authorChristian Pointner <equinox@spreadspace.org>2024-04-22 19:53:43 +0200
committerChristian Pointner <equinox@spreadspace.org>2024-04-22 19:53:43 +0200
commitc17fccec08689065c8f4f902544e984521c7437b (patch)
tree762e7e346682fefa054e69391bdb85ba6f8f76b0 /roles/core/users
parentch-apps: upgrade whawty-auth to latest release (diff)
revamp: user/group handling
Diffstat (limited to 'roles/core/users')
-rw-r--r--roles/core/users/tasks/Debian.yml6
-rw-r--r--roles/core/users/tasks/OpenBSD.yml14
-rw-r--r--roles/core/users/tasks/main.yml46
-rw-r--r--roles/core/users/vars/Debian.yml5
-rw-r--r--roles/core/users/vars/OpenBSD.yml4
-rw-r--r--roles/core/users/vars/main.yml3
6 files changed, 78 insertions, 0 deletions
diff --git a/roles/core/users/tasks/Debian.yml b/roles/core/users/tasks/Debian.yml
new file mode 100644
index 00000000..a4827df9
--- /dev/null
+++ b/roles/core/users/tasks/Debian.yml
@@ -0,0 +1,6 @@
+---
+- name: install sudo
+ when: (admin_users | length) > 0
+ apt:
+ name: sudo
+ state: present
diff --git a/roles/core/users/tasks/OpenBSD.yml b/roles/core/users/tasks/OpenBSD.yml
new file mode 100644
index 00000000..d04d3d7a
--- /dev/null
+++ b/roles/core/users/tasks/OpenBSD.yml
@@ -0,0 +1,14 @@
+---
+- name: install sudo
+ when: (admin_users | length) > 0
+ openbsd_pkg:
+ name: sudo--
+ state: present
+
+- name: allow wheel group to use sudo
+ when: (admin_users | length) > 0
+ lineinfile:
+ regexp: '^#?\s*%wheel(\s+)ALL=\(ALL\) SETENV: ALL$'
+ line: '%wheel\1ALL=(ALL) SETENV: ALL'
+ backrefs: yes
+ dest: /etc/sudoers
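Review bot: The `lineinfile` edit of /etc/sudoers at the end of the hunk has no `validate:`, so a malformed result is written in place and sudo then rejects the whole file, locking out exactly the wheel users this task is meant to enable; add `validate: 'visudo -cf %s'` to the module arguments so the change is checked in a temp copy first. Two smaller points on the same task: `backrefs: yes` is a YAML 1.1 truthy spelling and should be `backrefs: true`, and `dest:` is a legacy alias, `path: /etc/sudoers` is the canonical name. Note also that with `backrefs` set, a sudoers file that does not contain the `%wheel` line (commented or not) is left untouched without any error, so the task silently does not grant wheel sudo access in that case; if that is possible on the targeted OpenBSD releases, a `failed_when` on the task's `changed`/match result or a fallback line is needed.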
diff --git a/roles/core/users/tasks/main.yml b/roles/core/users/tasks/main.yml
new file mode 100644
index 00000000..43fe92f4
--- /dev/null
+++ b/roles/core/users/tasks/main.yml
@@ -0,0 +1,46 @@
+---
+- name: load os/distrubtion/version specific variables
+ include_vars: "{{ item }}"
+ with_first_found:
+ - files:
+ - "{{ ansible_distribution_release }}.yml"
+ - "{{ ansible_distribution }}.yml"
+ - "{{ ansible_os_family }}.yml"
+
+- name: load os/distrubtion/version specific tasks
+ vars:
+ params:
+ files:
+ - "{{ ansible_distribution_release }}.yml"
+ - "{{ ansible_distribution }}.yml"
+ - "{{ ansible_os_family }}.yml"
+ loop: "{{ q('first_found', params) }}"
+ loop_control:
+ loop_var: tasks_file
+ include_tasks: "{{ tasks_file }}"
+
+- name: add normal users
+ loop: "{{ normal_users | difference(admin_users) }}"
+ user:
+ name: "{{ item }}"
+ state: present
+ password: "{{ hostvars[inventory_hostname]['vault_user_password_'+item] }}" ## TODO: find nicer way to do this
+ shell: "{{ users[item].shell | default(admin_users_default_shell) }}"
+
+- name: add admin users
+ loop: "{{ admin_users }}"
+ user:
+ name: "{{ item }}"
+ state: present
+ password: "{{ hostvars[inventory_hostname]['vault_user_password_'+item] }}" ## TODO: find nicer way to do this
+ groups: "{{ admin_users_groups }}"
+ append: yes
+ shell: "{{ users[item].shell | default(admin_users_default_shell) }}"
+
+- name: install ssh keys for users
+ loop: "{{ normal_users | union(admin_users) }}"
+ when: "'ssh' in users[item]"
+ authorized_key:
+ user: "{{ item }}"
+ key: "{{ users[item].ssh | join('\n') }}"
+ exclusive: yes
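Review bot: Group membership is only ever added, never revoked: the "add admin users" task uses `append: yes`, and the "add normal users" task sets no `groups` at all, so a user moved from `admin_users` to `normal_users` keeps sudo/wheel membership, and a user dropped from both lists stays on the host with their authorized keys intact. If removal is handled elsewhere, a comment above "add normal users" saying so would help; otherwise a `state: absent` task over a list of former users, or an explicit `groups` for normal users, is needed. The `user` module's `password` expects an already-hashed value, so if the `vault_user_password_<name>` entries are plaintext they would land verbatim in the shadow file; that expectation is worth stating at the TODO on the password lines, e.g. `## value must be a crypt(3) hash, not a plaintext password`. Also `distrubtion` in both include task names is a typo, and `yes` for `append` and `exclusive` should be `true`.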
diff --git a/roles/core/users/vars/Debian.yml b/roles/core/users/vars/Debian.yml
new file mode 100644
index 00000000..af8d20ca
--- /dev/null
+++ b/roles/core/users/vars/Debian.yml
@@ -0,0 +1,5 @@
+---
+admin_users_default_shell: /bin/zsh
+admin_users_groups:
+ - sudo
+ - adm
diff --git a/roles/core/users/vars/OpenBSD.yml b/roles/core/users/vars/OpenBSD.yml
new file mode 100644
index 00000000..a1d958d6
--- /dev/null
+++ b/roles/core/users/vars/OpenBSD.yml
@@ -0,0 +1,4 @@
+---
+admin_users_default_shell: /usr/local/bin/zsh
+admin_users_groups:
+ - wheel
diff --git a/roles/core/users/vars/main.yml b/roles/core/users/vars/main.yml
new file mode 100644
index 00000000..7d34279b
--- /dev/null
+++ b/roles/core/users/vars/main.yml
@@ -0,0 +1,3 @@
+---
+normal_users: "{{ normal_users_group | union(normal_users_host) }}"
+admin_users: "{{ admin_users_group | union(admin_users_host) }}"
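Review bot: Both expressions assume `normal_users_group`, `normal_users_host`, `admin_users_group` and `admin_users_host` are defined for every host that runs the role; a host missing any one of them fails at the first task that references `admin_users` or `normal_users`, even when the intended value is simply an empty list. Unless the inventory guarantees them, give each input a fallback: `normal_users: "{{ normal_users_group | default([]) | union(normal_users_host | default([])) }}"` and the same shape for `admin_users`. Since these live in `vars/` rather than `defaults/`, inventory cannot override the composed lists themselves, which looks intentional but deserves a one-line comment above them.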