Last active
October 9, 2024 11:12
-
-
Save trongnghia203/2d720280d74085d2330776274ee2c887 to your computer and use it in GitHub Desktop.
Ansible: Add/update/remove user
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # ----------------------------------------------------------------------------------------- | |
| # Purpose: To manage system users: | |
| # - create/upadate a user who is allowed accessing via ssh connection | |
| # - add public ssh-key of user into its authorized_keys | |
| # - allow user to use sudo by putting a config into /etc/sudoers.d/ | |
| # - remove authorized_keys of inactive users | |
| # - remove inactive users | |
| # - remove sudo permission by removing its config file in /etc/sudoers.d/ if any | |
| # Maintanance: Nghia Le [at] INFOTECHVIET | |
| # https://trongnghia203.github.io/ | |
| # https://www.linkedin.com/in/nghia-le | |
| # Updated Date: 12 October 2019 | |
| # Status: OK, tested ok with Ubuntu, CentOS | |
| # Usages: | |
| # 1. Change the hostname | |
| # 2. Review active users, inactive users | |
| # 3. Turn check_mode off to run as real | |
| # 3. Turn exclusive on if you want to | |
| # remove all other non-specified keys from the authorized_keys file; default no | |
| # ========================================================================================= | |
| - name: UPDATING SSH ACCESS RIGHTS | |
| hosts: your_host_here | |
| become: true | |
| check_mode: yes | |
| # ignore_unreachable: yes | |
| # ignore_errors: yes | |
| # serial: 1 | |
| vars: | |
| default_users: | |
| - username: ubuntu | |
| home: /home/ubuntu | |
| pub_key_file: ../files/authorized_keys/your_ssh_key.pub | |
| sudoer_group: sudo # correct with Ubuntu, if you're using CentOS, please change it to "wheel" group. | |
| active_users: | |
| - username: your_username | |
| home: /home/your_username | |
| pub_key_file: ../files/authorized_keys/id_rsa.pub | |
| remove_users: | |
| - username: unwanted_user | |
| pub_key_file: ../files/authorized_keys/unwanted_user.pub | |
| tasks: | |
| ## 1. ADD/UPDATE USER WITH AUTHORIZED SSH KEYS | |
| - name: Add/update active users | |
| user: | |
| name: "{{ item.username }}" | |
| home: "{{ item.home }}" | |
| move_home: yes | |
| shell: /bin/bash | |
| groups: "{{ sudoer_group }}" | |
| append: yes | |
| with_items: | |
| - "{{ default_users }}" | |
| - "{{ active_users }}" | |
| - name: Add/update authorized_keys for active users | |
| authorized_key: | |
| user: "{{ item.username }}" | |
| key: "{{ lookup('file', item.pub_key_file) }}" | |
| state: present | |
| exclusive: yes # Remove all other non-specified keys from the authorized_keys file; default no | |
| with_items: | |
| - "{{ default_users }}" | |
| - "{{ active_users }}" | |
| - name: Allow user to use sudo without password | |
| lineinfile: | |
| path: /etc/sudoers.d/{{ item.username }-allow-sudo | |
| regexp: "^{{ item.username }}" | |
| line: "{{ item.username }} ALL=(ALL) NOPASSWD:ALL" | |
| create: yes | |
| with_items: "{{ active_users }}" # BE CAREFUL, PLEASE DO NOT RUN WITH DEFAULT USER | |
| ## 2. REMOVE USER AND USER'S AUTHORIZED SSH KEYS, NOT REMOVE USER'S HOME DATA | |
| - name: Removing the authorized_keys of inactive users if any | |
| authorized_key: | |
| user: "{{ item.username }}" | |
| key: "{{ lookup('file', item.pub_key_file) }}" | |
| state: absent | |
| with_items: "{{ remove_users }}" | |
| - name: Removing user inactive users | |
| user: | |
| name: "{{ item.username }}" | |
| state: absent | |
| remove: no # Remove home user if yes; default no | |
| force: yes # works with remove is yes | |
| with_items: "{{ remove_users }}" | |
| - name: Removing from /etc/sudoers.d if existing | |
| file: | |
| path: /etc/sudoers.d/{{ item.username }}-allow-sudo | |
| state: absent | |
| with_items: "{{ remove_users }}" | |
| ... |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment