Commit 13aec4cf authored by nimrod

- A small refactor, moved SSH root lock and sudoers handling to separate tasks files included only when enabled.
- Change lock_root to lock_root_ssh to be more explicit about what it does (previous behavior was also local lock. The behavior changed but the name remained).
- More assertions.
- Updated documentation.
parent 122e5999
......@@ -5,17 +5,17 @@ Users
:target: https://travis-ci.org/adarnimrod/users
An Ansible role to create users, groups, email aliases, configure sudo and lock
down root account. The intended use case is to replace setting up an LDAP or
NIS server. The role also installs sudo and creates a sudoers group that can use
sudo with a password. A password is also set if provided. For generating the
password hash needed, under Debian run: :code:`echo MyPassword | mkpasswd -m
sha-512 -s` and under OpenBSD run: :code:`echo MyPassword | encrypt`. If
provided, email alias and SSH authorized keys are set. If
:code:`users_lock_root` is set to :code:`True` (by default it is) then local and
SSH root login is disabled. Another use case is to manage system users, for
example to disable the local root login add root to the :code:`users` variable
with the password :code:`*************`, setting an email address will also
set mail forwarding.
down root account SSH access. The intended use case is to replace setting up
an LDAP or NIS server. The role also installs sudo and creates a sudoers group
that can use sudo with a password. A password is also set if provided. For
generating the password hash needed, under Debian run: :code:`echo MyPassword
| mkpasswd -m sha-512 -s` and under OpenBSD run: :code:`echo MyPassword |
encrypt`. If provided, email alias and SSH authorized keys are set. If
:code:`users_lock_root_ssh` is set to :code:`True` (by default it is) then SSH
root login is disabled. Another use case is to manage system users, for example
to disable the local root login add root to the :code:`users` variable with the
password :code:`*************`, setting an email address will also set mail
forwarding.
Requirements
------------
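Review bot: The README text in this hunk still says the sudoers group "can use sudo with a password", but the rule this commit writes to `/etc/sudoers.d/50_sudoers` is `%sudoers ALL=(ALL) NOPASSWD: ALL`, so either the sentence or the rule is wrong; the passwordless behaviour is the security-relevant one and should be stated explicitly. The new `users_use_sudo` toggle added in defaults/main.yml is not documented here either, and the rename of `users_lock_root` to `users_lock_root_ssh` deserves a one-line migration note for existing playbooks.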
......
---
# defaults file for users
users_lock_root: True
users_lock_root_ssh: True
users_use_sudo: True
users:
- name: root
password: '*************'
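Review bot: Renaming `users_lock_root` to `users_lock_root_ssh` without a guard means an inventory or playbook that still sets `users_lock_root: False` is silently ignored and, because the new default is `True`, root SSH login gets disabled anyway; nothing tells the user the old name is dead. Suggest adding `- users_lock_root is not defined` to the assert block in tasks/main.yml with a `msg` pointing at the new variable, at least for one release.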
......
---
# tasks file for locking root ssh
- name: Create ssh directory in case SSH isn't installed
file:
path: /etc/ssh
owner: root
group: 0
mode: 0o0755
state: directory
- name: Disable root login via SSH
lineinfile:
create: yes
dest: /etc/ssh/sshd_config
line: 'PermitRootLogin no'
regexp: '^PermitRootLogin '
notify:
- Restart ssh
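Review bot: The `Disable root login via SSH` task has no `insertbefore`, so when sshd_config contains no uncommented `PermitRootLogin` line lineinfile appends the directive at end of file; if the file ends with a `Match` block the line lands inside that block and only applies there, leaving global root login at sshd's default. Add `insertbefore: BOF` so the directive is global regardless of what follows. Two further caveats worth a comment in the file: with `create: yes` and SSH not installed this yields a sshd_config containing only `PermitRootLogin no`, which a later package install may keep as-is, and `no` also rejects key-based root login, which matters because the role can set SSH authorized keys for root through the `users` variable.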
......@@ -4,53 +4,25 @@
assert:
that:
- ansible_os_family in [ 'OpenBSD', 'Debian' ]
- users is defined
- name: APT install sudo
when: ansible_pkg_mgr == 'apt'
apt:
name: sudo
state: present
update_cache: yes
cache_valid_time: 3600
- name: Pkg install sudo
when: ansible_pkg_mgr == 'openbsd_pkg' and ansible_distribution_release | version_compare('5.8', '>=')
openbsd_pkg:
name: '{{ users_sudo_pkg[ansible_distribution_release] }}'
state: present
- users is iterable
- users_lock_root_ssh in [ True, False ]
- users_use_sudo in [ True, False ]
# OpenBSD 5.7 was the last version that came with sudo installed.
- >
ansible_os_family != 'OpenBSD' or
ansible_distribution_release|version_compare('5.7', '<=') or
ansible_distribution_release in users_sudo_pkg or
not users_use_sudo
- include: sudo.yml
when: users_use_sudo
- name: Create groups
with_items: '{{ users_unique_groups|union(["sudoers"]) }}'
with_items: '{{ users_unique_groups }}'
group:
name: '{{ item }}'
state: present
- name: Create sudoers.d directory
file:
path: /etc/sudoers.d
state: directory
owner: root
group: 0
mode: '0755'
- name: Include sudoers.d/*
lineinfile:
dest: /etc/sudoers
line: '#includedir /etc/sudoers.d'
state: present
- name: Allow sudo without password to sudoers
lineinfile:
dest: '/etc/sudoers.d/50_sudoers'
line: '%sudoers ALL=(ALL) NOPASSWD: ALL'
regexp: '^%sudoers'
state: present
create: yes
owner: root
group: 0
mode: 0o0440
- name: Create users
with_items: '{{ users }}'
user:
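Review bot: `users is iterable` is a weak guard: a scalar such as `users: root` is iterable in Jinja2 and passes, and `with_items: '{{ users }}'` then loops over characters instead of a list of dicts. Tighten it to `- users is sequence` together with `- users is not string`. Second, the `sudoers` group is now created only inside sudo.yml, so when `users_use_sudo` is False a user entry that lists `sudoers` among its groups fails at `Create users`; either keep the `union(["sudoers"])` here or add an assertion that no entry names that group while sudo is disabled.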
......@@ -82,21 +54,5 @@
notify:
- Update SMTPd database
- name: Create ssh directory in case SSH isn't installed
when: users_lock_root
file:
path: /etc/ssh
owner: root
group: 0
mode: 0o0755
state: directory
- name: Disable root login via SSH
when: users_lock_root
lineinfile:
create: yes
dest: /etc/ssh/sshd_config
line: 'PermitRootLogin no'
regexp: '^PermitRootLogin '
notify:
- Restart ssh
- include: lock_root_ssh.yml
when: users_lock_root_ssh
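Review bot: The `when: users_lock_root_ssh` on a static `include` is inherited by every task in lock_root_ssh.yml, which is the intended behaviour here; on Ansible 2.4 and later `include` is deprecated, and `import_tasks` is the equivalent that keeps this per-task inheritance, so plan that rename. The moved tasks still notify `Restart ssh`, and the handler definition is not part of this change, so verify that handlers/main.yml covers both service names (`ssh` on Debian, `sshd` on OpenBSD) since the role asserts support for both OS families.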
---
# tasks file for sudoers
- name: APT install sudo
when: ansible_pkg_mgr == 'apt'
apt:
name: sudo
state: present
update_cache: yes
cache_valid_time: 3600
- name: pkg install sudo
when: ansible_pkg_mgr == 'openbsd_pkg' and ansible_distribution_release|version_compare('5.7', '>')
openbsd_pkg:
name: '{{ users_sudo_pkg[ansible_distribution_release] }}'
state: present
- name: Create sudoers.d directory
file:
path: /etc/sudoers.d
state: directory
owner: root
group: 0
mode: 0o0755
- name: Include sudoers.d/*
lineinfile:
dest: /etc/sudoers
line: '#includedir /etc/sudoers.d'
state: present
- name: Allow sudo without password to the sudoers group
lineinfile:
dest: '/etc/sudoers.d/50_sudoers'
line: '%sudoers ALL=(ALL) NOPASSWD: ALL'
regexp: '^%sudoers'
state: present
create: yes
owner: root
group: 0
mode: 0o0440
- name: Create sudoers group
group:
name: sudoers
state: present
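Review bot: Both lineinfile tasks edit sudo policy without `validate`, so a typo in `#includedir /etc/sudoers.d` or in the `%sudoers` rule breaks sudo for every account at once, because sudo refuses to run on a parse error in either file. Add `validate: 'visudo -cf %s'` to the `/etc/sudoers` task and to the `50_sudoers` task so a bad file is rejected before it lands. Minor: `Create sudoers group` sits after the rule that references `%sudoers`; that works, but moving it first reads better, and the `NOPASSWD: ALL` rule contradicts the README text in the first hunk, which promises sudo "with a password".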