# # Add users expected by tests to an OS X machine. Assumes passwordless sudo to # root. # # WARNING: this creates non-privilged accounts with pre-set passwords! # - hosts: test-targets gather_facts: true become: true tasks: - name: Disable non-localhost SSH for Mitogen users blockinfile: path: /etc/ssh/sshd_config block: | Match User mitogen__* Address !127.0.0.1 DenyUsers * # # Hashed passwords. # - name: Create Mitogen test users user: name: "mitogen__{{item}}" shell: /bin/bash password: "{{ (item + '_password') | password_hash('sha256') }}" with_items: - require_tty - pw_required - require_tty_pw_required when: ansible_system != 'Darwin' - name: Create Mitogen test users user: name: "mitogen__user{{item}}" shell: /bin/bash password: "{{ ('user' + item + '_password') | password_hash('sha256') }}" with_sequence: start=1 end=21 when: ansible_system != 'Darwin' # # Plaintext passwords # - name: Create Mitogen test users user: name: "mitogen__{{item}}" shell: /bin/bash password: "{{item}}_password" with_items: - require_tty - pw_required - require_tty_pw_required when: ansible_system == 'Darwin' - name: Create Mitogen test users user: name: "mitogen__user{{item}}" shell: /bin/bash password: "user{{item}}_password" with_sequence: start=1 end=21 when: ansible_system == 'Darwin' - name: Hide test users from login window. shell: > defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add '{{item}}' with_items: - mitogen__require_tty - mitogen__pw_required - mitogen__require_tty_pw_required when: ansible_system == 'Darwin' - name: Hide test users from login window. shell: > defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add 'mitogen__user{{item}}' with_sequence: start=1 end=21 when: ansible_distribution == 'MacOSX' - name: Require a TTY for two accounts lineinfile: path: /etc/sudoers line: "{{item}}" with_items: - Defaults>mitogen__pw_required targetpw - Defaults>mitogen__require_tty requiretty - Defaults>mitogen__require_tty_pw_required requiretty,targetpw - name: Require password for two accounts lineinfile: path: /etc/sudoers line: "{{lookup('pipe', 'whoami')}} ALL = ({{item}}) ALL" with_items: - mitogen__pw_required - mitogen__require_tty_pw_required - name: Allow passwordless for one account lineinfile: path: /etc/sudoers line: "{{lookup('pipe', 'whoami')}} ALL = ({{item}}) NOPASSWD:ALL" with_items: - mitogen__require_tty - name: Allow passwordless for many accounts lineinfile: path: /etc/sudoers line: "{{lookup('pipe', 'whoami')}} ALL = (mitogen__user{{item}}) NOPASSWD:ALL" with_sequence: start=1 end=21