Files
a13labs.infra/ansible/roles/login/tasks/main.yml
T
alexandre.pires b692627317 Add configuration and playbook for virtualization host setup
- Create host variable file for vh-01.alexpires.dev with user, SSH, firewall, and VM configurations.
- Update playbook_duo_security.yml to target the 2fa group.
- Introduce playbook_virt_host.yml for setting up GPU passthrough on Fedora with QEMU/KVM.
- Add required collections to requirements.yml for Podman and Libvirt.
- Modify ctrlaltdel.yml to remove existing symlink for ctrl-alt-del.target before masking it.
- Enhance users.yml to show warnings for users that could not be removed.
- Update Duo Security role to use the correct repository and package names.
- Improve login role to handle user UID and group assignments.
- Create udev rules template for NVMe devices.
- Add blacklist template for VFIO drivers.
- Implement domain XML template for virtual machines with detailed configurations.
- Update inventory to include vh-01.alexpires.dev in relevant groups.
- Refactor cpu_power_monitor.py for improved error handling and modularity.
2025-05-31 00:28:04 +02:00

63 lines
2.1 KiB
YAML

---
- name: Read salt from environment
ansible.builtin.set_fact:
user_password_salt: "{{ lookup('env', 'USER_PASSWORD_SALT') | default('') }}"
- name: Adding ssh users
become: true
ansible.builtin.user:
name: "{{ item.username }}"
comment: "{{ item.comment }} ( Managed by ansible )"
password: "{{ lookup('env', 'USER_PASSWORD_' + (item.username | upper)) | password_hash('sha512', user_password_salt) }}"
state: "{{ 'absent' if item.enabled is defined and not item.enabled else 'present' }}"
shell: "{{ item.shell if item.shell is defined else '/bin/bash' }}"
groups: "{{ item.groups | default(omit) }}"
uid: "{{ item.uid | default(omit) }}"
loop: "{{ login_users }}"
- name: Disable password expiration
ansible.builtin.command: chage -M -1 "{{ item.username }}"
become: true
when: item.password_expiration is defined and not item.password_expiration
loop: "{{ login_users }}"
- name: Disable password login
ansible.builtin.command: passwd -d "{{ item.username }}"
become: true
when: item.password_disabled is defined and item.password_disabled
loop: "{{ login_users }}"
- name: "Add SSH Authorized key"
become: true
ansible.posix.authorized_key:
user: "{{ item.username }}"
key: "{{ item.pubkey }}"
state: "{{ 'present' if item.pubkey is defined else 'absent' }}"
when: item.pubkey is defined
loop: "{{ login_users }}"
- name: Create sudoers.d entry if user allowed
become: true
ansible.builtin.copy:
dest: "/etc/sudoers.d/{{ item.username }}"
content: |
{{ item.username }} ALL=({{ 'root' if item.sudoer_root_only is defined and item.sudoer_root_only else 'ALL' }}) {{ 'NOPASSWD:' if item.sudoer_no_password is defined and item.sudoer_no_password else '' }}ALL
owner: root
group: root
mode: "0600"
when: item.sudoer is defined and item.sudoer
loop: "{{ login_users }}"
- name: Disable user history
become: true
ansible.builtin.copy:
dest: "/etc/profile.d/disable_history.sh"
content: |
#!/bin/bash
readonly PROMPT_COMMAND='history -a'
readonly HISTFILE=/dev/null
owner: root
group: root
mode: "0755"