make some stuff distro-agnostic

2023-08-30 20:26:20 -05:00 · 2023-08-30 20:26:20 -05:00 · 46c14b88b7
commit 46c14b88b7
parent dc0781b13b
13 changed files with 41 additions and 173 deletions
--- a/roles/create-user/defaults/main.yml
+++ b/roles/create-user/defaults/main.yml
@ -1,3 +1,13 @@
 ---
 create_username: "{{ lookup('env','USER') }}"
 create_pwgen: "{{ lookup('password', '/dev/null chars=ascii_letters,digits,hexdigits,punctuation length=32') }}"
+sudo_group_by_fam:
+  Debian: sudo
+  RedHat: wheel
+created_users_groups: # sorted by os_family
+  Debian:
+    - "{{ sudo_group_by_fam[ansible_os_family] }}"
+  RedHat:
+    - "{{ sudo_group_by_fam[ansible_os_family] }}"
+    - adm
+    - disk
--- a/roles/create-user/handlers/main.yml
+++ b/roles/create-user/handlers/main.yml
@ -0,0 +1,3 @@
+- name: print generated password
+  debug:
+    var: create_pwgen
--- a/roles/create-user/tasks/deb.yml
+++ b/roles/create-user/tasks/deb.yml
@ -1,23 +0,0 @@
---
-
- name: creating user {{ create_username }} in sudo group (Debian/Ubuntu)
-  user:
-    name: "{{ create_username }}"
-    password: "{{ create_pwgen | password_hash('sha512') }}"
-    state: present
-    shell: /bin/bash
-    groups: sudo
-    append: yes
-    generate_ssh_key: yes
-    ssh_key_bits: 2048
-    ssh_key_file: .ssh/id_rsa
-    update_password: on_create
-  register: user_created
-
- name: enable nopasswd sudo (Debian/Ubuntu)
-  lineinfile:
-    dest: /etc/sudoers
-    regexp: '^%sudo'
-    line: "%sudo   ALL=(ALL:ALL) NOPASSWD:ALL"
-    state: present
-    validate: 'visudo -cf %s'
--- a/roles/create-user/tasks/el.yml
+++ b/roles/create-user/tasks/el.yml
@ -1,23 +0,0 @@
---
-
- name: creating user {{ create_username }} in wheel group (RHEL/CentOS/Fedora)
-  user:
-    name: "{{ create_username }}"
-    password: "{{ create_pwgen | password_hash('sha512') }}"
-    state: present
-    shell: /bin/bash
-    groups: wheel
-    append: yes
-    generate_ssh_key: yes
-    ssh_key_bits: 2048
-    ssh_key_file: .ssh/id_rsa
-    update_password: on_create
-  register: user_created
-
- name: enable nopasswd sudo (RHEL/CentOS/Fedora)
-  lineinfile:
-    dest: /etc/sudoers
-    regexp: '^%wheel'
-    line: "%wheel       ALL=(ALL)       NOPASSWD: ALL"
-    state: present
-    validate: 'visudo -cf %s'
--- a/roles/create-user/tasks/main.yml
+++ b/roles/create-user/tasks/main.yml
@ -1,21 +1,39 @@
 ---

- include_tasks: deb.yml
-  when: ansible_distribution in ["Debian", "Ubuntu"]
+- name: Create user {{ create_username }}
+  become: true
+  user:
+    name: "{{ create_username }}"
+    password: "{{ create_pwgen | password_hash('sha512') }}"
+    state: present
+    shell: /bin/bash
+    groups: "{{ created_users_groups[ansible_os_family] }}"
+    append: true
+    generate_ssh_key: false
+    ssh_key_bits: 2048
+    ssh_key_file: .ssh/id_rsa
+    update_password: on_create
+  register: user_created
+  notify: print generated password

- include_tasks: el.yml
-  when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "RedHat", "Fedora"]
-
- name: print generated password for {{ create_username }} on each host
-  debug: var=create_pwgen
-  when: user_created is changed 
+- name: enable nopasswd sudo
+  become: true
+  lineinfile:
+    dest: /etc/sudoers
+    regexp: '^{{ create_username }}'
+    line: "{{ create_username }}   ALL=(ALL:ALL) NOPASSWD:ALL"
+    insertafter: '^%{{ sudo_group_by_fam[ansible_os_family] }}.*$'
+    state: present
+    validate: 'visudo -cf %s'

 - name: copy current pubkeys to ~{{ create_username }}/.ssh/authorized_keys
  authorized_key:
    user: "{{ create_username }}"
    state: present
    key: "{{ item }}"
+#    key: "{{ URL_PUBKEYS }}"
+  ignore_errors: true # doesn't support sk-ecdsa-sha2-nistp256 keys
  with_items:
-    - "{{ lookup('file','~/.ssh/id_ed25519.pub') }}"
-    - "{{ lookup('file','~/.ssh/id_rsa.pub') }}"
    - "{{ lookup('file','~/.ssh/id_ecdsa.pub') }}"
+#    - "{{ lookup('file','~/.ssh/id_ecdsa_sk.pub') }}"
+#    - "{{ lookup('file','~/.ssh/id_ed25519.pub') }}"