---
# Probe the three shell start-up files handled by the later umask task.
# Each entry of the registered results records the probed path (item)
# and whether it exists (stat.exists).
- name: Stat umask files
  ansible.builtin.stat:
    path: '{{ item }}'
  register: __users_umask_files
  loop:
    - '/etc/bashrc'
    - '/etc/csh.cshrc'
    - '/etc/profile'
# Record whether /etc/security/pwquality.conf is present on the host; the
# result is stored in __users_pwquality_file.
- name: Stat pwquality files
  register: __users_pwquality_file
  ansible.builtin.stat:
    path: '/etc/security/pwquality.conf'
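# Rewrite the value of indented "umask <value>" lines in every start-up
# file that the earlier stat task found to exist.
- name: Set global umask
  ansible.builtin.replace:
    path: "{{ item }}"
    # Case-insensitive. The named group captures the leading whitespace and
    # the keyword so only the value after it is replaced.
    # NOTE(review): the pattern requires whitespace before the keyword, so a
    # umask line starting in column 0 is not reliably matched and would keep
    # its old value - confirm this is intended for the target distributions.
    regexp: '(?i)^(?P<umask>\s+UMASK\s+).+'
    # NOTE(review): users_global_umask is defined outside this file; it
    # should be a quoted string so YAML does not read a leading-zero value
    # as an octal integer - confirm in the role defaults.
    replace: '\g<umask>{{ users_global_umask }}'
  # Built-in Jinja2 filters select the same paths as the former
  # json_query('results[?stat.exists].item'), without needing the
  # community.general collection and the jmespath library on the controller.
  loop: "{{ __users_umask_files.results | selectattr('stat.exists') | map(attribute='item') | list }}"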
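# Set the UMASK directive in /etc/login.defs to users_global_umask.
#
# With backrefs enabled, lineinfile leaves the file unchanged when the
# regexp matches nothing, so a host whose UMASK line was missing or
# commented out kept its old default while the task still reported "ok".
# Without backrefs the last matching line is replaced, or the line is
# appended at the end of the file when there is no match.
- name: Set umask in /etc/login.defs
  ansible.builtin.lineinfile:
    path: /etc/login.defs
    regexp: '^UMASK\s+'
    # NOTE(review): users_global_umask is defined outside this file; it
    # should be a quoted string so YAML does not read a leading-zero value
    # as an octal integer - confirm in the role defaults.
    line: 'UMASK {{ users_global_umask }}'
    state: present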
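# Set PASS_MIN_DAYS in /etc/login.defs to users_pass_min_day.
#
# With backrefs enabled, lineinfile leaves the file unchanged when the
# regexp matches nothing, so a missing or commented-out PASS_MIN_DAYS line
# meant the policy was never applied while the task still reported "ok".
# Without backrefs the last matching line is replaced, or the line is
# appended at the end of the file when there is no match.
- name: Enforce minimum password lifetime
  ansible.builtin.lineinfile:
    path: /etc/login.defs
    regexp: '^PASS_MIN_DAYS\s+'
    line: 'PASS_MIN_DAYS {{ users_pass_min_day }}'
    state: present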
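# Set the INACTIVE default in /etc/default/useradd to
# users_default_inactive.
#
# The former pattern '^(?P<inactive>INACTIVE=).+' combined with backrefs
# left the file unchanged when the line was missing, commented out, or had
# an empty value ("INACTIVE="), and the task still reported "ok".
# Without backrefs the last matching line is replaced, or the line is
# appended at the end of the file when there is no match.
- name: Set default account expiration after inactivity
  ansible.builtin.lineinfile:
    path: /etc/default/useradd
    regexp: '^INACTIVE='
    line: 'INACTIVE={{ users_default_inactive }}'
    state: present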
# Render etc/security/pwquality.conf.j2 over /etc/security/pwquality.conf,
# owned by root:root with mode 0644. The task runs only when the earlier
# stat found the file on the host, so hosts without it are skipped and
# get no password-quality settings from this task.
- name: Set pwquality if available
  when: __users_pwquality_file.stat.exists | bool
  ansible.builtin.template:
    src: 'etc/security/pwquality.conf.j2'
    dest: '/etc/security/pwquality.conf'
    owner: 'root'
    group: 'root'
    # Quoted so the mode stays a string and is not parsed as a number.
    mode: '0644'