
ansible-role-admin-users's Introduction


Admin Users

Manage admin users, authorized keys and sudo access.

Support for Ansible versions < 2.8 was dropped as of version 0.9.0.

Requirements

The sudo package will be installed if not already installed. Amazon Linux also requires the shadow-utils package to be installed prior to running this role.

Role Variables

The following variables may be defined to customize this role:

  • admin_users: List of admin users to create or update; default is []. Each item in this list should be a hash with the following keys:

    • username: Username of the admin user (required).
    • fullname: Full name for the admin user (optional).
    • shell: Default shell for this user; admin_users_default_shell will be used if this key is omitted.
    • pubkey: The public key to associate with the given user. This value can be a string containing the content of the user's public key, a string containing a URL to a list of keys (e.g. https://github.com/username.keys), or a list of multiple strings containing either public key content or URLs. Support for lists of keys was added in 0.7.0.
    • pubkey_options: Additional options to pass to the authorized_key module (optional).
    • exclusive: Boolean indicating whether to remove all other public keys (optional).
  • admin_user_groups: Boolean indicating whether to create/remove groups with the same names as the admin users; default is true.

  • admin_users_sudo_nopasswd: Boolean indicating whether to enable sudo with the NOPASSWD option for admin users; default is true.

  • admin_users_default_shell: Default shell for admin users; default is "/bin/bash".

  • admin_users_to_remove: List of usernames to remove from the remote system; default is []. If admin_user_groups is true, groups with these usernames will also be removed.

Dependencies

None.

Example Playbook

The following playbook updates admin users on dev and prod servers with different options:

- hosts: dev-servers
  vars:
    dev_admin_users:
      - username: joe
        fullname: "Joe Dev"
        pubkey:
          - "ssh-rsa ..."
          - "ssh-dsa ..."
      - username: jim
        fullname: "Jim Dev"
        shell: "/bin/sh"
        pubkey: "https://github.com/jim.keys"
        exclusive: true
  roles:
    - role: cchurch.admin-users
      admin_users: "{{ dev_admin_users }}"
- hosts: prod-servers
  vars:
    prod_admin_users:
      - username: jon
        fullname: "Jon Admin"
        pubkey: "ssh-rsa ..."
  roles:
    - role: cchurch.admin-users
      admin_users: "{{ prod_admin_users }}"
      admin_users_sudo_nopasswd: false

License

BSD

Author Information

Chris Church (cchurch)

ansible-role-admin-users's People

Contributors

adherzog, cchurch


ansible-role-admin-users's Issues

Multiple SSH keys possible

Hi Chris, I like the role, helpful with my new ansible environment, I was wondering how I would easily add multiple SSH keys to a user? Thanks

Task "create admin user groups" fails

Hello, I am new to Ansible so forgive if I lack info that you may need

The role fails at the create admin user groups with the message 'unicode object' has no attribute 'username', I tried also to use admin_user_groups: false in the hope that the task would be skipped or something, but to no avail.

The target machines are 2x Ubuntu 16.04, 1x Debian 9, 1x ArchLinux (and one linux mint, but I know it is not supported)

ansible 2.4.3.0 on MacOS 10.12.6, role version latest 0.7.1

Let me know if you need more info or if I just did a n00b mistake, google didn't help me much!

Bare vars deprecation warning in Ansible 2

Getting a few of these when using the role on Ansible 2:

[DEPRECATION WARNING]: Using bare variables is deprecated. Update your playbooks so that the environment value uses the full 
variable syntax ('{{admin_users}}').
This feature will be removed in a future release. Deprecation warnings can be disabled by
 setting deprecation_warnings=False in ansible.cfg.

Easy fix - will be submitting a PR shortly.

exclusive + pubkey list results in only last key being added

When you specify a list of pubkeys for a single user:

      - username: admin
        exclusive: true
        pubkey:
          - "ssh-rsa ..."
          - "ssh-dsa ..."

only the final key is kept, the others are discarded.

As per the authorized_key docs

Multiple keys can be specified in a single key string value by separating them by newlines.
This option is not loop aware, so if you use with_ , it will be exclusive per iteration of the loop.
If you want multiple keys in the file you need to pass them all to key in a single batch as mentioned above.

(emphasis added)

Locked myself out of a couple of dev machines 😢
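
The behaviour reported in this issue and the single-batch approach the quoted authorized_key documentation describes, as an added example that is not the role's own task code: every key is passed in one newline-joined value so exclusive is applied once, and the file is read back before the session is closed. The `demo_user` and `demo_keys` variables, the placeholder keys and the `ak`/`ak_file` register names are assumptions made for the illustration, and the entries are assumed to be literal key content rather than URLs.

```yaml
# Added example, not the role's own tasks. demo_user and its keys are
# constructed placeholders; replace the key strings with real public keys.
- hosts: dev-servers
  become: true
  vars:
    demo_user:
      username: admin
      pubkey:                      # may also be a single string
        - "ssh-ed25519 AAAA...placeholder-1 admin@laptop"
        - "ssh-ed25519 AAAA...placeholder-2 admin@desktop"
    # Normalise string-or-list to a flat list of key strings.
    demo_keys: "{{ [demo_user.pubkey] | flatten }}"
  tasks:
    # Pattern that causes the lockout: exclusive is evaluated on every
    # iteration, so each pass rewrites the file with only that one key.
    # - authorized_key:
    #     user: "{{ demo_user.username }}"
    #     key: "{{ item }}"
    #     exclusive: true
    #   loop: "{{ demo_keys }}"

    - name: Install all keys for the user in a single batch
      authorized_key:
        user: "{{ demo_user.username }}"
        key: "{{ demo_keys | join('\n') }}"
        exclusive: true
      register: ak

    - name: Read back the resulting authorized_keys file
      slurp:
        src: "{{ ak.keyfile }}"
      register: ak_file

    - name: Fail if any expected key body is missing from the file
      assert:
        that:
          - item.split()[1] in (ak_file.content | b64decode)
        fail_msg: "key missing from {{ ak.keyfile }}; keep this session open"
      loop: "{{ demo_keys }}"
```

Run it against a single host first and keep the existing SSH session open until the final assertion passes.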
