feat: add option to set account expiration after inactivity
All checks were successful
continuous-integration/drone/push Build is passing

This commit is contained in:
Robert Kaussow 2022-09-20 09:10:15 +02:00
parent fbabf36b43
commit 3d6f7b9129
Signed by: xoxys
GPG Key ID: 4E692A2EAECC03C0
4 changed files with 45 additions and 34 deletions

View File

@ -15,6 +15,7 @@ users_default_groups: []
users_global_umask: "022" users_global_umask: "022"
users_pass_min_day: 1 users_pass_min_day: 1
users_default_inactive: -1
users_global_bash_aliases: users_global_bash_aliases:
- alias: "ll" - alias: "ll"

View File

@ -1,14 +1,5 @@
--- ---
- block: - block:
- name: Stat umask files
stat:
path: "{{ item }}"
loop:
- /etc/bashrc
- /etc/csh.cshrc
- /etc/profile
register: __users_umask_files
- name: Override default .bashrc - name: Override default .bashrc
template: template:
src: etc/bashrc.j2 src: etc/bashrc.j2
@ -25,28 +16,5 @@
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
- name: Set global umask
replace:
path: "{{ item }}"
regexp: '^(?i)(?P<umask>\s+UMASK\s+).+'
replace: \g<umask>{{ users_global_umask }}
loop: "{{ __users_umask_files | json_query('results[?stat.exists].item') }}"
- name: Set umask in /etc/login.defs
lineinfile:
path: /etc/login.defs
regexp: '^(?P<umask>UMASK\s+).+'
line: \g<umask>{{ users_global_umask }}
backrefs: yes
state: present
- name: Enforce minimum password lifetime
lineinfile:
path: /etc/login.defs
regexp: '^(?P<passmin>PASS_MIN_DAYS\s+).+'
line: \g<passmin>{{ users_pass_min_day }}
backrefs: yes
state: present
become: True become: True
become_user: root become_user: root

View File

@ -9,8 +9,8 @@
- "vars" - "vars"
errors: "ignore" errors: "ignore"
- include_tasks: security.yml
- include_tasks: bash.yml - include_tasks: bash.yml
- include_tasks: "{{ lookup('first_found', params) }}" - include_tasks: "{{ lookup('first_found', params) }}"
vars: vars:
params: params:
@ -20,5 +20,4 @@
- "users_default.yml" - "users_default.yml"
paths: paths:
- "tasks" - "tasks"
- include_tasks: users_keys.yml - include_tasks: users_keys.yml

43
tasks/security.yml Normal file
View File

@ -0,0 +1,43 @@
---
- block:
- name: Stat umask files
stat:
path: "{{ item }}"
loop:
- /etc/bashrc
- /etc/csh.cshrc
- /etc/profile
register: __users_umask_files
- name: Set global umask
replace:
path: "{{ item }}"
regexp: '^(?i)(?P<umask>\s+UMASK\s+).+'
replace: \g<umask>{{ users_global_umask }}
loop: "{{ __users_umask_files | json_query('results[?stat.exists].item') }}"
- name: Set umask in /etc/login.defs
lineinfile:
path: /etc/login.defs
regexp: '^(?P<umask>UMASK\s+).+'
line: \g<umask>{{ users_global_umask }}
backrefs: yes
state: present
- name: Enforce minimum password lifetime
lineinfile:
path: /etc/login.defs
regexp: '^(?P<passmin>PASS_MIN_DAYS\s+).+'
line: \g<passmin>{{ users_pass_min_day }}
backrefs: yes
state: present
- name: Set default account expiration after inactivity
lineinfile:
path: /etc/default/useradd
regexp: "^(?P<inactive>INACTIVE=).+"
line: \g<inactive>{{ users_default_inactive }}
backrefs: yes
state: present
become: True
become_user: root