windmill-ops/playbooks/bootstrap/roles/users/tasks/main.yaml


# Copyright 2019 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
---
# Load the variable file named after the target's OS family, lower-cased.
# Depends on gathered facts providing ansible_os_family.
# NOTE(review): presumably this is where __windmill_users_sudo_group is
# defined -- confirm against the role's vars directory.
- name: Include OS-specific variables
  include_vars:
    file: "{{ ansible_os_family | lower }}.yaml"
# Pin UID_MIN in /etc/login.defs to 3000. lineinfile rewrites the last line
# matching the regexp, or appends the line when nothing matches.
# NOTE(review): presumably this keeps automatically allocated UIDs away from
# the explicit uid values this role takes from windmill_users -- confirm.
- name: Set minimum range for user IDs
  become: true
  lineinfile:
    line: "UID_MIN 3000"
    path: /etc/login.defs
    regexp: '^UID_MIN'
# Pin GID_MIN in /etc/login.defs to 3000. lineinfile rewrites the last line
# matching the regexp, or appends the line when nothing matches.
# NOTE(review): presumably this keeps automatically allocated GIDs away from
# the explicit gid values this role takes from windmill_users -- confirm.
- name: Set minimum range for group IDs
  become: true
  lineinfile:
    line: "GID_MIN 3000"
    path: /etc/login.defs
    regexp: '^GID_MIN'
# Create one group per entry in windmill_root_users. Each group is named after
# the user and pinned to the gid recorded for that user in windmill_users.
- name: Create windmill_users group
  become: true
  with_items: "{{ windmill_root_users }}"
  group:
    state: present
    name: "{{ item }}"
    gid: "{{ windmill_users[item].gid }}"
# Create the account for each entry in windmill_root_users with a fixed uid,
# its own primary group (referenced by gid) and membership of the sudo group.
# `append` is not set, so the module default applies and `groups` is treated
# as the complete supplementary group list for the account.
- name: Create windmill_users user
  become: true
  with_items: "{{ windmill_root_users }}"
  user:
    name: "{{ item }}"
    uid: "{{ windmill_users[item].uid }}"
    group: "{{ windmill_users[item].gid }}"
    groups: "{{ __windmill_users_sudo_group }}"
    shell: /bin/bash
# Install the public key recorded for each user in windmill_users.
# `exclusive: true` removes every authorized_keys entry that is not part of
# the supplied key value, so keys added out of band do not survive a run.
- name: Add SSH public key
  become: true
  with_items: "{{ windmill_root_users }}"
  authorized_key:
    user: "{{ item }}"
    key: "{{ windmill_users[item].key }}"
    state: present
    exclusive: true
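# Grant passwordless sudo to every member of the role's sudo group.
# Security notes:
#   - NOPASSWD: ALL makes a session as any group member equivalent to root, so
#     the SSH key installed for that account is the only credential guarding it.
#   - The drop-in is checked by visudo before it replaces the live file, so a
#     malformed rule is rejected instead of being installed.
#   - Owner, group and mode are set explicitly rather than left to the remote
#     umask; 0440 is the conventional mode for sudoers files.
#   - The content ends with a newline so the file is a complete text line.
- name: Disable password for sudo users
  become: true
  copy:
    content: "%{{ __windmill_users_sudo_group }} ALL=(ALL) NOPASSWD: ALL\n"
    dest: /etc/sudoers.d/sudo
    owner: root
    group: root
    mode: "0440"
    # NOTE(review): assumes visudo is at /usr/sbin on every OS family this
    # role supports -- adjust if an included family ships it elsewhere.
    validate: '/usr/sbin/visudo -cf %s'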
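# Render /root/.forward from the role's root/.forward.j2 template, owned by
# root and world-readable.
# NOTE(review): presumably this redirects root's local mail; the template
# content is not visible here -- confirm.
- name: Setup root user forward file
  become: true
  template:
    src: root/.forward.j2
    dest: /root/.forward
    owner: root
    group: root
    # Quoted so the mode reaches Ansible as a string instead of depending on
    # the YAML parser's treatment of a leading-zero integer.
    mode: "0644"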