From 50c3e0f94e07e6ae985989c0e722038f4a9b6be5 Mon Sep 17 00:00:00 2001
From: Kristian Klausen
Date: Thu, 24 Jun 2021 20:44:03 +0200
Subject: [PATCH] archusers: Support restricting users to specific hosts

---
 roles/archusers/tasks/main.yml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/roles/archusers/tasks/main.yml b/roles/archusers/tasks/main.yml
index dc069496..595e2b2e 100644
--- a/roles/archusers/tasks/main.yml
+++ b/roles/archusers/tasks/main.yml
@@ -4,6 +4,11 @@
   group: name="{{ item }}" state=present system=no
   with_items: "{{ arch_groups }}"
 
+- name: filter arch_users for users with non-matching hosts
+  set_fact: arch_users_filtered="{{ (arch_users_filtered | default([])) + [ item ] }}"
+  when: item.value.hosts is not defined or inventory_hostname in item.value.hosts
+  with_dict: "{{ arch_users }}"
+
 - name: create Arch Linux-specific users
   user:
     name: "{{ item.key }}"
@@ -14,21 +19,21 @@
     password: ""
     update_password: on_create
     state: present
-  with_dict: "{{ arch_users }}"
+  loop: "{{ arch_users_filtered }}"
 
 - name: create .ssh directory
   file: path=/home/{{ item.key }}/.ssh state=directory owner={{ item.key }} group=users mode=0700
-  with_dict: "{{ arch_users }}"
+  loop: "{{ arch_users_filtered }}"
 
 - name: configure ssh keys
   template: src=authorized_keys.j2 dest=/home/{{ item.key }}/.ssh/authorized_keys owner={{ item.key }} group=users mode=0600
   when: item.value.ssh_key is defined
-  with_dict: "{{ arch_users }}"
+  loop: "{{ arch_users_filtered }}"
 
 - name: remove ssh keys if undefined
   file: path=/home/{{ item.key }}/.ssh/authorized_keys state=absent
   when: item.value.ssh_key is not defined
-  with_dict: "{{ arch_users }}"
+  loop: "{{ arch_users_filtered }}"
 
 - name: get list of remote users
   find: paths="/home" file_type="directory"
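Review bot: The membership test in the added `when` turns into a substring search whenever someone writes a scalar such as `hosts: gemini` instead of a list, so `inventory_hostname in item.value.hosts` is also true for any host whose name is a substring of that value (`gem`, `ini`), which silently widens the restriction this commit introduces. The accumulating `set_fact` has two further edge cases: it never runs on a host that no `arch_users` entry applies to, leaving `arch_users_filtered` undefined for the loops below, and because set_fact results are cached per host for the rest of the run (as far as I can tell), a second inclusion of the role in the same playbook would append to the previous list instead of rebuilding it. I would assert that `hosts`, when present, is a real list and reset the fact to `[]` right before the filter task, as below.
```yaml
- name: ensure arch_users host restrictions are lists, not strings
  assert:
    that: item.value.hosts is not defined or (item.value.hosts is sequence and item.value.hosts is not string)
    fail_msg: "arch_users.{{ item.key }}.hosts must be a list of inventory hostnames"
  with_dict: "{{ arch_users }}"

- name: reset arch_users_filtered so repeated runs do not accumulate
  set_fact:
    arch_users_filtered: []

# … unchanged: filter arch_users for users with non-matching hosts …
```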
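Review bot: Each `loop: "{{ arch_users_filtered }}"` on the new side fails with an undefined-variable error on a host where no `arch_users` entry applies, because the fact is only ever set inside the filter task's `when` branch, and a host that every user is restricted away from is exactly the configuration this commit makes possible. Either initialise the fact before the filter task or write the four loops as `loop: "{{ arch_users_filtered | default([]) }}"` so they simply iterate nothing on such a host. The loop items keep the `with_dict` shape (`item.key`/`item.value`) since the fact stores those items verbatim, so the module arguments need no change.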
@@ -37,5 +42,5 @@ # TODO: this removes the keys of svn-packages and svn-community on gemini temporarily. add some form of whitelist for those users? - name: disable ssh keys of disabled users file: path="/home/{{ item }}/.ssh/authorized_keys" state=absent - when: item not in arch_users + when: item not in (arch_users_filtered | map(attribute='key')) with_items: "{{ all_users.files | map(attribute='path') | map('basename') | list }}"
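Review bot: `arch_users_filtered | map(attribute='key')` in the new `when` is a lazy generator rebuilt for every directory found under /home; appending `| list` makes the intent explicit and avoids leaning on `in` over a generator, e.g. `when: item not in (arch_users_filtered | map(attribute='key') | list)`. This task is also the one that actually locks out users restricted to other hosts, since they drop out of the filtered list and their authorized_keys file is removed, which is the right fail-closed behaviour; do not soften the expression with `default([])` here, because an undefined fact would then delete every key on the host rather than fail the play. The TODO on the context line above about svn-packages / svn-community still stands after this change.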