# # Add users expected by tests. Assumes passwordless sudo to root. # # WARNING: this creates non-privilged accounts with pre-set passwords! # - hosts: all vars_files: - shared_vars.yml gather_facts: true strategy: mitogen_free become: true vars: distro: "{{ansible_distribution}}" ver: "{{ansible_distribution_major_version}}" special_users: - has_sudo - has_sudo_nopw - has_sudo_pubkey - pw_required - readonly_homedir - require_tty - require_tty_pw_required - permdenied - slow_user - webapp - sudo1 - sudo2 - sudo3 - sudo4 user_groups: has_sudo: ['mitogen__group', '{{sudo_group[distro]}}'] has_sudo_pubkey: ['mitogen__group', '{{sudo_group[distro]}}'] has_sudo_nopw: ['mitogen__group', 'mitogen__sudo_nopw'] sudo1: ['mitogen__group', 'mitogen__sudo_nopw'] sudo2: ['mitogen__group', '{{sudo_group[distro]}}'] sudo3: ['mitogen__group', '{{sudo_group[distro]}}'] sudo4: ['mitogen__group', '{{sudo_group[distro]}}'] normal_users: "{{ lookup('sequence', 'start=1 end=5 format=user%d', wantlist=True) }}" all_users: "{{ special_users + normal_users }}" tasks: - name: Disable non-localhost SSH for Mitogen users when: false blockinfile: path: /etc/ssh/sshd_config block: | Match User mitogen__* Address !127.0.0.1 DenyUsers * - name: Create Mitogen test groups group: name: "mitogen__{{item}}" with_items: - group - sudo_nopw - name: Create user accounts block: - user: name: "mitogen__{{item}}" shell: /bin/bash groups: "{{user_groups[item]|default(['mitogen__group'])}}" password: "{{ (item + '_password') | password_hash('sha256') }}" with_items: "{{all_users}}" when: ansible_system != 'Darwin' - user: name: "mitogen__{{item}}" shell: /bin/bash groups: | {{ ['com.apple.access_ssh'] + (user_groups[item] | default(['mitogen__group'])) }} password: "{{item}}_password" with_items: "{{all_users}}" when: ansible_system == 'Darwin' - name: Hide users from login window (Darwin). when: ansible_system == 'Darwin' with_items: "{{all_users}}" osx_defaults: array_add: true domain: /Library/Preferences/com.apple.loginwindow type: array key: HiddenUsersList value: ['mitogen_{{item}}'] - name: Check if AccountsService is used stat: path: /var/lib/AccountsService/users register: out - name: Hide users from login window (Linux). when: ansible_system == 'Linux' and out.stat.exists with_items: "{{all_users}}" copy: dest: /var/lib/AccountsService/users/mitogen__{{item}} content: | [User] SystemAccount=true - name: Restart AccountsService (Linux). when: ansible_system == 'Linux' and out.stat.exists service: name: accounts-daemon restarted: true - name: Readonly homedir for one account shell: "chown -R root: ~mitogen__readonly_homedir" - name: Slow bash profile for one account copy: dest: ~mitogen__slow_user/.{{item}} src: ../data/docker/mitogen__slow_user.profile with_items: - bashrc - profile - name: "Login throws permission denied errors (issue #271)" copy: dest: ~mitogen__permdenied/.{{item}} src: ../data/docker/mitogen__permdenied.profile with_items: - bashrc - profile - name: Install pubkey for mitogen__has_sudo_pubkey block: - file: path: ~mitogen__has_sudo_pubkey/.ssh state: directory mode: go= owner: mitogen__has_sudo_pubkey - copy: dest: ~mitogen__has_sudo_pubkey/.ssh/authorized_keys src: ../data/docker/mitogen__has_sudo_pubkey.key.pub mode: go= owner: mitogen__has_sudo_pubkey - name: Install slow profile for one account block: - copy: dest: ~mitogen__slow_user/.profile src: ../data/docker/mitogen__slow_user.profile - copy: dest: ~mitogen__slow_user/.bashrc src: ../data/docker/mitogen__slow_user.profile - name: Require a TTY for two accounts lineinfile: path: /etc/sudoers line: "{{item}}" with_items: - Defaults>mitogen__pw_required targetpw - Defaults>mitogen__require_tty requiretty - Defaults>mitogen__require_tty_pw_required requiretty,targetpw - name: Require password for two accounts lineinfile: path: /etc/sudoers line: "{{lookup('pipe', 'whoami')}} ALL = ({{item}}:ALL) ALL" validate: '/usr/sbin/visudo -cf %s' with_items: - mitogen__pw_required - mitogen__require_tty_pw_required - name: Allow passwordless sudo for require_tty/readonly_homedir lineinfile: path: /etc/sudoers line: "{{lookup('pipe', 'whoami')}} ALL = ({{item}}:ALL) NOPASSWD:ALL" validate: '/usr/sbin/visudo -cf %s' with_items: - mitogen__require_tty - mitogen__readonly_homedir - name: Allow passwordless for many accounts lineinfile: path: /etc/sudoers line: "{{lookup('pipe', 'whoami')}} ALL = (mitogen__{{item}}:ALL) NOPASSWD:ALL" validate: '/usr/sbin/visudo -cf %s' with_items: "{{normal_users}}"