From 9f5fbc6a0d138eb3daa41ed8fbbcfabb2827882a Mon Sep 17 00:00:00 2001
From: jurgenhaas <juergen@paragon-es.de>
Date: Tue, 10 Dec 2013 12:42:23 +0100
Subject: [PATCH] Lock/unlock users including passwords and ssh keys

---
 defaults/main.yml                  |  1 +
 files/etc_ansible_facts_d_users_sh |  5 +++++
 tasks/cleanup.yml                  | 35 ++++++++++++++++++++++++++++++
 tasks/main.yml                     | 14 ++++++++++++
 4 files changed, 55 insertions(+)
 create mode 100644 defaults/main.yml
 create mode 100644 files/etc_ansible_facts_d_users_sh
 create mode 100644 tasks/cleanup.yml
 create mode 100644 tasks/main.yml

diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..dd16570
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1 @@
+users: []
diff --git a/files/etc_ansible_facts_d_users_sh b/files/etc_ansible_facts_d_users_sh
new file mode 100644
index 0000000..4b4c443
--- /dev/null
+++ b/files/etc_ansible_facts_d_users_sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo "[" >/etc/ansible/facts.d/users.fact
+cat /etc/passwd | perl -aF: -ne 'print "{\"name\": \"",$F[0],"\",\"home\": \"",$F[5],"\"},\n" if $F[2] > 499' >>/etc/ansible/facts.d/users.fact
+echo "0]" >>/etc/ansible/facts.d/users.fact
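Review bot: The filter `$F[2] > 499` on line 33 has no upper bound and a distro-dependent lower bound: it includes `nobody` (UID 65534) on every system and, on distributions with UID_MIN 1000, the 500–999 service-account range, and cleanup.yml then locks every one of those that is absent from `users`. Bound it to the login range the target's /etc/login.defs defines (`$F[2] >= 1000 && $F[2] < 65534` on a UID_MIN-1000 system; confirm per distro). The script also has no `set -e`, so a failing perl leaves a truncated fact file behind that the next play consumes, and the `0]` tail is a sentinel that forces every consumer to guard with `item.name is defined`; emitting the list with a join in perl and writing through a temp file avoids both. A rewrite along those lines is below; the JSON quoting still assumes passwd name/home fields contain no `"` or `\`, which is the usual case but not enforced by /etc/passwd.
```shell
#!/bin/bash
set -euo pipefail

out=/etc/ansible/facts.d/users.fact
tmp="$(mktemp "${out}.XXXXXX")"

# Login-range bound assumes a UID_MIN=1000 distro; adjust to /etc/login.defs on the targets.
perl -aF: -ne 'push @u, "{\"name\": \"$F[0]\",\"home\": \"$F[5]\"}" if $F[2] >= 1000 && $F[2] < 65534;
               END { print "[", join(",", @u), "]\n" }' /etc/passwd > "$tmp"
# mktemp creates 0600; keep the mode the original redirect produced
chmod 0644 "$tmp"
mv "$tmp" "$out"
```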
diff --git a/tasks/cleanup.yml b/tasks/cleanup.yml
new file mode 100644
index 0000000..cf84913
--- /dev/null
+++ b/tasks/cleanup.yml
@@ -0,0 +1,35 @@
+##
+# Task file in Ansible role "users" to securely lock deprecated user accounts.
+#
+
+---
+# file: cleanup.yml
+
+- name: "Make sure, the directory exists"
+  file: dest='/etc/ansible/facts.d'
+        state=directory
+        owner=root
+        group=root
+        mode=775
+- name: "Copy the extract script"
+  copy: src='etc_ansible_facts_d_users_sh'
+        dest='/etc/ansible/facts.d/users.sh'
+        owner=root
+        group=root
+        mode=755
+- name: "Extract user list"
+  shell: /etc/ansible/facts.d/users.sh
+- name: "Gather facts"
+  setup:
+- name: "Unlock legitimate user accounts"
+  command: usermod --unlock {{item.name}}
+  with_items: ansible_local.users
+  when: item.name is defined and item.name in users
+- name: "Lock deprecated user accounts"
+  command: usermod --lock {{item.name}}
+  with_items: ansible_local.users
+  when: item.name is defined and item.name not in users
+- name: "Disable ssh keys for deprecated user accounts"
+  command: rm {{item.home}}/.ssh/authorized_keys
+  with_items: ansible_local.users
+  when: item.name is defined and item.name not in users
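Review bot: `command: rm {{item.home}}/.ssh/authorized_keys` on line 73 fails the play for every deprecated account that has no authorized_keys (rm without -f is an error on a missing file) and reports changed on every run; `file: path="{{ item.home }}/.ssh/authorized_keys" state=absent` does the same removal idempotently and without that failure. The unlock task on line 65 has a similar problem: `usermod --unlock` refuses to unlock an account whose password field is empty because it would become passwordless, so one such account in `users` aborts the play, and both usermod tasks report changed on every run; checking `passwd -S` first, or at least adding a `changed_when`, keeps the play idempotent. The membership tests `item.name in users` on lines 67, 71 and 75 only work if `users` is a flat list of names; defaults/main.yml sets `users: []` but main.yml calls it "the user hash", and if entries become mappings the test never matches and every account above the UID cutoff is locked, so the expected shape of `users` deserves a comment in defaults/main.yml. Finally, `mode=775`/`mode=755` on lines 53 and 59 are read as octal only because key=value syntax passes them as strings; write them with the leading zero (`mode=0775`, `mode=0755`) so a later switch to dict syntax does not silently turn them into decimal.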
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..d1075c2
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,14 @@
+##
+# Main task file in Ansible role "users" to manage user accounts on hosts.
+#
+
+---
+# file: main.yml
+
+- name: "Check requirements: is the user hash defined"
+  local_action: shell echo "There are no users defined"
+  when: not users
+  changed_when: false
+  failed_when: not users
+
+- include: cleanup.yml
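Review bot: The requirements check on lines 89-93 goes through `local_action: shell echo` only to fail via `failed_when`, which spawns a shell and puts the message in a command result rather than in the failure itself; the `fail` module expresses this directly in two lines, `- fail: msg="There are no users defined"` with `when: not users`. The `failed_when: not users` is redundant with `when: not users`, since the task only runs when that condition already holds. The guard is worth keeping in either form: with `users: []` as the default, refusing to run here is what stops cleanup.yml from locking every account not in an empty list, so the header comment on line 83 should state that the role intentionally fails when `users` is empty.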
-- 
GitLab