From 5df713fefd62a8ef392944a39f35c4324a73b910 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Wed, 12 Apr 2017 18:11:07 +0300
Subject: Add a role to create Unix system users

Including setting authorized_keys, and passwordless sudo access.
---
roles/unix_users/README | 3 +++
roles/unix_users/defaults/main.yml | 21 +++++++++++++++++++++
roles/unix_users/tasks/main.yml | 23 +++++++++++++++++++++++
3 files changed, 47 insertions(+)
create mode 100644 roles/unix_users/README
create mode 100644 roles/unix_users/defaults/main.yml
create mode 100644 roles/unix_users/tasks/main.yml
(limited to 'roles')
diff --git a/roles/unix_users/README b/roles/unix_users/README
new file mode 100644
index 0000000..f16f873
--- /dev/null
+++ b/roles/unix_users/README
@@ -0,0 +1,3 @@
+This role creates Unix system users (i.e., ones listed in
+`/etc/passwd`, traditionally). To use this role, define a variable
+`system_users`, see `defaults/main.yml` for details.
diff --git a/roles/unix_users/defaults/main.yml b/roles/unix_users/defaults/main.yml
new file mode 100644
index 0000000..d79958e
--- /dev/null
+++ b/roles/unix_users/defaults/main.yml
@@ -0,0 +1,21 @@
+# List of system users to create. Value a list of dicts with keys:
+#
+# username -- the username of the new user
+# comment -- the GECOS/realname of the new user
+# shell -- the shell to use (defaults to /bin/bash)
+# system -- yes/no, is user a system user (default no)
+# sudo -- yes/no, should user have sudo access? (without password)
+#
+
+unix_users: []
+
+
+# Specify directory where per-user authorized_keys files are stored.
+# Each user has their own file in the directory, named after their
+# username. You MUST specify this variable. You may put more than one
+# key in each user's file.
+#
+# You MUST create a file for each user in unix_users. An empty file
+# will do.
+
+authkeys_dir: /
diff --git a/roles/unix_users/tasks/main.yml b/roles/unix_users/tasks/main.yml
new file mode 100644
index 0000000..ad9095f
--- /dev/null
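Review bot: The variable this file documents and defines is `unix_users`, but the README added in the same commit tells users to define `system_users`; since tasks/main.yml iterates `unix_users`, the README is the one that should change. Separately, `authkeys_dir: /` contradicts the comment's "You MUST specify this variable": a play that forgets the override does not fail, it silently reads `/<username>` from the controller's root directory through the `file` lookup. Dropping the `authkeys_dir: /` line so an unset variable makes the lookup fail, or adding an `assert` on `authkeys_dir` in the tasks, would make the requirement enforceable rather than advisory. I would also fix the first comment's grammar to `# List of system users to create. Value is a list of dicts with keys:`.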
+++ b/roles/unix_users/tasks/main.yml
@@ -0,0 +1,23 @@
+- name: create system users
+ with_items: "{{ unix_users }}"
+ user:
+ name: "{{ item.username }}"
+ comment: "{{ item.comment|default('unnamed user') }}"
+ shell: "{{ item.shell|default('/bin/bash') }}"
+ system: "{{ item.system|default('no') }}"
+
+- name: add keys to authorized_keys
+ with_items: "{{ unix_users }}"
+ authorized_key:
+ user: "{{ item.username }}"
+ key: "{{ lookup('file', authkeys_dir + '/' + item.username) }}"
+
+- name: give sudo access
+ with_items: "{{ unix_users }}"
+ when: "{{ item.sudo|default(False) }}"
+ copy:
+ content: "{{ item.username }} ALL=(ALL:ALL) NOPASSWD: ALL"
+ dest: "/etc/sudoers.d/{{ item.username }}"
+ owner: root
+ group: root
+ mode: 0600
-- cgit v1.2.1
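Review bot: The sudoers drop-in written by the `give sudo access` task is never validated, so a `username` that is not a valid sudoers token (or any future typo in the `content` template) lands in `/etc/sudoers.d/` as a file with a parse error, and sudo then refuses to run at all on that host; add `validate: 'visudo -cf %s'` to the `copy` task so a bad file is rejected before it is installed. The condition `when: "{{ item.sudo|default(False) }}"` does not normalise the value, so the `yes`/`no` strings the defaults file documents are only handled reliably if they arrive as YAML booleans; `when: item.sudo | default(false) | bool` makes the documented values behave the same whether quoted or not, and also drops the bare-Jinja-in-`when` form that Ansible warns about. Finally, `mode: 0600` is an unquoted octal literal that the YAML loader turns into an integer; Ansible's own guidance is to write it as `mode: "0600"` so the permission cannot be silently reinterpreted.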