stationgroup / ansible-experiments

⚠️ [Moved to r21.io] Ansible experimentation
https://gitlab.com/stationgroup/ansible-experiments
MIT License

🐛 Bug - OS/Distro-specific built-in users spread to different (wrong) OS #13

Closed reelsense closed 5 years ago

reelsense commented 6 years ago
  • Add/remove users, groups, and user variables like default shell.
    • With caveats for built-in AMI/vagrant users like ubuntu, vagrant, or ec2-user.

...

I always need to add the same users to my servers but I don't want to add an ubuntu user to a FreeBSD server. Nor do I want to add the default FreeBSD AMI user, "ec2-user", to an Ubuntu server. I want those default accounts to stay, but I still want to be able to update them like the other user accounts. - https://github.com/stationgroup/ansible-experiments/issues/9#issue-343283051

My ubuntu user/configs for Ubuntu on EC2 end up on my FreeBSD instances. Same with the ec2-user in the FreeBSD AMI.

I know, you're probably thinking "Oh not again, you're doing it wrong". Please advise what method I should be using if this was completed.

List of global users:
  • remember
  • direct
  • degree
  • sand
  • grief
  • jam
  • king

Exclusive users:
  • ubuntu (Ubuntu AMI)
  • ec2-user (FreeBSD AMI)
  • vagrant (FreeBSD, Ubuntu, Debian, etc)

srgvg commented 6 years ago

Can you show your inventory and how you configure for this? (/cc @vincentvdk)

reelsense commented 6 years ago
`hosts` inventory:

```ini
[ubuntu-office]
redacted

[ubuntu-ec2]
redacted

[ubuntu-lab]
lab1 ansible_host=10.0.0.43 ansible_user=ubuntu ansible_python_interpreter=/usr/bin/python3
lab2 ansible_host=10.0.0.79 ansible_user=ubuntu ansible_python_interpreter=/usr/bin/python3
bastion-lab ansible_host=10.0.0.61 ansible_user=ubuntu ansible_python_interpreter=/usr/bin/python3

[debian]
redacted

[ubuntu:vars]
ansible_python_interpreter=/usr/bin/python3

[usa:children]
ubuntu-office
ubuntu-ec2
ubuntu-vultr
ubuntu-lab
freebsd-office
freebsd-ec2
freebsd-vultr
freebsd-lab

[ubuntu:children]
usa

[freebsd:children]
usa

[freebsd-lab]
lab3 ansible_host=10.0.0.219 ansible_user=ec2-user ansible_python_interpreter=/usr/local/bin/python
lab4 ansible_host=10.0.0.162 ansible_user=ec2-user ansible_python_interpreter=/usr/local/bin/python

[freebsd-vultr]
redacted
```

`ansible.cfg`:

```ini
[ssh_connection]

[defaults]
retry_files_enabled = False
retry_files_save_path = /tmp/
inventory=./hosts
host_key_checking=false
gathering = smart
stdout_callback=unixy
#stdout_callback=debug

[privilege_escalation]
#become=True
#become_method=su
#become_user=root
#become_ask_pass=False
```

I had to add the privilege escalation in the roles to fix broken/erroring _FreeBSD_ stuff _(Ubuntu always worked fine)_.

I've copied the stuff below from the comment in the ssh_config file Issue: https://github.com/stationgroup/ansible-experiments/issues/11#issuecomment-422962420

group_vars/all:

```yaml
---
user_groups:
  - name: test
    gid: 799
    state: absent

users:
  - name: ec2-user
    state: present
    enable_sudo: true
    keys:
      - file: ec2-user
        state: present
  - name: ubuntu
    state: present
    enable_sudo: true
    keys:
      - file: ubuntu
        state: present
    # a single bash_lines list (a YAML mapping may not carry the key twice)
    bash_lines:
      - line: 'export GPG_AGENT_INFO="${HOME}/.gnupg/S.gpg-agent:0:1"'
        state: absent
      - line: 'export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent"'
        state: present
    bash_blocks:
      - content: |
          # SSH with GPG key on Yubikey
          export GPG_TTY="$(tty)"
          export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent"
        state: absent
      - content: |
          ###
          ## Filecount in a directory.
          alias filecount='find . -maxdepth 1 -type f -print | wc -l'
          ## Reload shell
          alias reload-bash_profile="source ~/.bashrc"
          ###
          ###
          # Change UP and DOWN arrows to cycle through previous entrys of the current command. Like FreeBSD.
          # From http://www.ukuug.org/events/linux2003/papers/bash_tips/
          # Incremental searching with Up and Down is configured in .inputrc
          bind '"\e[A": history-search-backward'
          bind '"\e[B": history-search-forward'
          #"\e[5~": history-search-backward
          #"\e[6~": history-search-forward
          #This allows you to continue using arrows for absolute chronological history then use PageUp and PageDn for history search.
          #You could also change it to.
          #"\e[5~": history-substring-search-backward
          #"\e[6~": history-substring-search-forward
          ###
        state: present
    ssh_config:
      - line: "ServerAliveInterval: 10"
      - line: "StreamLocalBindUnlink: yes"
```

