jumpserver/apps/accounts/automations/push_account/host/aix/main.yml

- hosts: demo
  gather_facts: no
  tasks:
    - name: "Test privileged {{ jms_account.username }} account"
      ansible.builtin.ping:

    - name: "Check if {{ account.username }} user exists"
      getent:
        database: passwd
        key: "{{ account.username }}"
      register: user_info
      ignore_errors: yes  # 忽略错误，如果用户不存在时不会导致playbook失败

    - name: "Add {{ account.username }} user"
      ansible.builtin.user:
        name: "{{ account.username }}"
        shell: "{{ params.shell }}"
        home: "{{ params.home | default('/home/' + account.username, true) }}"
        groups: "{{ params.groups }}"
        expires: -1
        state: present
      when: user_info.failed

    - name: "Add {{ account.username }} group"
      ansible.builtin.group:
        name: "{{ account.username }}"
        state: present
      when: user_info.failed

    - name: "Add {{ account.username }} user to group"
      ansible.builtin.user:
        name: "{{ account.username }}"
        groups: "{{ params.groups }}"
      when:
        - user_info.failed
        - params.groups

    - name: "Change {{ account.username }} password"
      ansible.builtin.user:
        name: "{{ account.username }}"
        password: "{{ account.secret | password_hash('des') }}"
        update_password: always
      ignore_errors: true
      when: account.secret_type == "password"

    - name: remove jumpserver ssh key
      ansible.builtin.lineinfile:
        dest: "{{ ssh_params.dest }}"
        regexp: "{{ ssh_params.regexp }}"
        state: absent
      when:
        - account.secret_type == "ssh_key"
        - ssh_params.strategy == "set_jms"

    - name: "Change {{ account.username }} SSH key"
      ansible.builtin.authorized_key:
        user: "{{ account.username }}"
        key: "{{ account.secret }}"
        exclusive: "{{ ssh_params.exclusive }}"
      when: account.secret_type == "ssh_key"

    - name: "Set {{ account.username }} sudo setting"
      ansible.builtin.lineinfile:
        dest: /etc/sudoers
        state: present
        regexp: "^{{ account.username }} ALL="
        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
        validate: visudo -cf %s
      when:
        - user_info.failed
        - params.sudo

    - name: Refresh connection
      ansible.builtin.meta: reset_connection

    - name: "Verify {{ account.username }} password (paramiko)"
      ssh_ping:
        login_user: "{{ account.username }}"
        login_password: "{{ account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
        become: "{{ account.become.ansible_become | default(False) }}"
        become_method: su
        become_user: "{{ account.become.ansible_user | default('') }}"
        become_password: "{{ account.become.ansible_password | default('') }}"
        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
      when: account.secret_type == "password"
      delegate_to: localhost

    - name: "Verify {{ account.username }} SSH KEY (paramiko)"
      ssh_ping:
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        login_user: "{{ account.username }}"
        login_private_key_path: "{{ account.private_key_path  }}"
        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
      when: account.secret_type == "ssh_key"
      delegate_to: localhost