refactor: rework umask settings and global session timeout

2022-09-18 21:44:46 +02:00 · 2022-09-18 21:44:46 +02:00 · e6096b608c
parent 55c3698ae3
commit e6096b608c
6 changed files with 21 additions and 12 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -14,6 +14,7 @@ users_default_users: []
 users_default_groups: []

 users_global_umask: "022"
+users_session_timeout: 300
 users_pass_min_day: 1

 users_global_bash_aliases:
--- a/molecule/centos7/converge.yml
+++ b/molecule/centos7/converge.yml
@ -2,6 +2,7 @@
 - name: Converge
  hosts: all
  vars:
+    users_global_umask: "027"
    users_default_users:
      - name: demouser
        groups:
--- a/molecule/rocky8/converge.yml
+++ b/molecule/rocky8/converge.yml
@ -2,6 +2,7 @@
 - name: Converge
  hosts: all
  vars:
+    users_global_umask: "027"
    users_default_users:
      - name: demouser
        groups:
--- a/tasks/bash.yml
+++ b/tasks/bash.yml
@ -1,6 +1,6 @@
 ---
 - block:
-    - name: Override default .bashrc for given users
+    - name: Override default .bashrc
      template:
        src: etc/bashrc.j2
        dest: "{{ item }}"
@ -9,7 +9,7 @@
        mode: 0644
      loop: "{{ users_bash_bashrc_overrides }}"

-    - name: Setup custom bash profile at '/etc/profile.d/custom.sh'
+    - name: Setup custom bash profile
      template:
        src: etc/profile.d/custom.sh.j2
        dest: /etc/profile.d/custom.sh
@ -17,15 +17,17 @@
        group: root
        mode: 0644

-    - name: Set umask to /etc/login.defs
-      lineinfile:
-        path: /etc/login.defs
-        regexp: '^(?P<umask>UMASK\s+).+'
-        line: \g<umask>{{ users_global_umask }}
-        backrefs: yes
-        state: present
+    - name: Set global umask
+      replace:
+        path: "{{ item }}"
+        regexp: '^(?i)(?P<umask>\s+UMASK\s+).+'
+        replace: \g<umask>{{ users_global_umask }}
+      loop:
+        - /etc/bashrc
+        - /etc/csh.cshrc
+        - /etc/profile

-    - name: Enforcing minimum password lifetime
+    - name: Enforce minimum password lifetime
      lineinfile:
        path: /etc/login.defs
        regexp: '^(?P<passmin>PASS_MIN_DAYS\s+).+'
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -9,6 +9,8 @@
        - "vars"
      errors: "ignore"

+- include_tasks: bash.yml
+
 - include_tasks: "{{ lookup('first_found', params) }}"
  vars:
    params:
@ -20,4 +22,3 @@
        - "tasks"

 - include_tasks: users_keys.yml
- include_tasks: bash.yml
--- a/templates/etc/profile.d/custom.sh.j2
+++ b/templates/etc/profile.d/custom.sh.j2
@ -1,6 +1,9 @@
 #jinja2:lstrip_blocks: True
 {{ ansible_managed | comment }}
-umask {{ users_global_umask }}
+
+TMOUT={{ users_session_timeout }}
+readonly TMOUT
+export TMOUT

 # are we an interactive shell?
 if [ "$PS1" ]; then