@include
Last active September 7, 2015 17:19
manage users/groups with ansible
---
# file: group_vars/all_users
# Groups to manage (key = group name), the users to create with their keys and
# group memberships, and accounts that must be locked out.
mygroups:
  admins:
    state: present

users:
  - name: include
    comment: [email protected]
    keys:
      - include_rsa.pub
    groups:
      - admins

absent_users:
  - bugabundo

---
# file: roles/support/tasks/sshd_config.yml
# PermitUserEnvironment must be on for the environment="KEYID=..." option set in
# authorized_keys (users.yml) to take effect; sshd ignores it otherwise.
- name: SYSTEM | sshd_config check PermitUserEnvironment
  command: >
    egrep '^PermitUserEnvironment yes' /etc/ssh/sshd_config
  register: result
  ignore_errors: True
  tags: sshd

# RedHat ships the option commented out, so replace that line in place.
- name: SYSTEM | sshd_config - RedHat
  lineinfile: >
    dest=/etc/ssh/sshd_config
    regexp='^#PermitUserEnvironment no'
    line='PermitUserEnvironment yes'
    backrefs=yes
  when: result|failed and ansible_distribution != 'Ubuntu'
  notify: restart sshd
  tags: sshd

# Ubuntu's default file has no such line, so append one.
- name: SYSTEM | sshd_config - Ubuntu
  lineinfile: >
    dest=/etc/ssh/sshd_config
    line='PermitUserEnvironment yes'
    insertafter=EOF
  when: result|failed and ansible_distribution == 'Ubuntu'
  notify: restart sshd
  tags: sshd

---
# file: roles/support/tasks/users.yml
# Lock out departed accounts by giving them a non-interactive shell.
- name: disable user
  user: >
    name={{ item }}
    shell=/sbin/nologin
  with_items: absent_users
  tags:
    - support-users-disable

- name: groups
  group: >
    name={{ item.key }}
    state={{ item.value.state }}
  with_dict: mygroups
  tags:
    - support-users-groups

- name: users
  user: >
    name={{ item.name }}
    shell=/bin/bash
    createhome=yes
  with_items: users
  tags:
    - support-users

# append=yes adds the listed groups without removing memberships set elsewhere.
- name: add users to group
  user: >
    name={{ item.0.name }}
    groups={{ item.1 }}
    append=yes
  with_subelements:
    - users
    - groups
  tags:
    - support-users

# Each key is tagged with KEYID=<user>, so a login shows which key was used
# (requires PermitUserEnvironment yes, see sshd_config.yml).
- name: authorized_keys
  authorized_key: >
    user={{ item.0.name }}
    key="{{ lookup('file', '../keys/ssh/' + item.1) }}"
    key_options='environment="KEYID={{ item.0.name }}"'
  with_subelements:
    - users
    - keys
  notify:
    - restart sshd
  tags:
    - support-users

# Only members of admins get a sudoers drop-in; visudo -cf rejects a broken
# template before it is installed.
- name: sudoers
  template: >
    src=extra-sudoers.j2
    dest=/etc/sudoers.d/{{ item.0.name }}-extra-sudoers
    owner=root
    group=root
    mode=0400
    validate='visudo -cf %s'
  when: item.1 == "admins"
  with_subelements:
    - users
    - groups
  tags:
    - support-users
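As an added example (not part of the gist), a small Python dry-run that expands the same structures the tasks loop over (with_dict over mygroups, with_subelements over users/groups and users/keys) so the resulting changes can be reviewed before running ansible-playbook; it also flags a name listed in both `users` and `absent_users`, where the later `users` task would undo the shell set by `disable user`. The INVENTORY dict is constructed from the page's group_vars with one conflicting entry added.

```python
"""Dry-run planner for the user/group data consumed by the gist's tasks."""

# Constructed sample: the page's group_vars/all_users plus one conflicting entry.
INVENTORY = {
    "mygroups": {"admins": {"state": "present"}},
    "users": [
        {"name": "include", "keys": ["include_rsa.pub"], "groups": ["admins"]},
        {"name": "bugabundo", "keys": [], "groups": []},  # also in absent_users
    ],
    "absent_users": ["bugabundo"],
}


def subelements(items, key):
    """Mimic Ansible's with_subelements: yield (parent, child) pairs."""
    return [(item, child) for item in items for child in item.get(key, [])]


def plan(inv):
    """Return, per task, the work list the playbook would produce."""
    p = {}
    p["disable"] = list(inv["absent_users"])
    p["groups"] = [(g, v["state"]) for g, v in inv["mygroups"].items()]
    p["users"] = [u["name"] for u in inv["users"]]
    p["group_membership"] = [(u["name"], g) for u, g in subelements(inv["users"], "groups")]
    p["authorized_keys"] = [
        (u["name"], k, 'environment="KEYID=%s"' % u["name"])
        for u, k in subelements(inv["users"], "keys")]
    p["sudoers"] = ["/etc/sudoers.d/%s-extra-sudoers" % u["name"]
                    for u, g in subelements(inv["users"], "groups") if g == "admins"]
    return p


def conflicts(inv):
    """Names both created and disabled: task order, not intent, decides the outcome."""
    active = {u["name"] for u in inv["users"]}
    return sorted(active & set(inv["absent_users"]))


def unmanaged_groups(inv):
    """Group memberships that refer to a group mygroups does not keep present."""
    present = {g for g, v in inv["mygroups"].items() if v["state"] == "present"}
    return sorted({g for _, g in subelements(inv["users"], "groups") if g not in present})


if __name__ == "__main__":
    for task, work in plan(INVENTORY).items():
        print(task, work)
    print("conflicts:", conflicts(INVENTORY))
    print("unmanaged groups:", unmanaged_groups(INVENTORY))
```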