@hmartiniano
Last active March 3, 2020 13:03
Ansible playbook to create or remove users. Place SSH public keys in pub_keys/<username>.pub.
```yaml
---
- hosts: all
  remote_user: root   # `user:` at play level is the older spelling of remote_user
  vars:
    users:
      - username: data
        groups: ""
        shell: /bin/true   # service account: no interactive login
      - username: "test"
        groups: sudo, data, docker
      - username: "test2"
        groups: sudo, data, docker
      - username: "test3"
        groups: data, docker
    remove_users:
      - "test_user"
  pre_tasks:
    - name: install python
      raw: test -e /usr/bin/python || (apt -qqy update && apt install -y python)
      register: output
      changed_when: output.stdout != ""
  handlers:
    - name: "Restart sshd"
      service:
        name: "sshd"
        state: "restarted"
  tasks:
    - name: "Create user accounts"
      user:
        name: "{{ item.username }}"
        groups: "{{ item.groups }}"
        shell: "{{ item.shell | default(omit) }}"   # honour the per-user shell set in vars
        state: "present"
      with_items: "{{ users }}"
    - name: "Remove old user accounts in remove_users"
      user:
        name: "{{ item }}"
        state: "absent"
      with_items: "{{ remove_users }}"
    - name: "Add authorized keys"
      authorized_key:
        user: "{{ item.username }}"
        state: present
        key: "{{ lookup('file', 'pub_keys/' + item.username + '.pub') }}"
      with_items: "{{ users }}"
    - name: "Allow admin users to sudo without a password"
      # Note: the users above are placed in `sudo`, not `admin`; this rule only affects group admin.
      lineinfile:
        dest: "/etc/sudoers" # path: in version 2.3
        state: "present"
        regexp: "^%admin"
        line: "%admin ALL=(ALL) NOPASSWD: ALL"
        validate: "/usr/sbin/visudo -cf %s"   # never write a sudoers file that does not parse
    - name: "Only SSH key-based root login via SSH"
      lineinfile:
        dest: "/etc/ssh/sshd_config"
        regexp: "^PermitRootLogin"
        line: "PermitRootLogin prohibit-password"
        validate: "/usr/sbin/sshd -t -f %s"   # check the config before the restart handler fires
      notify: "Restart sshd"
```
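A pre-flight check for the `pub_keys/` directory the playbook reads, added here as an example and not part of the gist: it confirms that every entry in `users` has a `pub_keys/<username>.pub`, that each line in it is a well-formed OpenSSH public key whose declared type matches the key blob, and that the type is on an allow list, because `lookup('file', ...)` aborts the play on a missing file and `authorized_key` would otherwise install whatever the file contains. It uses only the standard library; the `users` list and the key files are constructed copies, and the ed25519 blob is an all-zero stand-in rather than a real key.

```python
import base64, tempfile
from pathlib import Path

# Constructed copy of the playbook's `users` var; parsing the YAML itself is out of scope.
USERS = [{"username": "data"}, {"username": "test"}, {"username": "test2"}, {"username": "test3"}]
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}  # ssh-dss deliberately excluded

def parse_pubkey(line: str) -> str:
    """Return the key type of one OpenSSH public-key line, or raise ValueError.
    The blob starts with a length-prefixed copy of the type (RFC 4253), so the declared type is verified."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"bad base64: {exc}") from None
    n = int.from_bytes(blob[:4], "big") if len(blob) >= 4 else 1 << 32
    if len(blob) < 4 + n or blob[4:4 + n] != parts[0].encode():
        raise ValueError(f"declared type {parts[0]!r} does not match blob")
    return parts[0]

def check_keys(users: list, key_dir: Path) -> dict:
    """Map each username to a list of problems; an empty list means the file is usable."""
    report = {}
    for name in (u["username"] for u in users):
        path = Path(key_dir) / f"{name}.pub"
        if not path.is_file():  # lookup('file', ...) would abort the whole play here
            report[name] = [f"missing {path.name}"]
            continue
        issues = report[name] = []
        for line in (l for l in path.read_text().splitlines() if l.strip() and l[0] != "#"):
            try:
                ktype = parse_pubkey(line)
                if ktype not in ALLOWED_TYPES:
                    issues.append(f"disallowed key type {ktype}")
            except ValueError as exc:
                issues.append(str(exc))
    return report

def demo() -> dict:
    """Write constructed key files into a temporary pub_keys/ directory and run the check."""
    # Constructed all-zero ed25519 blob: structurally valid, not a real key.
    good = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(32)).decode()
    with tempfile.TemporaryDirectory() as tmp:
        key_dir = Path(tmp) / "pub_keys"
        key_dir.mkdir()
        (key_dir / "data.pub").write_text(f"ssh-ed25519 {good} data@backup\n")
        (key_dir / "test.pub").write_text(f"ssh-rsa {good} mislabelled\n")  # type mismatch
        (key_dir / "test2.pub").write_text("ssh-ed25519 not-base64!!\n")   # bad encoding
        return check_keys(USERS, key_dir)  # test3.pub is intentionally absent
```

Run `check_keys(users, Path("pub_keys"))` against the real directory before `ansible-playbook`; a non-empty list for any user means the play would fail or install a key you did not intend.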