Added to git

Author: blackandred

README.md

@@ -0,0 +1,78 @@
+Role Name
+=========
+
+Multi-user management with focus on a project to which everybody has access via sudo.
+
+Example case:
+- There are multiple organizations managing their pages
+- We deploy a docker project that contains multiple websites
+- Each user can manage the docker project via `sudo ./make.sh ... something ...` instead of having access to global sudo
+
+
+Role Variables
+--------------
+
+```yamlex
+technical_entrypoint: "/project/make.sh"
+enable_technical_entrypoint: true
+
+technical_account: "tech.admin"
+technical_account_id: 1800
+technical_group: "technical"
+technical_group_id: 1161
+
+users:
+ accounts:
+ - login: iwa.somebody
+ section: "ZSP" # account description / organization name / etc.
+ password: 'some-password-hash-generated-by-mkpasswd'
+ global_sudo: no
+ gid: 1161
+ uid: 2050
+ disabled: no
+```
+
+Example Playbook
+----------------
+
+```yamlex
+ - hosts: servers
+ roles:
+ - { role: username.rolename, x: 42 }
+ vars:
+ # ...
+```
+
+Adding a new user account
+-------------------------
+
+1. Use the tool `./mkpasswd.sh` to generate a password
+2. Create an entry in the users.accounts variable (there are examples already)
+ - Paste the password into password section of your new account with single quotes
+ - Please do not enable `global_sudo` option unless you really have a reason for that
+ - Please fill in `section` field with the organization name
+ - Please use only a-z, numbers and dot characters for the user name, else it may not work
+3. Run deployment
+
+Blocking access for the user account
+------------------------------------
+
+1. Edit users.accounts variable
+2. For specified user account please set `disabled: yes` 
+ - NOTICE: Deleting whole user section from file will not have an effect, as the deployment will ignore that user and will not change it
+ so the user account deletion is not possible, only blocking is possible
+3. Run deployment
+
+License
+-------
+
+MIT
+
+Author Information
+------------------
+
+Krzysztof Wesołowski, anarchosyndicalist, backend-devops programmer, grassroot advocate
+
+Made especially for:
+https://iwa-ait.org
+https://zsp.net.pl

defaults/main.yml

@@ -0,0 +1,2 @@
+---
+# defaults file for users

handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for users

meta/main.yml

@@ -0,0 +1,14 @@
+galaxy_info:
+ author: Krzysztof Wesołowski
+ description: Sets the user accounts basing on the easy to understand yaml configuration
+ company: IWA-AIT.org / ZSP (non-profit organization)
+ license: MIT
+ min_ansible_version: 1.2
+
+ galaxy_tags:
+ - users
+ - access
+ - sudo
+ - multiple users
+
+dependencies: []

tasks/groups.yml

@@ -0,0 +1,31 @@
+- name: Create a group
+ become: yes
+ group:
+ name: "{{ technical_group|default('technical') }}"
+ state: present
+ gid: "{{ technical_group_id|default('1161') }}"
+ tags: user
+
+- name: "Create a technical account"
+ become: yes
+ tags: user
+ user:
+ name: "{{ technical_account|default('tech.admin') }}"
+ comment: "Technical account (deployment)"
+ generate_ssh_key: yes
+ ssh_key_bits: 2048
+ ssh_key_file: .ssh/id_rsa
+ shell: /bin/bash
+ password: "{{ technical_password }}"
+ update_password: on_create
+ createhome: yes
+ uid: "{{ technical_account_id|default('1800') }}"
+ groups: ["{{ technical_group|default('technical') }}", 'sudo']
+
+- name: Enable all members of technical group to execute given project file as root
+ become: yes
+ lineinfile:
+ dest: /etc/sudoers
+ line: "%{{ technical_group|default('technical') }} ALL=(root) NOPASSWD: {{ technical_entrypoint|default('/project/make.sh') }}"
+ tags: user
+ when: enable_technical_entrypoint == True

tasks/main.yml

@@ -0,0 +1,3 @@
+- include: preliminaries.yml
+- include: groups.yml
+- include: users.yml

tasks/preliminaries.yml

@@ -0,0 +1,8 @@
+- name: Install required packages
+ become: yes
+ apt:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - sudo
+ tags: user

tasks/user.yml

@@ -0,0 +1,59 @@
+
+- name: "Create user {{ user.login }}"
+ become: yes
+ tags: user
+ user:
+ name: "{{ user.login }}"
+ comment: "{{ user.section }}"
+ generate_ssh_key: yes
+ ssh_key_bits: 2048
+ ssh_key_file: .ssh/id_rsa
+ shell: /bin/zsh
+ password: "{{ user.password }}"
+ update_password: on_create
+ createhome: yes
+ uid: "{{ user.uid }}"
+ groups: "{{ technical_group|default('technical') }}"
+
+- name: Disable account if it was disabled in users.yml
+ become: yes
+ shell: "chage -E 2000-05-01 {{ user.login }}"
+ when: user.disabled == "yes" or user.disabled == "1" or user.disabled == True or user.disabled == "true" or user.disabled == 1
+
+- name: Enable account if it was not disabled in users.yml
+ become: yes
+ shell: "chage -E 2200-05-01 {{ user.login }}"
+ when: user.disabled == "no" or user.disabled == "0" or user.disabled == False or user.disabled == "false" or user.disabled == 0
+
+- name: Allow user to use sudo globally (if allowed)
+ become: yes
+ user:
+ name: '{{ user.login }}'
+ groups: sudo
+ append: yes
+ when: user.global_sudo == "yes" or user.global_sudo == "1" or user.global_sudo == True or user.global_sudo == "true" or user.global_sudo == 1
+
+- name: Disallow user to use sudo (if disallowed)
+ become: yes
+ shell: "gpasswd -d {{ user.login }} sudo || true"
+ when: user.global_sudo == "no" or user.global_sudo == "0" or user.global_sudo == False or user.global_sudo == "false" or user.global_sudo == 0
+
+- name: Check if the user has customized zshrc
+ stat: path="/home/{{ user.login }}/.zshrc"
+ register: zshrc_file
+
+- name: Creating a zshrc from template (if the user does not have already modified it)
+ become: yes
+ become_user: "{{ user.login }}"
+ template:
+ src: zshrc
+ dest: "/home/{{ user.login }}/.zshrc"
+ when: zshrc_file.stat.exists == False
+
+- name: Clone oh-my-zsh
+ become: yes
+ become_user: "{{ user.login }}"
+ git:
+ repo: https://github.com/robbyrussell/oh-my-zsh
+ dest: "/home/{{ user.login }}/.oh-my-zsh"
+

tasks/users.yml

@@ -0,0 +1,7 @@
+
+#
+# Iterate over all users and create/update each account one-by-one
+#
+
+- include: user.yml user={{ item }}
+ with_items: "{{ users.accounts }}"

templates/zshrc

@@ -0,0 +1,6 @@
+ZSH=$HOME/.oh-my-zsh
+ZSH_THEME="half-life"
+DISABLE_AUTO_UPDATE="true"
+plugins=(git symfony python vagrant ubuntu rsync composer systemd)
+source $ZSH/oh-my-zsh.sh
+export PATH=$HOME/bin:/usr/local/bin:$PATH