jumpserver/apps/accounts/automations/change_secret/host/posix/main.yml

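---
# Rotate (or first provision) a POSIX account's secret on the target host.
#
# Flow: confirm the privileged (jms) account can reach the host -> create the
# managed user if it is absent -> set the new password or SSH key -> optionally
# grant sudo -> drop the connection and log back in AS THE MANAGED USER with the
# new secret, so a rotation that silently did not take is reported as a failure.
#
# Inputs are supplied by the JumpServer runner as extra vars. Shapes below are
# read from how this play uses them — confirm against the caller:
#   jms_account.username          privileged account the play runs as
#   jms_asset.address / .port     target host; .ansible_ssh_common_args optional
#   account.username / .secret    managed account and its NEW secret
#   account.secret_type           "password" | "ssh_key"
#   account.private_key_path      controller-side path of the new key (ssh_key)
#   params.shell/.home/.groups/.sudo   provisioning options for a new user
#   ssh_params.dest/.regexp/.strategy/.exclusive   authorized_keys handling
- hosts: demo
  gather_facts: false
  tasks:
    - name: "Test privileged {{ jms_account.username }} account"
      ansible.builtin.ping:

    - name: "Check if {{ account.username }} user exists"
      getent:
        database: passwd
        key: "{{ account.username }}"
      register: user_info
      # A missing user is an expected outcome here, not an error: the failed
      # result is only used as the "create it" signal by the tasks below.
      ignore_errors: true

    - name: "Add {{ account.username }} user"
      ansible.builtin.user:
        name: "{{ account.username }}"
        shell: "{{ params.shell }}"
        home: "{{ params.home | default('/home/' + account.username, true) }}"
        groups: "{{ params.groups }}"
        # Managed service account: never let the OS expire it.
        expires: -1
        state: present
      when: user_info is failed

    - name: "Add {{ account.username }} group"
      ansible.builtin.group:
        name: "{{ account.username }}"
        state: present
      when: user_info is failed

    # Supplementary groups are already set by the creation task above; this
    # re-applies them (no `append`, so the list is authoritative, not additive).
    - name: "Add {{ account.username }} user to group"
      ansible.builtin.user:
        name: "{{ account.username }}"
        groups: "{{ params.groups }}"
      when:
        - user_info is failed
        - params.groups

    - name: "Change {{ account.username }} password"
      ansible.builtin.user:
        name: "{{ account.username }}"
        # Hash on the controller; only the sha512-crypt hash reaches the host.
        # password_hash() picks a fresh random salt each run, so this task is
        # always "changed" — acceptable because update_password is always.
        password: "{{ account.secret | password_hash('sha512') }}"
        update_password: always
      # Deliberate: a failure here must not abort the play, so the verification
      # login below runs and reports the rotation as failed with a real cause.
      ignore_errors: true
      when: account.secret_type == "password"

    # With the "set_jms" strategy the previous JumpServer key line is removed
    # first; ssh_params.regexp must match only that line, or unrelated keys of
    # the managed user are dropped as well.
    - name: remove jumpserver ssh key
      ansible.builtin.lineinfile:
        dest: "{{ ssh_params.dest }}"
        regexp: "{{ ssh_params.regexp }}"
        state: absent
      when:
        - account.secret_type == "ssh_key"
        - ssh_params.strategy == "set_jms"

    - name: "Change {{ account.username }} SSH key"
      ansible.builtin.authorized_key:
        user: "{{ account.username }}"
        key: "{{ account.secret }}"
        # exclusive=true wipes every other key in the user's authorized_keys;
        # the caller must only request it when JumpServer owns that file.
        exclusive: "{{ ssh_params.exclusive }}"
      when: account.secret_type == "ssh_key"

    - name: "Set {{ account.username }} sudo setting"
      ansible.builtin.lineinfile:
        dest: /etc/sudoers
        state: present
        # Escape the username so a '.' or other regex metacharacter cannot
        # match — and overwrite — a different account's sudoers entry.
        regexp: "^{{ account.username | regex_escape() }} ALL="
        # NOPASSWD is a deliberate privilege grant; params.sudo lands in sudoers
        # verbatim, so it must be a vetted command spec, not free-form input.
        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
        # Refuse to install an unparseable sudoers file (would break sudo for
        # every account on the host).
        validate: visudo -cf %s
      when:
        - user_info is failed
        - params.sudo

    # Drop the privileged SSH session so the checks below cannot reuse it.
    - name: Refresh connection
      ansible.builtin.meta: reset_connection

    # Verification runs from the controller (delegate_to: localhost) with a
    # fresh paramiko login as the managed user and the NEW secret.
    # NOTE(review): login_password carries the plaintext secret in module args;
    # unless ssh_ping marks it no_log, verbose runs and callbacks may record it.
    # Consider `no_log: true` once it is confirmed the JumpServer callback still
    # receives the failed/changed fields it needs.
    - name: "Verify {{ account.username }} password (paramiko)"
      ssh_ping:
        login_user: "{{ account.username }}"
        login_password: "{{ account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
      become: false
      when: account.secret_type == "password"
      delegate_to: localhost

    - name: "Verify {{ account.username }} SSH KEY (paramiko)"
      ssh_ping:
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        login_user: "{{ account.username }}"
        login_private_key_path: "{{ account.private_key_path }}"
        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
      become: false
      when: account.secret_type == "ssh_key"
      delegate_to: localhost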