From 63ebc2878c321ac30943e5568d5c1d4b23b3001d Mon Sep 17 00:00:00 2001
From: vincent
Date: Sun, 6 Nov 2022 19:11:42 +0100
Subject: [PATCH] dedicated ansible user and put out sssd role

---
defaults/main.yml | 1 -
tasks/main.yml | 26 ++++++--------------------
2 files changed, 6 insertions(+), 21 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index caf9286..4c3a295 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -3,4 +3,3 @@ user:
name: vincent
uid: 1024
-userPassword: $6$GX8Mnp13vKWc1rye$HnFNZ/9oUg8K1rkaHJ1DKKk6IvWP0NP8K/dPOtLOfWjoVmQtx8MiF6eMEVJqjLZvCckDkg9AHjQzwQZfFGzED0
diff --git a/tasks/main.yml b/tasks/main.yml
index 0e76d86..83e6129 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -67,10 +67,6 @@
- 'ansible_distribution'
- 'ansible_os_family'
-- name: import sssd role for ldap support
- import_role:
- name: ansible-role-sssd
-
- name: zsh install
package:
state: present
@@ -90,26 +86,16 @@
- name: create profil
user:
- name: "{{user.name}}" # required. Name of the user to create, remove or modify.
+ name: "ansible" # required. Name of the user to create, remove or modify.
create_home: yes # not required. Unless set to C(no), a home directory will be made for the user when the account is created or if the home directory does not exist.,Changed from C(createhome) to C(create_home) in version 2.5.
- password: "{{userPassword}}" # not required. Optionally set the user's password to this crypted value.,On macOS systems, this value has to be cleartext. Beware of security issues.,See U(https://docs.ansible.com/ansible/faq.html#how-do-i-generate-crypted-passwords-for-the-user-module) for details on various ways to generate these password values.
system: no # not required. When creating an account C(state=present), setting this to C(yes) makes the user a system account. This setting cannot be changed on existing users.
state: present # not required. choices: absent;present. Whether the account should exist or not, taking action if the state is different from what is stated.
ssh_key_file: .ssh/id_rsa # not required. Optionally specify the SSH key filename. If this is a relative filename then it will be relative to the user's home directory.
- uid: "{{ user.uid }}"
shell: /bin/bash
- when: sssd_configure is not defined or sssd_configure == false
-
- name: simulate login
- stat:
- path: "/home/{{user.name}}"
- become: true
- become_user: "{{user.name}}"
- when: sssd_configure == true
- name: set sudoers right
lineinfile:
- dest: "/etc/sudoers.d/{{user.name}}"
+ dest: "/etc/sudoers.d/ansible"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: "present"
@@ -119,8 +105,8 @@
mode: "0440"
validate: 'visudo -cf "%s"'
with_items:
- - regexp: '^{{user.name}}\s'
- line: "{{user.name}} ALL = (ALL) NOPASSWD:ALL"
+ - regexp: '^ansible\s'
+ line: "ansible ALL = (ALL) NOPASSWD:ALL"
- name: Ensure /etc/sudoers includes /etc/sudoers.d
lineinfile:
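Review bot: The account name is now the bare literal `ansible` in `name: "ansible"` and `dest: "/etc/sudoers.d/ansible"` here, again in the sudoers items at `@@ -119` and in the `authorized_key` task at `@@ -132`, so the five places that must agree are no longer tied together the way `{{user.name}}` tied them. A role default such as `ansible_user_name: ansible` in defaults/main.yml, used as `name: "{{ ansible_user_name }}"`, `dest: "/etc/sudoers.d/{{ ansible_user_name }}"` and so on, would keep the user, its sudoers drop-in and its authorized key in step; `user:` in defaults/main.yml appears to be left unused by these tasks unless something before line 67 still reads it. Removing `password:` creates the account without a password, which on most Linux distributions leaves the shadow entry locked so the SSH key is the only way in — appropriate for an account granted `NOPASSWD:ALL`, but worth recording on the task, e.g. `# no password on purpose: login is by SSH key only (see the authorized_key task)`. The `$6$` crypt hash deleted from defaults/main.yml in this commit remains in the repository history, so that password should be considered exposed and changed wherever it was deployed.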
@@ -132,6 +118,6 @@
- name: Set authorized key taken from file
authorized_key:
- user: "{{user.name}}"
+ user: "ansible"
state: present
- key: "{{ lookup('file', '/home/{{user.name}}/.ssh/id_rsa.pub') }}"
+ key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
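Review bot: `key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"` is evaluated on the control node, so `~` is the home directory of whichever account runs the play; the key that ends up authorised for the root-capable `ansible` user therefore depends on who invoked Ansible (or on a CI runner's account) rather than on a declared role input, and the same play run from another account silently installs a different key. Making the path a role default, e.g. `ansible_user_pubkey: "~/.ssh/id_rsa.pub"`, or taking the key material itself as a variable, makes the trust decision explicit and reviewable. Since `exclusive` is not set, keys authorised by earlier runs (including one installed from `/home/{{user.name}}/.ssh/id_rsa.pub` by the previous version of this task) stay in place, so consider whether this account should carry exactly one key. A short comment would help the next reader: `# read on the control node: ~ is the home of the account running the play`.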