2023-04-13 11:02:04 +00:00
|
|
|
|
- hosts: demo
|
|
|
|
|
gather_facts: no
|
|
|
|
|
tasks:
|
2023-07-28 09:00:55 +00:00
|
|
|
|
- name: "Test privileged {{ jms_account.username }} account"
|
2023-04-13 11:02:04 +00:00
|
|
|
|
ansible.builtin.ping:
|
|
|
|
|
|
2023-07-28 09:00:55 +00:00
|
|
|
|
- name: "Check if {{ account.username }} user exists"
|
|
|
|
|
getent:
|
|
|
|
|
database: passwd
|
|
|
|
|
key: "{{ account.username }}"
|
|
|
|
|
register: user_info
|
|
|
|
|
ignore_errors: yes # 忽略错误,如果用户不存在时不会导致playbook失败
|
|
|
|
|
|
|
|
|
|
- name: "Add {{ account.username }} user"
|
2023-04-13 11:02:04 +00:00
|
|
|
|
ansible.builtin.user:
|
|
|
|
|
name: "{{ account.username }}"
|
|
|
|
|
shell: "{{ params.shell }}"
|
2023-05-24 09:35:14 +00:00
|
|
|
|
home: "{{ params.home | default('/home/' + account.username, true) }}"
|
2023-04-13 11:02:04 +00:00
|
|
|
|
groups: "{{ params.groups }}"
|
|
|
|
|
expires: -1
|
|
|
|
|
state: present
|
2023-07-28 09:00:55 +00:00
|
|
|
|
when: user_info.failed
|
2023-04-13 11:02:04 +00:00
|
|
|
|
|
|
|
|
|
- name: "Add {{ account.username }} group"
|
|
|
|
|
ansible.builtin.group:
|
|
|
|
|
name: "{{ account.username }}"
|
|
|
|
|
state: present
|
2023-07-28 09:00:55 +00:00
|
|
|
|
when: user_info.failed
|
2023-04-13 11:02:04 +00:00
|
|
|
|
|
2023-07-28 09:00:55 +00:00
|
|
|
|
- name: "Add {{ account.username }} user to group"
|
2023-04-13 11:02:04 +00:00
|
|
|
|
ansible.builtin.user:
|
|
|
|
|
name: "{{ account.username }}"
|
|
|
|
|
groups: "{{ params.groups }}"
|
2023-07-28 09:00:55 +00:00
|
|
|
|
when:
|
|
|
|
|
- user_info.failed
|
|
|
|
|
- params.groups
|
2023-04-13 11:02:04 +00:00
|
|
|
|
|
2023-07-28 09:00:55 +00:00
|
|
|
|
- name: "Change {{ account.username }} password"
|
2023-04-13 11:02:04 +00:00
|
|
|
|
ansible.builtin.user:
|
|
|
|
|
name: "{{ account.username }}"
|
|
|
|
|
password: "{{ account.secret | password_hash('sha512') }}"
|
|
|
|
|
update_password: always
|
2023-05-19 08:09:32 +00:00
|
|
|
|
ignore_errors: true
|
2023-04-13 11:02:04 +00:00
|
|
|
|
when: account.secret_type == "password"
|
|
|
|
|
|
|
|
|
|
- name: remove jumpserver ssh key
|
|
|
|
|
ansible.builtin.lineinfile:
|
|
|
|
|
dest: "{{ ssh_params.dest }}"
|
|
|
|
|
regexp: "{{ ssh_params.regexp }}"
|
|
|
|
|
state: absent
|
|
|
|
|
when:
|
|
|
|
|
- account.secret_type == "ssh_key"
|
|
|
|
|
- ssh_params.strategy == "set_jms"
|
|
|
|
|
|
2023-07-28 09:00:55 +00:00
|
|
|
|
- name: "Change {{ account.username }} SSH key"
|
2023-04-13 11:02:04 +00:00
|
|
|
|
ansible.builtin.authorized_key:
|
|
|
|
|
user: "{{ account.username }}"
|
|
|
|
|
key: "{{ account.secret }}"
|
|
|
|
|
exclusive: "{{ ssh_params.exclusive }}"
|
|
|
|
|
when: account.secret_type == "ssh_key"
|
|
|
|
|
|
2023-07-28 09:00:55 +00:00
|
|
|
|
- name: "Set {{ account.username }} sudo setting"
|
2023-04-13 11:02:04 +00:00
|
|
|
|
ansible.builtin.lineinfile:
|
|
|
|
|
dest: /etc/sudoers
|
|
|
|
|
state: present
|
|
|
|
|
regexp: "^{{ account.username }} ALL="
|
|
|
|
|
line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
|
|
|
|
|
validate: visudo -cf %s
|
|
|
|
|
when:
|
2023-07-28 09:00:55 +00:00
|
|
|
|
- user_info.failed
|
2023-04-13 11:02:04 +00:00
|
|
|
|
- params.sudo
|
|
|
|
|
|
|
|
|
|
- name: Refresh connection
|
|
|
|
|
ansible.builtin.meta: reset_connection
|
|
|
|
|
|
2023-08-08 09:26:29 +00:00
|
|
|
|
- name: "Verify {{ account.username }} password (paramiko)"
|
|
|
|
|
ssh_ping:
|
|
|
|
|
login_user: "{{ account.username }}"
|
|
|
|
|
login_password: "{{ account.secret }}"
|
|
|
|
|
login_host: "{{ jms_asset.address }}"
|
|
|
|
|
login_port: "{{ jms_asset.port }}"
|
|
|
|
|
gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
|
|
|
|
|
become: false
|
2023-04-13 11:02:04 +00:00
|
|
|
|
when: account.secret_type == "password"
|
2023-08-08 09:26:29 +00:00
|
|
|
|
delegate_to: localhost
|
2023-04-13 11:02:04 +00:00
|
|
|
|
|
2023-08-08 09:26:29 +00:00
|
|
|
|
- name: "Verify {{ account.username }} SSH KEY (paramiko)"
|
|
|
|
|
ssh_ping:
|
|
|
|
|
login_host: "{{ jms_asset.address }}"
|
|
|
|
|
login_port: "{{ jms_asset.port }}"
|
|
|
|
|
login_user: "{{ account.username }}"
|
|
|
|
|
login_private_key_path: "{{ account.private_key_path }}"
|
|
|
|
|
gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
|
|
|
|
|
become: false
|
2023-04-13 11:02:04 +00:00
|
|
|
|
when: account.secret_type == "ssh_key"
|
2023-08-08 09:26:29 +00:00
|
|
|
|
delegate_to: localhost
|
|
|
|
|
|