From f545e2bdad9ec1bdf07d192431a1c01df1d582b5 Mon Sep 17 00:00:00 2001
From: knoflook
Date: Sat, 25 Jun 2022 17:33:46 +0200
Subject: [PATCH] first working version
---
molecule/default/converge.yml | 8 +++++++
tasks/main.yml | 43 ++++++++++++++++++++++++++++++++---
tasks/users.yml | 40 --------------------------------
3 files changed, 48 insertions(+), 43 deletions(-)
create mode 100644 molecule/default/converge.yml
delete mode 100644 tasks/users.yml
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
new file mode 100644
index 0000000..7a40a2b
--- /dev/null
+++ b/molecule/default/converge.yml
@@ -0,0 +1,8 @@
+---
+- name: Converge
+ hosts: all
+ vars:
+ add_users_user_accounts: files/members.yml
+ - name: Include resource variables
+ include_vars: "{{ add_users_user_accounts }}"
+
diff --git a/tasks/main.yml b/tasks/main.yml
index c21b730..b8b1229 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
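Review bot: The converge play has no `tasks:` key, so the `Include resource variables` item sits directly under `vars:` and the play will not parse as written (the original indentation is lost in this rendering, but none of the eight added lines introduces a task list). It also never applies the role under test: nothing in this file runs `tasks/main.yml` against the host, so a molecule run would pass without exercising the new expiry block at all, unless the role is pulled in somewhere not shown here. Insert `tasks:` above the include_vars item, indent the item beneath it, and add a second task such as `include_role: name: <ROLE_NAME>` (placeholder; use this role's real name) after the member variables are loaded.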
@@ -13,6 +13,43 @@
 - molecule-notest # Note(d1): Done in this way because https://stackoverflow.com/a/39041069
-- name: Include user addition tasks
- include: users.yml user={{ item }}
- with_items: "{{ members }}"
+- name: "Expire an existing user account"
+ block:
+ - name: Show which user account is being handled
+ debug:
+ msg: "Attempting to expire account for {{ username }}..."
+
+ - name: Check if the user accounts already exists
+ getent:
+ database: passwd
+ key: "{{ username }}"
+ register: user_exists
+ ignore_errors: true
+
+
+ - name: Expire the account and blank the password
+ user:
+ name: "{{ username }}"
+ expires: 0
+ password: '!'
+ when: user_exists is succeeded
+
+ - name: Remove user's .ssh/authorized_keys file
+ file:
+ path: "/home/{{ username }}/.ssh/authorized_keys"
+ state: absent
+
+ - name: Remove password store entry
+ become: false
+ delegate_to: localhost
+ command: "pass rm -r users/{{ username }}/sudo/{{ inventory_hostname }}"
+ when: user_exists is succeeded
+
+ - name: "Remove username from the SSH AllowUsers configuration"
+ replace:
+ backup: true
+ dest: /etc/ssh/sshd_config
+ regexp: '{{ username }}'
+ after: 'AllowUsers'
+ replace: ''
+ notify: Restart SSH
diff --git a/tasks/users.yml b/tasks/users.yml
deleted file mode 100644
index cbb4f5c..0000000
--- a/tasks/users.yml
+++ /dev/null
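Review bot: The `replace` task at the end of the block deletes every occurrence of `{{ username }}` anywhere after the first `AllowUsers` string in sshd_config, with the value neither anchored to that directive nor regex-escaped, so expiring `bob` also turns `bobby` into `by` on the same line and a name that happens to appear in a later directive is stripped from it too. Drop the `after:` line and replace the two pattern lines with `regexp: '^(AllowUsers\b.*)\s{{ username | regex_escape }}\b'` and `replace: '\1'`, and add `validate: '/usr/sbin/sshd -t -f %s'` so a config that no longer parses is rejected before `Restart SSH` fires. Two smaller points: `pass rm -r` asks for interactive confirmation unless `-f`/`--force` is given, so under `command` with no tty the password-store task will most likely exit non-zero; and the `authorized_keys` path hard-codes `/home/{{ username }}`, whereas the real home directory is already in the `getent` result (`user_exists.ansible_facts.getent_passwd[username][4]`, if I read the module's output format correctly).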
@@ -1,40 +0,0 @@
----
-- name: "Expire an existing user account"
- block:
- - name: Show which user account is being handled
- debug:
- msg: "Attempting to expire account for {{ user.username }}..."
-
- - name: Check if the user accounts already exists
- getent:
- database: passwd
- key: "{{ user.username }}"
- register: user_exists
- ignore_errors: true
-
-
- - name: Expire the account and blank the password
- user:
- name: "{{ user.username }}"
- expires: 0
- password: '!'
- when: user_exists is succeeded
-
- - name: Remove user's .ssh/authorized_keys file
- file:
- path: "/home/{{ user.username }}/.ssh/authorized_keys"
- state: absent
-
- - name: Remove password store entry
- become: false
- delegate_to: localhost
- command: "pass rm -r users/{{ user.username }}/sudo/ {{ item.email }}"
- when: user_exists is succeeded
-
- #TODO: - name: "Remove username from the SSH AllowUsers configuration"
- # replace:
- # backup: true
- # dest: /etc/ssh/sshd_config
- # regexp: '^(AllowUsers(?!.*\b{{ user.username }}\b).*)$' # this is copied from autonomic.add-users, not correct
- # replace: '\1 {{ user.username }}' # this is also in need of change
- # notify: Restart SSH