From bbced59f27d07563734cd0b3cb3da5e4e77634ae Mon Sep 17 00:00:00 2001
From: Emil Renner Berthing <esmil@labitat.dk>
Date: Sun, 13 Jan 2019 20:07:50 +0100
Subject: users: add more flexible user management

Now user data is in roles/users/defaults/main.yml
and each server should have a hash like this

users:
  'foo': sudo
  'bar': true
  'baz': false
  #'qux': false

This means the user foo will be created with sudo
access, the user bar will be created without sudo
access, while baz and qux will be removed.
---
 roles/users/tasks/main.yml | 71 ++++++++++++++++++++++++++++++++--------------
 1 file changed, 49 insertions(+), 22 deletions(-)

(limited to 'roles/users/tasks/main.yml')

diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml
index cf21626..23a4945 100644
--- a/roles/users/tasks/main.yml
+++ b/roles/users/tasks/main.yml
@@ -3,37 +3,64 @@
   tags:
   - users
   - root
-- import_tasks: esmil.yml
-  tags:
-  - users
-  - esmil
-- import_tasks: ast.yml
-  tags:
-  - users
-  - ast
-- import_tasks: flummer.yml
-  tags:
-  - users
-  - flummer
-- import_tasks: riiiis.yml
+
+- name: Create users
+  user:
+    name: '{{ item }}'
+    state: present
+    comment: '{{ userdata[item].name }}'
+    shell: "{{ ('shell' in userdata[item])|ternary(userdata[item].shell,'/bin/bash') }}"
+    uid: '{{ userdata[item].uid }}'
+    group: users
+    groups: "{{ (users[item] == 'sudo')|ternary([sudo_group],[]) }}"
+  with_items: '{{ users|dictsort()|selectattr(1)|map(attribute=0)|list }}'
   tags:
   - users
-  - riiiis
-- import_tasks: knielsen.yml
+
+- name: Create .ssh directories
+  file:
+    path: '~{{ item }}/.ssh'
+    state: directory
+    owner: '{{ item }}'
+    group: users
+    mode: 0700
+  with_items: '{{ users|dictsort()|selectattr(1)|map(attribute=0)|list }}'
+  when: "'authorized_keys' in userdata[item]"
   tags:
   - users
-  - knielsen
-- import_tasks: k2OS.yml
+
+- name: Create authorized_keys
+  template:
+    dest: '~{{ item }}/.ssh/authorized_keys'
+    src: authorized_keys.j2
+    owner: '{{ item }}'
+    group: users
+    mode: 0600
+  with_items: '{{ users|dictsort()|selectattr(1)|map(attribute=0)|list }}'
+  when: "'authorized_keys' in userdata[item]"
   tags:
   - users
-  - k2OS
-- import_tasks: signout.yml
+
+- name: Include user tasks
+  include_tasks:
+    file: '{{ user }}.yml'
+    apply:
+      tags:
+      - users
+  with_items: '{{ users|dictsort()|selectattr(1)|map(attribute=0)|list }}'
+  loop_control:
+    loop_var: user
+  when: "'tasks' in userdata[user] and userdata[user].tasks"
   tags:
   - users
-  - signout
-- import_tasks: semi.yml
+
+- name: Remove users
+  user:
+    name: '{{ item }}'
+    state: absent
+    remove: yes
+  with_items: '{{ userdata|dictsort()|map(attribute=0)|difference(users|dictsort()|selectattr(1)|map(attribute=0))|list }}'
   tags:
   - users
-  - semi
 
 # vim: set ts=2 sw=2 et:
-- 
cgit v1.2.1