username }}"
expires: 0
password: '!'
when: user_exists is succeeded
- name: Remove user's .ssh/authorized_keys file
file:
path: "/home/{{ user.username }}/.ssh/authorized_keys"
state: absent
- name: Remove password store entry
become: false
delegate_to: localhost
command: "pass rm -r users/{{ user.username }}/sudo/ {{ item.email }}"
when: user_exists is succeeded
#TODO: - name: "Remove username from the SSH AllowUsers configuration"
# replace:
# backup: true
# dest: /etc/ssh/sshd_config
# regexp: '^(AllowUsers(?!.*\b{{ user.username }}\b).*)$' # this is copied from autonomic.add-users, not correct
# replace: '\1 {{ user.username }}' # this is also in need of change
# notify: Restart SSH