# # Add users expected by tests to an OS X machine. Assumes passwordless sudo to # root. # # WARNING: this creates non-privilged accounts with pre-set passwords! # - hosts: test-targets gather_facts: true become: true tasks: - name: Disable non-localhost SSH for Mitogen users blockinfile: path: /etc/ssh/sshd_config block: | Match User mitogen__* Address !127.0.0.1 DenyUsers * # # Hashed passwords. # - name: Create Mitogen test group group: name: "mitogen__group" - name: Create Mitogen test users user: name: "mitogen__{{item}}" shell: /bin/bash groups: mitogen__group password: "{{ (item + '_password') | password_hash('sha256') }}" with_items: - has_sudo - has_sudo_pubkey - require_tty - pw_required - readonly_homedir - require_tty_pw_required - slow_user when: ansible_system != 'Darwin' - name: Create Mitogen test users user: name: "mitogen__user{{item}}" shell: /bin/bash password: "{{ ('user' + item + '_password') | password_hash('sha256') }}" with_sequence: start=1 end=21 when: ansible_system != 'Darwin' # # Plaintext passwords # - name: Create Mitogen test users user: name: "mitogen__{{item}}" shell: /bin/bash groups: mitogen__group password: "{{item}}_password" with_items: - has_sudo - has_sudo_pubkey - require_tty - pw_required - require_tty_pw_required - readonly_homedir - slow_user when: ansible_system == 'Darwin' - name: Create Mitogen test users user: name: "mitogen__user{{item}}" shell: /bin/bash password: "user{{item}}_password" with_sequence: start=1 end=21 when: ansible_system == 'Darwin' - name: Hide test users from login window. shell: > defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add '{{item}}' with_items: - mitogen__require_tty - mitogen__pw_required - mitogen__require_tty_pw_required when: ansible_system == 'Darwin' - name: Hide test users from login window. shell: > defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add 'mitogen__user{{item}}' with_sequence: start=1 end=21 when: ansible_distribution == 'MacOSX' - name: Readonly homedir for one account shell: "chown -R root: ~mitogen__readonly_homedir" - name: Slow bash profile for one account copy: dest: ~mitogen__slow_user/.{{item}} src: ../data/docker/mitogen__slow_user.profile with_items: - bashrc - profile - name: Install pubkey for one account file: path: ~mitogen__has_sudo_pubkey/.ssh state: directory mode: go= owner: mitogen__has_sudo_pubkey - name: Install pubkey for one account copy: dest: ~mitogen__has_sudo_pubkey/.ssh/authorized_keys src: ../data/docker/mitogen__has_sudo_pubkey.key.pub mode: go= owner: mitogen__has_sudo_pubkey - name: Require a TTY for two accounts lineinfile: path: /etc/sudoers line: "{{item}}" with_items: - Defaults>mitogen__pw_required targetpw - Defaults>mitogen__require_tty requiretty - Defaults>mitogen__require_tty_pw_required requiretty,targetpw - name: Require password for two accounts lineinfile: path: /etc/sudoers line: "{{lookup('pipe', 'whoami')}} ALL = ({{item}}) ALL" with_items: - mitogen__pw_required - mitogen__require_tty_pw_required - name: Allow passwordless for two accounts lineinfile: path: /etc/sudoers line: "{{lookup('pipe', 'whoami')}} ALL = ({{item}}) NOPASSWD:ALL" with_items: - mitogen__require_tty - mitogen__readonly_homedir - name: Allow passwordless for many accounts lineinfile: path: /etc/sudoers line: "{{lookup('pipe', 'whoami')}} ALL = (mitogen__user{{item}}) NOPASSWD:ALL" with_sequence: start=1 end=21