diff --git a/tasks/apt/cleanup.yaml b/tasks/apt/cleanup.yaml index cdfb20e..2e3f32e 100644 --- a/tasks/apt/cleanup.yaml +++ b/tasks/apt/cleanup.yaml @@ -1,18 +1,22 @@ --- -# clean apt cache -- name: "apt - clean cache" - ansible.builtin.apt: - clean: true - changed_when: false - failed_when: false - tags: "apt-cleanup" - when: 'ansible_os_family == "Debian"' +# apt cleanup +- name: "apt cleanup" + block: + + # clean apt cache + - name: "apt - clean cache" + ansible.builtin.apt: + clean: true + changed_when: false + failed_when: false + when: 'ansible_os_family == "Debian"' + + # run fstrim if target is a VM + - name: "fstrim" + ansible.builtin.command: "fstrim /" + changed_when: false + failed_when: false + when: 'type == "vm"' -# run fstrim if target is a VM -- name: "fstrim" - ansible.builtin.command: "fstrim /" - changed_when: false - failed_when: false tags: "apt-cleanup" - when: 'type == "vm"' diff --git a/tasks/apt/config.yaml b/tasks/apt/config.yaml index c08dd66..48281e6 100644 --- a/tasks/apt/config.yaml +++ b/tasks/apt/config.yaml 
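Review bot: The `fstrim` task's condition `when: 'type == "vm"'` references a bare `type` variable, so on any host whose inventory does not define it the task errors as undefined instead of being skipped; `when: 'type is defined and type == "vm"'` keeps the intent, or the `ansible_virtualization_role == "guest"` fact could replace the custom variable altogether. Both tasks also carry `failed_when: false`, which hides every failure including a full disk during `apt clean`; if best-effort is intended, a comment such as `# best-effort: cleanup failures are tolerated` tells the next maintainer that this is deliberate rather than an oversight.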
@@ -1,24 +1,27 @@ --- -# configure apt auto update -- name: "apt - config - configure apt periodic" - ansible.builtin.template: - src: "templates/apt/conf.d/10periodic.j2" - dest: "/etc/apt/apt.conf.d/10periodic" - owner: "root" - group: "root" - mode: "0644" - when: 'ansible_os_family == "Debian"' - tags: - - "apt" +# apt config +- name: "apt config" + block: + + # configure apt auto update + - name: "apt - config - configure apt periodic" + ansible.builtin.template: + src: "templates/apt/conf.d/10periodic.j2" + dest: "/etc/apt/apt.conf.d/10periodic" + owner: "root" + group: "root" + mode: "0644" + when: 'ansible_os_family == "Debian"' + + - name: "apt - config - configure apt unatteded updates" + ansible.builtin.template: + src: "templates/apt/conf.d/50unattended-upgrades.{{ ansible_distribution }}.j2" + dest: "/etc/apt/apt.conf.d/50unattended-upgrades" + owner: "root" + group: "root" + mode: "0644" + when: 'ansible_os_family == "Debian"' -- name: "apt - config - configure apt unatteded updates" - ansible.builtin.template: - src: "templates/apt/conf.d/50unattended-upgrades.{{ ansible_distribution }}.j2" - dest: "/etc/apt/apt.conf.d/50unattended-upgrades" - owner: "root" - group: "root" - mode: "0644" - when: 'ansible_os_family == "Debian"' tags: - "apt" diff --git a/tasks/apt/packages.yaml b/tasks/apt/packages.yaml index a50445c..3ac8a87 100644 --- a/tasks/apt/packages.yaml +++ b/tasks/apt/packages.yaml 
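Review bot: The unattended-upgrades task picks its template by `ansible_distribution` but is gated only on `ansible_os_family == "Debian"`, so a Debian-derived distribution without a matching `50unattended-upgrades.<distribution>.j2` fails at template lookup rather than being skipped; gate it on `ansible_distribution in ["Debian", "Ubuntu"]` or state the supported set in the comment. Both tasks repeat the same `when`, which now belongs on the block next to `tags` as `when: 'ansible_os_family == "Debian"'`. The task name still reads `unatteded` (typo for `unattended`).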
@@ -1,27 +1,30 @@ --- -# install packages -- name: "apt - install - packages" - ansible.builtin.apt: - name: "{{ apt_default_install }}" - state: "present" - update_cache: true - when: 'ansible_os_family == "Debian"' - loop: "{{ apt_default_packages_install }}" - loop_control: - loop_var: "apt_default_install" - tags: - - "apt" +# apt packages +- name: "apt packages" + block: + + # install packages + - name: "apt - install - packages" + ansible.builtin.apt: + name: "{{ apt_default_install }}" + state: "present" + update_cache: true + when: 'ansible_os_family == "Debian"' + loop: "{{ apt_default_packages_install }}" + loop_control: + loop_var: "apt_default_install" + + # purge packages + - name: "apt - delete - packages" + ansible.builtin.apt: + name: "{{ apt_default_delete }}" + state: "absent" + purge: true + when: 'ansible_os_family == "Debian"' + loop: "{{ apt_default_packages_delete }}" + loop_control: + loop_var: "apt_default_delete" -# purge packages -- name: "apt - delete - packages" - ansible.builtin.apt: - name: "{{ apt_default_delete }}" - state: "absent" - purge: true - when: 'ansible_os_family == "Debian"' - loop: "{{ apt_default_packages_delete }}" - loop_control: - loop_var: "apt_default_delete" tags: - - "apt" + - "apt" diff --git a/tasks/apt/sources.yaml b/tasks/apt/sources.yaml index 6f26406..2fc4753 100644 --- a/tasks/apt/sources.yaml +++ b/tasks/apt/sources.yaml 
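Review bot: The install task loops over `apt_default_packages_install` with `update_cache: true`, so `apt-get update` runs once per package and each package is a separate apt transaction; `ansible.builtin.apt` accepts a list, so `name: "{{ apt_default_packages_install }}"` without the `loop`/`loop_control` does the same work in one run. The same applies to the purge task over `apt_default_packages_delete`. If the per-package loop is kept for clearer output, adding `cache_valid_time: 3600` at least stops the repeated network fetch on every iteration.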
@@ -1,42 +1,43 @@ --- -# configure apt sources -- name: "apt - config - configure apt sources" - ansible.builtin.template: - src: "templates/apt/sources.d/sources.list.{{ ansible_distribution }}.j2" - dest: "/etc/apt/sources.list" - owner: "root" - group: "root" - mode: "0644" - when: - - 'ansible_os_family == "Debian"' - - 'ansible_distribution_major_version <= "23"' - notify: "apt force cache update" - tags: - - "apt" +# manage apt sources +- name: "manage apt sources" + block: -# configure apt sources -- name: "apt - config - configure apt sources" - ansible.builtin.template: - src: "templates/apt/sources.d/{{ ansible_distribution }}.sources.j2" - dest: "/etc/apt/sources.list.d/ubuntu.sources" - owner: "root" - group: "root" - mode: "0644" - when: - - 'ansible_distribution == "Ubuntu"' - - 'ansible_distribution_major_version >= "24"' - notify: "apt force cache update" - tags: - - "apt" + # configure apt sources + - name: "apt - config - configure apt sources" + ansible.builtin.template: + src: "templates/apt/sources.d/sources.list.{{ ansible_distribution }}.j2" + dest: "/etc/apt/sources.list" + owner: "root" + group: "root" + mode: "0644" + when: + - 'ansible_os_family == "Debian"' + - 'ansible_distribution_major_version <= "23"' + notify: "apt force cache update" + + # configure apt sources + - name: "apt - config - configure apt sources" + ansible.builtin.template: + src: "templates/apt/sources.d/{{ ansible_distribution }}.sources.j2" + dest: "/etc/apt/sources.list.d/ubuntu.sources" + owner: "root" + group: "root" + mode: "0644" + when: + - 'ansible_distribution == "Ubuntu"' + - 'ansible_distribution_major_version >= "24"' + notify: "apt force cache update" + + # delete unused sources.list + - name: "apt - config - remove old sources.list" + ansible.builtin.file: + path: "/etc/apt/sources.list" + state: "absent" + when: + - 'ansible_distribution == "Ubuntu"' + - 'ansible_distribution_major_version >= "24"' -# delete unused sources.list -- name: "apt - config - 
remove old sources.list" - ansible.builtin.file: - path: "/etc/apt/sources.list" - state: "absent" - when: - - 'ansible_distribution == "Ubuntu"' - - 'ansible_distribution_major_version >= "24"' tags: - "apt" diff --git a/tasks/firewall/firewall-rules-routed.yaml b/tasks/firewall/firewall-rules-routed.yaml index 8b863f0..b88a3d1 100644 --- a/tasks/firewall/firewall-rules-routed.yaml +++ b/tasks/firewall/firewall-rules-routed.yaml @@ -1,26 +1,29 @@ --- # basic firewall rules -- name: "firewall - allow incoming routed traffic" - community.general.ufw: - rule: "allow" - route: "yes" - src: "{{ item[0] }}" - dest: "{{ item[1] }}" - with_nested: - - "{{ __rule['source_nets'] }}" - - "{{ __rule['destination_nets'] }}" - tags: - - "firewall" +- name: "basic firewall rules" + block: -- name: "firewall - allow outgoing routed traffic" - community.general.ufw: - rule: "allow" - route: "yes" - src: "{{ item[1] }}" - dest: "{{ item[0] }}" - with_nested: - - "{{ __rule['source_nets'] }}" - - "{{ __rule['destination_nets'] }}" + # basic firewall rules + - name: "firewall - allow incoming routed traffic" + community.general.ufw: + rule: "allow" + route: "yes" + src: "{{ item[0] }}" + dest: "{{ item[1] }}" + with_nested: + - "{{ __rule['source_nets'] }}" + - "{{ __rule['destination_nets'] }}" + + - name: "firewall - allow outgoing routed traffic" + community.general.ufw: + rule: "allow" + route: "yes" + src: "{{ item[1] }}" + dest: "{{ item[0] }}" + with_nested: + - "{{ __rule['source_nets'] }}" + - "{{ __rule['destination_nets'] }}" + tags: - "firewall" diff --git a/tasks/main.yaml b/tasks/main.yaml index 6a86651..637d850 100644 --- a/tasks/main.yaml +++ b/tasks/main.yaml 
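Review bot: The version gates compare `ansible_distribution_major_version` as strings (`<= "23"`, `>= "24"`), which is lexicographic: a single-digit major such as `"9"` sorts above `"23"` and would be excluded from the `sources.list` task, and any future value with a different digit count goes the wrong way too. Ansible's `version` test compares numerically: `- ansible_distribution_major_version is version('24', '<')` for the first task and `is version('24', '>=')` for the other two. The two template tasks also share the name `apt - config - configure apt sources`, which makes `--list-tasks` and log output ambiguous; naming them by target (`... sources.list` / `... ubuntu.sources`) would help.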
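Review bot: The second task (`firewall - allow outgoing routed traffic`) adds a mirrored `allow route` from every `destination_nets` entry to every `source_nets` entry, which lets hosts on the destination side initiate new connections back, not merely answer; ufw's shipped `before.rules` already accepts `RELATED,ESTABLISHED` forwarded traffic, so replies to flows allowed by the first task do not need it. If one-way access is the intent, drop the second task; if two-way access is intended, a comment such as `# deliberately bidirectional: either net may initiate` should say so. Neither rule restricts `proto` or `port`, so every pair opens all protocols between the nets — acceptable for trusted segments, but worth stating in the comment. `__rule` is supplied by the including task file, which is outside this hunk.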
@@ -1,35 +1,18 @@ --- -# check os support -- name: "check for os support" - ansible.builtin.import_tasks: "ossupport.yaml" - tags: - - "apt" - - "apt-cleanup" - - "cron" - - "environment-file" - - "hostname" - - "firewall" - - "journald" - - "locale" - - "lldp" - - "lxd" - - "motd" - - "ntp" - - "telemetry" - - "snap" - - "sshd" - - "swap" - - "sysctl" - - "systemctl" - - "syslog" - - "timezone" - - "usermanagement" +# import ossupport and load variables +- name: "import ossupport and load variables" + block: + + # check os support + - name: "check for os support" + ansible.builtin.import_tasks: "ossupport.yaml" + + # load os variables + - name: "include os specific vars" + ansible.builtin.include_vars: "{{ ansible_os_family }}.yaml" + when: "os_support" -# load os variables -- name: "include os specific vars" - ansible.builtin.include_vars: "{{ ansible_os_family }}.yaml" - when: "os_support" tags: - "apt" - "apt-cleanup" diff --git a/tasks/motd.yaml b/tasks/motd.yaml index 0b90a30..0d2c7b2 100644 --- a/tasks/motd.yaml +++ b/tasks/motd.yaml 
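Review bot: `include os specific vars` is skipped when `os_support` is false, but nothing in this hunk stops the rest of the role, so an unsupported host would continue into the later task files with the family variables undefined (unless `ossupport.yaml`, not shown here, already fails the host). Ending the host explicitly after the check, `- ansible.builtin.meta: end_host` with `when: "not os_support"`, makes that contract visible in `main.yaml` itself. The block's `tags` list continues past the end of the hunk.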
@@ -1,43 +1,41 @@ --- -# find old motd files -- name: "motd - find old scripts" - ansible.builtin.find: - paths: "/etc/update-motd.d/" - file_type: "file" - excludes: - - "10-custom-motd" - register: "old_motd" - tags: - - "motd" +- name: "manage motd" + block: -# remove old custom motd files -- name: "motd - cleanup directory" - ansible.builtin.file: - path: "{{ item.path }}" - state: "absent" - loop: "{{ old_motd.files }}" - when: "old_motd.files|length > 0" - tags: - - "motd" + # find old motd files + - name: "motd - find old scripts" + ansible.builtin.find: + paths: "/etc/update-motd.d/" + file_type: "file" + excludes: + - "10-custom-motd" + register: "old_motd" -# remove old motd files -- name: "motd - cleanup main file" - ansible.builtin.file: - path: "/etc/motd" - state: "absent" - when: "inventory_hostname != 'bastion.siempie.internal'" - tags: - - "motd" + # remove old custom motd files + - name: "motd - cleanup directory" + ansible.builtin.file: + path: "{{ item.path }}" + state: "absent" + loop: "{{ old_motd.files }}" + when: "old_motd.files|length > 0" + + # remove old motd files + - name: "motd - cleanup main file" + ansible.builtin.file: + path: "/etc/motd" + state: "absent" + when: "inventory_hostname != 'bastion.siempie.internal'" + + # configure motd + - name: "motd - siempie" + ansible.builtin.template: + src: "templates/motd/motd.sh.j2" + dest: "/etc/update-motd.d/10-custom-motd" + owner: "root" + group: "root" + mode: "0755" + when: 'ansible_os_family == "Debian"' -# configure motd -- name: "motd - siempie" - ansible.builtin.template: - src: "templates/motd/motd.sh.j2" - dest: "/etc/update-motd.d/10-custom-motd" - owner: "root" - group: "root" - mode: "0755" - when: 'ansible_os_family == "Debian"' tags: - "motd" diff --git a/tasks/ntp.yaml b/tasks/ntp.yaml index b88320d..85a01e4 100644 --- a/tasks/ntp.yaml +++ b/tasks/ntp.yaml 
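Review bot: The `find old scripts` and `cleanup directory` tasks run on every OS family while the replacement `10-custom-motd` is only templated `when: 'ansible_os_family == "Debian"'`, so a non-Debian host would have `/etc/update-motd.d/` emptied without a replacement; moving the `when` to the block next to `tags` keeps the four tasks consistent. The cleanup also deletes the distribution's own scripts, which on Ubuntu include the ones announcing pending updates and a required reboot; if losing those signals is intended, the comment should say so. The exclusion `inventory_hostname != 'bastion.siempie.internal'` hard-codes one host into a reusable role — a variable such as `motd_keep_static_file: false` would be the cleaner switch.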
@@ -1,23 +1,25 @@ --- -# install chrony -- name: "ntp - install - chrony debian" - ansible.builtin.apt: - name: "chrony" - state: "present" - when: 'ansible_os_family == "Debian"' - tags: - - "ntp" +- name: "manage ntp" + block: + + # install chrony + - name: "ntp - install - chrony debian" + ansible.builtin.apt: + name: "chrony" + state: "present" + when: 'ansible_os_family == "Debian"' + + # configure chrony + - name: "ntp - config - configure chrony" + ansible.builtin.template: + src: "templates/chrony/chrony.conf.j2" + dest: "/etc/chrony/chrony.conf" + owner: "root" + group: "root" + mode: "0644" + when: 'ansible_os_family == "Debian"' + notify: "restart chrony" -# configure chrony -- name: "ntp - config - configure chrony" - ansible.builtin.template: - src: "templates/chrony/chrony.conf.j2" - dest: "/etc/chrony/chrony.conf" - owner: "root" - group: "root" - mode: "0644" - when: 'ansible_os_family == "Debian"' - notify: "restart chrony" tags: - "ntp" diff --git a/tasks/snap/snap_daemon.yaml b/tasks/snap/snap_daemon.yaml index d270129..57af142 100644 --- a/tasks/snap/snap_daemon.yaml +++ b/tasks/snap/snap_daemon.yaml 
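Review bot: The `configure chrony` template task has no `validate:`, so a mistake in `chrony.conf.j2` is only discovered when the `restart chrony` handler fails and the host is left without time sync, which quietly degrades TLS certificate checks, Kerberos and log correlation. chronyd's `-p` option (print the parsed config and exit, available in recent releases) checks a file without starting the daemon: `validate: "chronyd -p -f %s"` on the template task rejects a bad render before it replaces the live config. The install task also does not ensure the service is enabled; Debian packaging normally does, but an explicit `ansible.builtin.service` task like the one in `snap_daemon.yaml` would make that independent of the package postinst.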
@@ -1,38 +1,37 @@ --- -# set defaults -- name: "set facts" - ansible.builtin.set_fact: - __snapd_service: "{{ snapd_service | default('false') }}" - tags: - - "snap" +# manage snapd +- name: "manage snapd" + block: -# purge snapd -- name: "snapd - purge - package" - ansible.builtin.apt: - name: "snapd" - state: "absent" - purge: "yes" - when: "not __snapd_service" - tags: - - "snap" + # set defaults + - name: "set facts" + ansible.builtin.set_fact: + __snapd_service: "{{ snapd_service | default('false') }}" -# install snapd -- name: "snapd - install - package" - ansible.builtin.apt: - name: "snapd" - state: "present" - cache_valid_time: "120" - when: "__snapd_service" - tags: - - "snap" + # purge snapd + - name: "snapd - purge - package" + ansible.builtin.apt: + name: "snapd" + state: "absent" + purge: "yes" + when: "not __snapd_service" + + # install snapd + - name: "snapd - install - package" + ansible.builtin.apt: + name: "snapd" + state: "present" + cache_valid_time: "120" + when: "__snapd_service" + + # enable snapd + - name: "snapd - enable snapd service" + ansible.builtin.service: + name: "snapd" + state: "started" + enabled: true + when: "__snapd_service" -# enable snapd -- name: "snapd - enable snapd service" - ansible.builtin.service: - name: "snapd" - state: "started" - enabled: true - when: "__snapd_service" tags: - "snap" diff --git a/tasks/swap.yaml b/tasks/swap.yaml index e50b33d..dc3f8ce 100644 --- a/tasks/swap.yaml +++ b/tasks/swap.yaml 
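Review bot: `set facts` stores `snapd_service | default('false')`, a quoted string rather than a boolean, so `__snapd_service` only ends up as `False` because `set_fact` coerces boolean-looking strings in non-native Jinja mode; with `jinja2_native` enabled, which newer ansible-core releases default to, it stays the string `'false'`, `when: "not __snapd_service"` evaluates false (a non-empty string is truthy) and the purge never runs. Use a real boolean and make the intent explicit: `__snapd_service: "{{ snapd_service | default(false) | bool }}"`. The same `default('true')`/`default('False')` string pattern appears in `swap.yaml` and `user.yaml` in this commit.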
@@ -1,94 +1,81 @@ --- -# enable or disable swap -- name: "swap - set variable" - ansible.builtin.set_fact: - __swap: "{{ swap | default('true') }}" - tags: - - "swap" +# manage swap +- name: "manage swap" + block: -# verify swapfile -- name: "swap - verify swapfile" - ansible.builtin.stat: - path: "{{ swap_file_location | default('/swapfile') }}" - register: "swap_file_check" - tags: - - "swap" + # enable or disable swap + - name: "swap - set variable" + ansible.builtin.set_fact: + __swap: "{{ swap | default('true') }}" -## create swap -# create swap file -- name: "swap - create swap file" - ansible.builtin.command: "fallocate -l {{ swap_file_size }} {{ swap_file_location }}" - when: "not swap_file_check.stat.exists and __swap" - tags: - - "swap" + # verify swapfile + - name: "swap - verify swapfile" + ansible.builtin.stat: + path: "{{ swap_file_location | default('/swapfile') }}" + register: "swap_file_check" -# set swap file permissions -- name: "swap - set permissions " - ansible.builtin.file: - path: "{{ swap_file_location }}" - owner: "root" - group: "root" - mode: "0600" - when: "__swap" - tags: - - "swap" + ## create swap + # create swap file + - name: "swap - create swap file" + ansible.builtin.command: "fallocate -l {{ swap_file_size }} {{ swap_file_location }}" + when: "not swap_file_check.stat.exists and __swap" -# 'format' swapfile -- name: "swap - format swap file" - ansible.builtin.command: "mkswap {{ swap_file_location }}" - when: "not swap_file_check.stat.exists and __swap" - tags: - - "swap" + # set swap file permissions + - name: "swap - set permissions " + ansible.builtin.file: + path: "{{ swap_file_location }}" + owner: "root" + group: "root" + mode: "0600" + when: "__swap" -# configure fstab -- name: "swap - configure fstab" - ansible.posix.mount: - name: "swapfile" - src: "{{ swap_file_location | default('/swapfile') }}" - fstype: "swap" - opts: "sw" - passno: "0" - dump: "0" - state: "present" - when: "__swap" - tags: - - "swap" + # 'format' 
swapfile + - name: "swap - format swap file" + ansible.builtin.command: "mkswap {{ swap_file_location }}" + when: "not swap_file_check.stat.exists and __swap" -# enable swap -- name: "swap - enable swap" - ansible.builtin.command: "swapon -a" - when: "not swap_file_check.stat.exists and __swap" - tags: - - "swap" + # configure fstab + - name: "swap - configure fstab" + ansible.posix.mount: + name: "swapfile" + src: "{{ swap_file_location | default('/swapfile') }}" + fstype: "swap" + opts: "sw" + passno: "0" + dump: "0" + state: "present" + when: "__swap" -## delete swap -# disable swap -- name: "swap - disable swap" - ansible.builtin.command: "swapoff -a" - when: "swap_file_check.stat.exists and not __swap" - tags: - - "swap" + # enable swap + - name: "swap - enable swap" + ansible.builtin.command: "swapon -a" + when: "not swap_file_check.stat.exists and __swap" -# delete swap file -- name: "swap - delete swap file" - ansible.builtin.file: - path: "{{ swap_file_location }}" - state: "absent" - when: "swap_file_check.stat.exists and not __swap" - tags: - - "swap" + ## delete swap + # disable swap + - name: "swap - disable swap" + ansible.builtin.command: "swapoff -a" + when: "swap_file_check.stat.exists and not __swap" + + # delete swap file + - name: "swap - delete swap file" + ansible.builtin.file: + path: "{{ swap_file_location }}" + state: "absent" + when: "swap_file_check.stat.exists and not __swap" + + # configure fstab + - name: "swap - configure fstab" + ansible.posix.mount: + name: "swapfile" + src: "{{ swap_file_location | default('/swapfile') }}" + fstype: "swap" + opts: "sw" + passno: "0" + dump: "0" + state: "absent" + when: "not __swap" -# configure fstab -- name: "swap - configure fstab" - ansible.posix.mount: - name: "swapfile" - src: "{{ swap_file_location | default('/swapfile') }}" - fstype: "swap" - opts: "sw" - passno: "0" - dump: "0" - state: "absent" - when: "not __swap" tags: - "swap" 
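Review bot: `swap_file_location` is read with `| default('/swapfile')` in `verify swapfile` and both `configure fstab` tasks but bare in `create swap file`, `set permissions`, `format swap file` and `delete swap file`, so a host that relies on the default passes the stat check and then fails on `fallocate` with an undefined variable. Resolve it once in `swap - set variable` (`__swap_file: "{{ swap_file_location | default('/swapfile') }}"`) and use `__swap_file` in every task. The fstab entries use `name: "swapfile"` as the mount point; for swap the conventional value is `none`, which is what the resulting `/etc/fstab` line is expected to carry. `__swap: "{{ swap | default('true') }}"` stores a string, not a boolean; `default(true) | bool` removes the dependency on `set_fact`'s string coercion.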
diff --git a/tasks/syslog/config.yaml b/tasks/syslog/config.yaml index a74146a..80e44aa 100644 --- a/tasks/syslog/config.yaml +++ b/tasks/syslog/config.yaml 
@@ -1,53 +1,52 @@ --- -# configure rsyslogd - debian -- name: "syslog - config - rsyslog - debian" - ansible.builtin.template: - src: "templates/syslog/rsyslog/rsyslog.debian.conf.j2" - dest: "/etc/rsyslog.conf" - owner: "root" - group: "root" - mode: "0644" - when: 'ansible_distribution == "Debian"' - notify: "restart rsyslog" - tags: - - "syslog" +# manage syslog +- name: "manage syslog" + block: -# configure rsyslogd - ubuntu -- name: "syslog - config - rsyslog - ubuntu" - ansible.builtin.template: - src: "templates/syslog/rsyslog/rsyslog.ubuntu.conf.j2" - dest: "/etc/rsyslog.conf" - owner: "root" - group: "root" - mode: "0644" - when: 'ansible_distribution == "Ubuntu"' - notify: "restart rsyslog" - tags: - - "syslog" + # configure rsyslogd - debian + - name: "syslog - config - rsyslog - debian" + ansible.builtin.template: + src: "templates/syslog/rsyslog/rsyslog.debian.conf.j2" + dest: "/etc/rsyslog.conf" + owner: "root" + group: "root" + mode: "0644" + when: 'ansible_distribution == "Debian"' + notify: "restart rsyslog" -# configure rsyslogd - apt -- name: "syslog - config - apt" - ansible.builtin.template: - src: "templates/syslog/rsyslog.d/apt.conf.j2" - dest: "/etc/rsyslog.d/apt.conf" - owner: "root" - group: "root" - mode: "0644" - when: 'ansible_os_family == "Debian"' - notify: "restart rsyslog" - tags: - - "syslog" + # configure rsyslogd - ubuntu + - name: "syslog - config - rsyslog - ubuntu" + ansible.builtin.template: + src: "templates/syslog/rsyslog/rsyslog.ubuntu.conf.j2" + dest: "/etc/rsyslog.conf" + owner: "root" + group: "root" + mode: "0644" + when: 'ansible_distribution == "Ubuntu"' + notify: "restart rsyslog" + + # configure rsyslogd - apt + - name: "syslog - config - apt" + ansible.builtin.template: + src: "templates/syslog/rsyslog.d/apt.conf.j2" + dest: "/etc/rsyslog.d/apt.conf" + owner: "root" + group: "root" + mode: "0644" + when: 'ansible_os_family == "Debian"' + notify: "restart rsyslog" + + # configure rsyslogd - observium + - name: 
"syslog - config - remote-logging" + ansible.builtin.template: + src: "templates/syslog/rsyslog.d/remote-logging.j2" + dest: "/etc/rsyslog.d/remote-logging.conf" + owner: "root" + group: "root" + mode: "0644" + when: 'ansible_os_family == "Debian"' + notify: "restart rsyslog" -# configure rsyslogd - observium -- name: "syslog - config - remote-logging" - ansible.builtin.template: - src: "templates/syslog/rsyslog.d/remote-logging.j2" - dest: "/etc/rsyslog.d/remote-logging.conf" - owner: "root" - group: "root" - mode: "0644" - when: 'ansible_os_family == "Debian"' - notify: "restart rsyslog" tags: - "syslog" diff --git a/tasks/user.yaml b/tasks/user.yaml index 5ee790a..7b26af6 100644 --- a/tasks/user.yaml +++ b/tasks/user.yaml 
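Review bot: Neither `rsyslog.conf` template task validates its render, so a bad line in `rsyslog.debian.conf.j2` or `rsyslog.ubuntu.conf.j2` is only caught when the `restart rsyslog` handler fails, leaving the host without local or remote logging until someone notices; `validate: "rsyslogd -N1 -f %s"` on both tasks rejects the file before it replaces `/etc/rsyslog.conf`. The drop-ins under `rsyslog.d/` may not pass that check in isolation, so the forwarding config deserves at least a post-restart check that the service is active. The comment above the last task still says `observium` while the task installs `remote-logging.conf`; `# configure rsyslogd - remote log forwarding` matches what it does.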
@@ -1,81 +1,74 @@ --- -# manage facts -- name: "user - set default facts for {{ __user['username'] }}" - ansible.builtin.set_fact: - sudo_hosts: "{{ __user['hosts'] | default('all') }}" - sudo_file: "{{ __user['sudo'] | default('False') }}" - sudo_pwless: "{{ __user['sudo_passwordless'] | default('False') }}" - user_state: "{{ __user['state'] | default('present') }}" - tags: - - "usermanagement" +# manage users +- name: "manage users" + block: -# create users -- name: "user - create users with password - {{ __user['username'] }}" - ansible.builtin.user: - name: "{{ __user['username'] }}" - comment: "{{ __user['name'] }}" - password: "{{ __user['password'] }}" - shell: "{{ __user['shell'] | default('/bin/bash') }}" - state: "present" - when: - - "__user['password'] is defined" - - "user_state == 'present'" - tags: - - "usermanagement" + # manage facts + - name: "user - set default facts for {{ __user['username'] }}" + ansible.builtin.set_fact: + sudo_hosts: "{{ __user['hosts'] | default('all') }}" + sudo_file: "{{ __user['sudo'] | default('False') }}" + sudo_pwless: "{{ __user['sudo_passwordless'] | default('False') }}" + user_state: "{{ __user['state'] | default('present') }}" -- name: "user - create users withouth password - {{ __user['username'] }}" - ansible.builtin.user: - name: "{{ __user['username'] }}" - comment: "{{ __user['name'] }}" - shell: "{{ __user['shell'] | default('/bin/bash') }}" - state: "state" - when: - - "__user['password'] is not defined" - - "user_state == 'present'" - tags: - - "usermanagement" + # create users + - name: "user - create users with password - {{ __user['username'] }}" + ansible.builtin.user: + name: "{{ __user['username'] }}" + comment: "{{ __user['name'] }}" + password: "{{ __user['password'] }}" + shell: "{{ __user['shell'] | default('/bin/bash') }}" + state: "present" + when: + - "__user['password'] is defined" + - "user_state == 'present'" -# manage authorized_keys -- name: "user - manage authorized_keys - {{ 
__user['username'] }}" - ansible.posix.authorized_key: - user: "{{ __user['username'] }}" - key: "{{ __user['publickey'] }}" - state: "present" - manage_dir: "true" - when: - - "__user['publickey'] is defined" - tags: - - "usermanagement" + - name: "user - create users withouth password - {{ __user['username'] }}" + ansible.builtin.user: + name: "{{ __user['username'] }}" + comment: "{{ __user['name'] }}" + shell: "{{ __user['shell'] | default('/bin/bash') }}" + state: "state" + when: + - "__user['password'] is not defined" + - "user_state == 'present'" -# delete users -- name: "user - delete users - {{ __user['username'] }}" - ansible.builtin.user: - name: "{{ __user['username'] }}" - state: "absent" - remove: "yes" - when: "user_state == 'absent'" - tags: - - "usermanagement" + # manage authorized_keys + - name: "user - manage authorized_keys - {{ __user['username'] }}" + ansible.posix.authorized_key: + user: "{{ __user['username'] }}" + key: "{{ __user['publickey'] }}" + state: "present" + manage_dir: "true" + when: + - "__user['publickey'] is defined" -# manage sudoers file -- name: "user - create sudoers file - {{ __user['username'] }}" - ansible.builtin.template: - src: "templates/usermanagement/sudoers.d/sudoers.j2" - dest: "/etc/sudoers.d/{{ __user['username'] }}" - owner: "root" - group: "root" - mode: "0644" - when: - - "sudo_file" - tags: - - "usermanagement" + # delete users + - name: "user - delete users - {{ __user['username'] }}" + ansible.builtin.user: + name: "{{ __user['username'] }}" + state: "absent" + remove: "yes" + when: "user_state == 'absent'" + + # manage sudoers file + - name: "user - create sudoers file - {{ __user['username'] }}" + ansible.builtin.template: + src: "templates/usermanagement/sudoers.d/sudoers.j2" + dest: "/etc/sudoers.d/{{ __user['username'] }}" + owner: "root" + group: "root" + mode: "0644" + when: + - "sudo_file" + + - name: "user - delete sudoers file - {{ __user['username'] }}" + ansible.builtin.file: + state: 
"absent" + path: "/etc/sudoers.d/{{ __user['username'] }}" + when: + - "not sudo_file" -- name: "user - delete sudoers file - {{ __user['username'] }}" - ansible.builtin.file: - state: "absent" - path: "/etc/sudoers.d/{{ __user['username'] }}" - when: - - "not sudo_file" tags: - "usermanagement"
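Review bot: The `create users withouth password` task sets `state: "state"`, which is not a valid value for `ansible.builtin.user` (`present`/`absent`), so every user defined without a `password` key fails the play instead of being created; it should be `state: "present"` like the task above it (and `withouth` → `without` in the name). `manage authorized_keys` is not gated on `user_state == 'present'`, so a user marked `absent` that still carries a `publickey` makes `authorized_key` fail on the missing account before `delete users` runs — add `- "user_state == 'present'"` to its `when`. The sudoers drop-in is written with `mode: "0644"` and no validation; sudo expects `0440` for files in `/etc/sudoers.d` and a syntax error there can lock every administrator out of sudo, so use `mode: "0440"` together with `validate: "visudo -cf %s"`.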