Ansible: Add/update/remove user
---
# -----------------------------------------------------------------------------------------
# Purpose: To manage system users:
# - create/update a user who is allowed access via an ssh connection
# - add the public ssh-key of the user into its authorized_keys
# - allow the user to use sudo by putting a config into /etc/sudoers.d/
# - remove authorized_keys of inactive users
# - remove inactive users
# - remove sudo permission by removing its config file in /etc/sudoers.d/ if any
# Maintenance: Nghia Le [at] INFOTECHVIET
# https://trongnghia203.github.io/
# https://www.linkedin.com/in/nghia-le
# Updated Date: 12 October 2019
# Status: OK, tested ok with Ubuntu, CentOS
# Usages:
# 1. Change the hostname (hosts:)
# 2. Review active users, inactive users
# 3. Turn check_mode off to run for real
# 4. Turn exclusive on if you want to
#    remove all other non-specified keys from the authorized_keys file; default no
# =========================================================================================
- name: UPDATING SSH ACCESS RIGHTS
  hosts: your_host_here
  become: true
  check_mode: yes
  # ignore_unreachable: yes
  # ignore_errors: yes
  # serial: 1
  vars:
    default_users:
      - username: ubuntu
        home: /home/ubuntu
        pub_key_file: ../files/authorized_keys/your_ssh_key.pub
    sudoer_group: sudo  # correct for Ubuntu; if you're using CentOS, change it to the "wheel" group.
    active_users:
      - username: your_username
        home: /home/your_username
        pub_key_file: ../files/authorized_keys/id_rsa.pub
    remove_users:
      - username: unwanted_user
        pub_key_file: ../files/authorized_keys/unwanted_user.pub
  tasks:
    ## 1. ADD/UPDATE USER WITH AUTHORIZED SSH KEYS
    - name: Add/update active users
      user:
        name: "{{ item.username }}"
        home: "{{ item.home }}"
        move_home: yes
        shell: /bin/bash
        groups: "{{ sudoer_group }}"
        append: yes
      with_items:
        - "{{ default_users }}"
        - "{{ active_users }}"
    - name: Add/update authorized_keys for active users
      authorized_key:
        user: "{{ item.username }}"
        key: "{{ lookup('file', item.pub_key_file) }}"
        state: present
        exclusive: yes  # Remove all other non-specified keys from the authorized_keys file; default no
      with_items:
        - "{{ default_users }}"
        - "{{ active_users }}"
    - name: Allow user to use sudo without password
      lineinfile:
        path: /etc/sudoers.d/{{ item.username }}-allow-sudo
        regexp: "^{{ item.username }}"
        line: "{{ item.username }} ALL=(ALL) NOPASSWD:ALL"
        create: yes
        mode: '0440'  # sudo expects drop-in files to be readable by root only
        validate: 'visudo -cf %s'  # refuse to install a file sudo cannot parse (a broken drop-in can lock out sudo)
      with_items: "{{ active_users }}"  # BE CAREFUL, PLEASE DO NOT RUN WITH DEFAULT USER
    ## 2. REMOVE USER AND USER'S AUTHORIZED SSH KEYS, NOT REMOVE USER'S HOME DATA
    - name: Removing the authorized_keys of inactive users if any
      authorized_key:
        user: "{{ item.username }}"
        key: "{{ lookup('file', item.pub_key_file) }}"
        state: absent
      with_items: "{{ remove_users }}"
    - name: Removing inactive users
      user:
        name: "{{ item.username }}"
        state: absent
        remove: no  # Remove the user's home directory if yes; default no
        force: yes  # only has an effect together with remove: yes
      with_items: "{{ remove_users }}"
    - name: Removing from /etc/sudoers.d if existing
      file:
        path: /etc/sudoers.d/{{ item.username }}-allow-sudo
        state: absent
      with_items: "{{ remove_users }}"
...
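To see concretely what `exclusive: yes` versus `exclusive: no` and `state: absent` do to an existing authorized_keys file, and to sanity-check the username that the sudo task interpolates into a path under /etc/sudoers.d, here is an added Python model. It is not part of the gist and not the authorized_key module's own code; the key blobs and file contents are constructed placeholders, and the simplification that entries are matched on key type plus key material (ignoring the trailing comment) is my assumption for the model.

```python
import re

# Key types recognised at the start of an authorized_keys entry (after any options).
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss"}
# Conservative username check: item.username ends up inside a filesystem path.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_key(line):
    """Return (type, blob) for one authorized_keys line, or None for blank/comment lines.
    The trailing comment (e.g. user@host) is deliberately not part of the identity."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return None
    for i, field in enumerate(fields[:-1]):  # skip a leading options list such as from="..."
        if field in KEY_TYPES:
            return (field, fields[i + 1])
    return None


def reconcile(current, desired_keys, exclusive):
    """Model of `state: present` for the desired keys over an existing file."""
    lines = [] if exclusive else current.splitlines()  # exclusive: yes discards everything else
    present = {parse_key(l) for l in lines} - {None}
    for key in desired_keys:
        ident = parse_key(key)
        if ident not in present:
            lines.append(key.strip())
            present.add(ident)
    return "\n".join(lines) + "\n"


def remove_key(current, key):
    """Model of `state: absent`: drop every entry carrying the same key material."""
    target = parse_key(key)
    return "\n".join(l for l in current.splitlines() if parse_key(l) != target) + "\n"


def sudoers_dropin(username):
    """Path and content of the /etc/sudoers.d file the playbook writes for one user."""
    if not USERNAME_RE.match(username):
        raise ValueError(f"refusing to build a sudoers path from {username!r}")
    return f"/etc/sudoers.d/{username}-allow-sudo", f"{username} ALL=(ALL) NOPASSWD:ALL\n"


# Constructed sample file: one stale key plus the wanted key under an old comment.
CURRENT = """# constructed sample authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKESTALEKEY stale@old-laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCFAKEDESIRED ops@old-comment
"""
DESIRED = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCFAKEDESIRED ops@new-comment"]

if __name__ == "__main__":
    print(reconcile(CURRENT, DESIRED, exclusive=True))   # only the desired key survives
    print(reconcile(CURRENT, DESIRED, exclusive=False))  # the stale key is left in place
```

With `exclusive: no` the stale key is never touched, which is why the gist's usage notes point at the `exclusive` switch when the goal is to remove every key not listed in the play.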