Jeremy Stanley 698bb3df21 Lower UID/GID range max to make way for containers
In order to avoid unfortunate collisions with statically assigned
container account UIDs and GIDs, cap normal users at 9999. That way
we can set our containers to use IDs 10000 and above.

Make sure adduser/addgroup's adduser.conf gets adjusted to match the
values we set in the login.defs referenced by the lower-level
useradd/groupadd tools too. We're not using non-Debian-derivative
servers these days, so don't bother to try making this work on other
distributions for the time being.

Change-Id: I0068d5cea66e898c35b661cd559437dc4049e8f4
2021-11-05 18:06:55 +00:00


- name: Add sudo group
  group:
    name: "sudo"
    state: present
# NOTE(mordred): We replace the main file rather than dropping a file in to
# /etc/sudoers.d to deal with divergent base sudoers files from our distros.
# We also want to change some default behavior (we want nopassword sudo, for
# instance).
- name: Setup sudoers file
  copy:
    dest: /etc/sudoers
    src: sudoers
    owner: root
    group: root
    mode: 0440
- name: Setup adduser.conf file
  copy:
    dest: /etc/adduser.conf
    src: '{{ ansible_facts.os_family }}/adduser.conf'
    owner: root
    group: root
    mode: 0644
- name: Setup login.defs file
  copy:
    dest: /etc/login.defs
    src: '{{ ansible_facts.os_family }}/login.defs'
    owner: root
    group: root
    mode: 0644
- name: Delete old users
  loop: "{{ disabled_users }}"
  user:
    name: "{{ item }}"
    state: absent
    remove: yes
- name: Add groups
  loop: "{{ base_users + extra_users }}"
  group:
    name: "{{ item }}"
    state: present
    gid: "{{ all_users[item].gid|default(omit) }}"
  when:
    - item in all_users
    - "'gid' in all_users[item]"
- name: Add users
  loop: "{{ base_users + extra_users }}"
  user:
    name: "{{ item }}"
    state: present
    uid: "{{ all_users[item].uid }}"
    group: "{{ item }}"
    comment: "{{ all_users[item].comment }}"
    groups: sudo
    shell: /bin/bash
  when:
    - item in all_users
    - "'uid' in all_users[item]"
- name: Add ssh keys to users
  loop: "{{ base_users + extra_users }}"
  authorized_key:
    user: "{{ item }}"
    state: present
    key: "{{ all_users[item].key }}"
    exclusive: yes
  when:
    - item in all_users
    - "'key' in all_users[item]"
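The commit message states the policy but the page does not show the login.defs and adduser.conf values themselves, nor how to confirm a host actually honours them. The script below is an added example, not code from this repository: it checks that login.defs (UID_MAX/GID_MAX, read by useradd/groupadd) and adduser.conf (LAST_UID/LAST_GID, read by adduser/addgroup) agree on the 9999 ceiling, and lists passwd entries that already sit in the container range, since lowering the ceiling only affects accounts created afterwards. The file contents and account names are constructed sample data; the 9999 ceiling and 10000 floor are taken from the commit message, and the skip of UID 65534 assumes Debian's nobody account.

```shell
#!/bin/sh
# Added example, not part of the repository this commit belongs to. It checks
# the policy the commit message describes: interactive accounts capped at
# UID/GID 9999 so containers can use 10000 and above. File paths are
# parameters so the functions run on the constructed sample files below
# instead of the live /etc; point them at /etc/login.defs, /etc/adduser.conf
# and /etc/passwd to audit a real host.

# Read a "KEY value" setting from a login.defs style file (comment lines
# start with "#" in field 1 and therefore never match a key).
logindefs_value() {  # $1 = file, $2 = key
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Read a "KEY=value" setting from an adduser.conf style file.
adduserconf_value() {  # $1 = file, $2 = key
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Succeed only when both tools agree on the same ceiling; a mismatch means
# adduser and useradd would allocate IDs from different ranges.
check_id_ceiling() {  # $1 = login.defs, $2 = adduser.conf, $3 = expected ceiling
    [ "$(logindefs_value "$1" UID_MAX)" = "$3" ] &&
    [ "$(logindefs_value "$1" GID_MAX)" = "$3" ] &&
    [ "$(adduserconf_value "$2" LAST_UID)" = "$3" ] &&
    [ "$(adduserconf_value "$2" LAST_GID)" = "$3" ]
}

# Print "name:uid" for every passwd entry at or above the container floor.
# Existing accounts are untouched by a lowered ceiling, so they need this
# separate audit. UID 65534 (Debian's nobody) is skipped as expected noise.
colliding_accounts() {  # $1 = passwd file, $2 = container floor
    awk -F: -v floor="$2" '$3 + 0 >= floor + 0 && $3 + 0 != 65534 { print $1 ":" $3 }' "$1"
}

# --- constructed sample data (not taken from any real host) ----------------
SAMPLE_DIR=$(mktemp -d)
SAMPLE_LOGIN_DEFS="$SAMPLE_DIR/login.defs"
SAMPLE_ADDUSER_CONF="$SAMPLE_DIR/adduser.conf"
SAMPLE_ADDUSER_CONF_BAD="$SAMPLE_DIR/adduser.conf.stock"
SAMPLE_PASSWD="$SAMPLE_DIR/passwd"

cat > "$SAMPLE_LOGIN_DEFS" <<'EOF'
# login.defs excerpt with the lowered ceiling
UID_MIN   1000
UID_MAX   9999
GID_MIN   1000
GID_MAX   9999
EOF

cat > "$SAMPLE_ADDUSER_CONF" <<'EOF'
FIRST_UID=1000
LAST_UID=9999
FIRST_GID=1000
LAST_GID=9999
EOF

# Stock-style values: adduser could still allocate into the container range.
cat > "$SAMPLE_ADDUSER_CONF_BAD" <<'EOF'
FIRST_UID=1000
LAST_UID=59999
FIRST_GID=1000
LAST_GID=59999
EOF

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:10001:10001:Bob:/home/bob:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
svc-worker:x:10003:10003::/var/lib/svc-worker:/usr/sbin/nologin
EOF

if check_id_ceiling "$SAMPLE_LOGIN_DEFS" "$SAMPLE_ADDUSER_CONF" 9999; then
    echo "login.defs and adduser.conf agree on ceiling 9999"
else
    echo "ceiling mismatch between login.defs and adduser.conf"
fi
echo "accounts already inside the container range (>= 10000):"
colliding_accounts "$SAMPLE_PASSWD" 10000
```

Run against a live host by passing `/etc/login.defs`, `/etc/adduser.conf` and `/etc/passwd` to the two check functions; any line printed by `colliding_accounts` is an account that needs renumbering or a container ID assignment that avoids it.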