feat: add option to set account expiration after inactivity

2022-09-20 09:10:15 +02:00 · 2022-09-20 09:10:15 +02:00 · 3d6f7b9129
commit 3d6f7b9129
parent fbabf36b43
4 changed files with 45 additions and 34 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -15,6 +15,7 @@ users_default_groups: []

 users_global_umask: "022"
 users_pass_min_day: 1
+users_default_inactive: -1

 users_global_bash_aliases:
  - alias: "ll"
--- a/tasks/bash.yml
+++ b/tasks/bash.yml
@ -1,14 +1,5 @@
 ---
 - block:
-    - name: Stat umask files
-      stat:
-        path: "{{ item }}"
-      loop:
-        - /etc/bashrc
-        - /etc/csh.cshrc
-        - /etc/profile
-      register: __users_umask_files
-
    - name: Override default .bashrc
      template:
        src: etc/bashrc.j2
@ -25,28 +16,5 @@
        owner: root
        group: root
        mode: 0644
-
-    - name: Set global umask
-      replace:
-        path: "{{ item }}"
-        regexp: '^(?i)(?P<umask>\s+UMASK\s+).+'
-        replace: \g<umask>{{ users_global_umask }}
-      loop: "{{ __users_umask_files | json_query('results[?stat.exists].item') }}"
-
-    - name: Set umask in /etc/login.defs
-      lineinfile:
-        path: /etc/login.defs
-        regexp: '^(?P<umask>UMASK\s+).+'
-        line: \g<umask>{{ users_global_umask }}
-        backrefs: yes
-        state: present
-
-    - name: Enforce minimum password lifetime
-      lineinfile:
-        path: /etc/login.defs
-        regexp: '^(?P<passmin>PASS_MIN_DAYS\s+).+'
-        line: \g<passmin>{{ users_pass_min_day }}
-        backrefs: yes
-        state: present
  become: True
  become_user: root
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -9,8 +9,8 @@
        - "vars"
      errors: "ignore"

+- include_tasks: security.yml
 - include_tasks: bash.yml
-
 - include_tasks: "{{ lookup('first_found', params) }}"
  vars:
    params:
@ -20,5 +20,4 @@
        - "users_default.yml"
      paths:
        - "tasks"
-
 - include_tasks: users_keys.yml
--- a/tasks/security.yml
+++ b/tasks/security.yml
@ -0,0 +1,43 @@
+---
+- block:
+    - name: Stat umask files
+      stat:
+        path: "{{ item }}"
+      loop:
+        - /etc/bashrc
+        - /etc/csh.cshrc
+        - /etc/profile
+      register: __users_umask_files
+
+    - name: Set global umask
+      replace:
+        path: "{{ item }}"
+        regexp: '^(?i)(?P<umask>\s+UMASK\s+).+'
+        replace: \g<umask>{{ users_global_umask }}
+      loop: "{{ __users_umask_files | json_query('results[?stat.exists].item') }}"
+
+    - name: Set umask in /etc/login.defs
+      lineinfile:
+        path: /etc/login.defs
+        regexp: '^(?P<umask>UMASK\s+).+'
+        line: \g<umask>{{ users_global_umask }}
+        backrefs: yes
+        state: present
+
+    - name: Enforce minimum password lifetime
+      lineinfile:
+        path: /etc/login.defs
+        regexp: '^(?P<passmin>PASS_MIN_DAYS\s+).+'
+        line: \g<passmin>{{ users_pass_min_day }}
+        backrefs: yes
+        state: present
+
+    - name: Set default account expiration after inactivity
+      lineinfile:
+        path: /etc/default/useradd
+        regexp: "^(?P<inactive>INACTIVE=).+"
+        line: \g<inactive>{{ users_default_inactive }}
+        backrefs: yes
+        state: present
+  become: True
+  become_user: root