Revisions

  1. @trongnghia203 revised this gist Jun 26, 2020. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion ansible_update_user.yml
    @@ -7,7 +7,7 @@
    # - remove authorized_keys of inactive users
    # - remove inactive users
    # - remove sudo permission by removing its config file in /etc/sudoers.d/ if any
    # Maintanance: @Nghia Le [at] INFOTECHVIET
    # Maintanance: Nghia Le [at] INFOTECHVIET
    # https://trongnghia203.github.io/
    # https://www.linkedin.com/in/nghia-le
    # Updated Date: 12 October 2019
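Review bot: the header line this hunk edits still misspells "Maintenance" as "Maintanance" on both the removed and the added version; since the revision already rewrites that exact line to drop the "@", correct the spelling in the same change instead of leaving a known typo in the file header.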
  2. @trongnghia203 revised this gist Jun 26, 2020. No changes.
  3. @trongnghia203 revised this gist Jun 26, 2020. No changes.
  4. @trongnghia203 revised this gist Jun 26, 2020. No changes.
  5. @trongnghia203 revised this gist Oct 12, 2019. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion ansible_update_user.yml
    @@ -19,7 +19,7 @@
    # 3. Turn exclusive on if you want to
    # remove all other non-specified keys from the authorized_keys file; default no
    # =========================================================================================
    - name: UPDATING FLO SSH ACCESS RIGHTS
    - name: UPDATING SSH ACCESS RIGHTS
    hosts: your_host_here
    become: true
    check_mode: yes
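Review bot: `check_mode: yes` remains hard-coded in the play header below the renamed play, so the playbook can only ever dry-run until someone edits the source, and that edit is easy to forget to revert after a real run against a fleet. Drop the key from the play and choose between dry run and apply at invocation time with `ansible-playbook --check`; that keeps the same safety net without a source change between the two modes, and a reviewer can tell from the command line which one was executed.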
  6. @trongnghia203 created this gist Oct 12, 2019.
    100 changes: 100 additions & 0 deletions ansible_update_user.yml
    @@ -0,0 +1,100 @@
    ---
    # -----------------------------------------------------------------------------------------
    # Purpose: To manage system users:
    # - create/upadate a user who is allowed accessing via ssh connection
    # - add public ssh-key of user into its authorized_keys
    # - allow user to use sudo by putting a config into /etc/sudoers.d/
    # - remove authorized_keys of inactive users
    # - remove inactive users
    # - remove sudo permission by removing its config file in /etc/sudoers.d/ if any
    # Maintanance: @Nghia Le [at] INFOTECHVIET
    # https://trongnghia203.github.io/
    # https://www.linkedin.com/in/nghia-le
    # Updated Date: 12 October 2019
    # Status: OK, tested ok with Ubuntu, CentOS
    # Usages:
    # 1. Change the hostname
    # 2. Review active users, inactive users
    # 3. Turn check_mode off to run as real
    # 3. Turn exclusive on if you want to
    # remove all other non-specified keys from the authorized_keys file; default no
    # =========================================================================================
    - name: UPDATING FLO SSH ACCESS RIGHTS
    hosts: your_host_here
    become: true
    check_mode: yes
    # ignore_unreachable: yes
    # ignore_errors: yes
    # serial: 1

    vars:
    default_users:
    - username: ubuntu
    home: /home/ubuntu
    pub_key_file: ../files/authorized_keys/your_ssh_key.pub

    sudoer_group: sudo # correct with Ubuntu, if you're using CentOS, please change it to "wheel" group.

    active_users:
    - username: your_username
    home: /home/your_username
    pub_key_file: ../files/authorized_keys/id_rsa.pub

    remove_users:
    - username: unwanted_user
    pub_key_file: ../files/authorized_keys/unwanted_user.pub

    tasks:
    ## 1. ADD/UPDATE USER WITH AUTHORIZED SSH KEYS
    - name: Add/update active users
    user:
    name: "{{ item.username }}"
    home: "{{ item.home }}"
    move_home: yes
    shell: /bin/bash
    groups: "{{ sudoer_group }}"
    append: yes
    with_items:
    - "{{ default_users }}"
    - "{{ active_users }}"

    - name: Add/update authorized_keys for active users
    authorized_key:
    user: "{{ item.username }}"
    key: "{{ lookup('file', item.pub_key_file) }}"
    state: present
    exclusive: yes # Remove all other non-specified keys from the authorized_keys file; default no
    with_items:
    - "{{ default_users }}"
    - "{{ active_users }}"

    - name: Allow user to use sudo without password
    lineinfile:
    path: /etc/sudoers.d/{{ item.username }-allow-sudo
    regexp: "^{{ item.username }}"
    line: "{{ item.username }} ALL=(ALL) NOPASSWD:ALL"
    create: yes
    with_items: "{{ active_users }}" # BE CAREFUL, PLEASE DO NOT RUN WITH DEFAULT USER

    ## 2. REMOVE USER AND USER'S AUTHORIZED SSH KEYS, NOT REMOVE USER'S HOME DATA
    - name: Removing the authorized_keys of inactive users if any
    authorized_key:
    user: "{{ item.username }}"
    key: "{{ lookup('file', item.pub_key_file) }}"
    state: absent
    with_items: "{{ remove_users }}"

    - name: Removing user inactive users
    user:
    name: "{{ item.username }}"
    state: absent
    remove: no # Remove home user if yes; default no
    force: yes # works with remove is yes
    with_items: "{{ remove_users }}"

    - name: Removing from /etc/sudoers.d if existing
    file:
    path: /etc/sudoers.d/{{ item.username }}-allow-sudo
    state: absent
    with_items: "{{ remove_users }}"
    ...
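Review bot: the `path` in the "Allow user to use sudo without password" task is missing a closing brace, `path: /etc/sudoers.d/{{ item.username }-allow-sudo`, so the template will not render; once fixed it must match the `/etc/sudoers.d/{{ item.username }}-allow-sudo` used by the "Removing from /etc/sudoers.d if existing" task, otherwise a revoked user keeps the NOPASSWD drop-in that grants root. On the same task, `lineinfile` with `create: yes` writes the sudoers.d file with the default mode and no syntax check; add `mode: '0440'` and `validate: '/usr/sbin/visudo -cf %s'` (both are supported by lineinfile), because a drop-in with the wrong mode or a syntax error is at best ignored by sudo and at worst breaks sudo for every account on the host. The removal block is also not safe to re-run: `authorized_key` fails when the named user does not exist, so after the first successful run every later run errors on the already-deleted `remove_users` entries; deleting the account already removes its authorized_keys, so either drop that task or guard it on the user still existing. Minor: the "Usages" list numbers two steps "3.", and `force: yes` has no effect while `remove: no`, as the inline comment itself notes.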