I'm using:

```yaml
ssh_config:
  - line: "ServerAliveInterval: 10"
  - line: "StreamLocalBindUnlink: yes"
```

as per PR #12

I've made some minor changes to fix a chicken-and-egg issue with FreeBSD. But nothing that should have broken ssh_config.

roles/users/tasks/users.yml:

![whoppingdearestamazonparrot-max-14mb](https://user-images.githubusercontent.com/5644977/45781877-26240f80-bc16-11e8-8468-f9fd6ad92ab6.gif)

```yaml
---
- name: Ensure sudo is installed (Debian)
  become_method: sudo
  apt:
    name: sudo
    update_cache: yes
    cache_valid_time: "{{ apt_cache_valid | default('86400') }}"
  when: ansible_os_family == "Debian"

- name: Ensure sudo is installed (FreeBSD)
  become_method: su
  pkgng:
    name: sudo
    state: present
  when: ansible_os_family == "FreeBSD"

- name: Enable sudo for user (FreeBSD)
  become_method: su
  lineinfile:
    path: "{{ sudoers_path }}/{{ item.name }}"
    line: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
    state: present
    create: true
  when:
    - ansible_os_family == "FreeBSD"
    - item.enable_sudo is defined and item.enable_sudo == true
  with_items: "{{ users }}"

- name: Enable sudo for user (Ubuntu)
  become_method: sudo
  lineinfile:
    path: "{{ sudoers_path }}/{{ item.name }}"
    line: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
    state: present
    create: true
  when:
    - ansible_os_family == "Debian"
    - item.enable_sudo is defined and item.enable_sudo == true
  with_items: "{{ users }}"

- name: Add/Remove group
  become_method: sudo
  group:
    name: "{{ item.name }}"
    gid: "{{ item.gid | default(omit) }}"
    state: "{{ item.state | default('present') }}"
  with_items: "{{ user_groups }}"

- name: Add/Remove user
  become_method: sudo
  user:
    name: "{{ item.name }}"
    state: "{{ item.state | default('present') }}"
    password: "{{ item.password | default(omit) }}"
    groups: "{{ item.groups | default(omit) }}"
    uid: "{{ item.uid | default(omit) }}"
    shell: "{{ item.shell | default(default_shell) }}"
    remove: yes
  no_log: False
  with_items: "{{ users }}"

- name: Configure bashrc lines
  become_method: sudo
  lineinfile:
    path: "/home/{{ item.0.name }}/.bashrc"
    line: "{{ item.1.line }}"
    state: "{{ item.1.state | default('present') }}"
    backup: yes
  with_subelements:
    - "{{ users }}"
    - bash_lines
    - skip_missing: true
  when: ansible_os_family == 'Debian' and item.0.state == "present"

- name: Configure bashrc blocks
  become_method: sudo
  blockinfile:
    path: "/home/{{ item.0.name }}/.bashrc"
    content: "{{ item.1.content }}"
    marker: "# {mark} ANSIBLE managed content. Block item #{{ listitem }}"
    state: "{{ item.1.state | default('present') }}"
    backup: yes
  with_subelements:
    - "{{ users }}"
    - bash_blocks
    - skip_missing: true
  when: ansible_os_family == 'Debian' and item.0.state == "present"
  loop_control:
    index_var: listitem

- name: Configure cshrc lines
  become_method: su
  lineinfile:
    path: "/home/{{ item.0.name }}/.cshrc"
    line: "{{ item.1.line }}"
    state: "{{ item.1.state | default('present') }}"
    backup: yes
  with_subelements:
    - "{{ users }}"
    - csh_lines
    - skip_missing: true
  when: ansible_os_family == 'FreeBSD' and item.0.state == "present"

- name: Configure cshrc blocks
  become_method: su
  blockinfile:
    path: "/home/{{ item.0.name }}/.cshrc"
    content: "{{ item.1.content }}"
    marker: "# {mark} ANSIBLE managed content. Block item #{{ listitem }}"
    state: "{{ item.1.state | default('present') }}"
    backup: yes
  with_subelements:
    - "{{ users }}"
    - csh_blocks
    - skip_missing: true
  when: ansible_os_family == 'FreeBSD' and item.0.state == "present"
  loop_control:
    index_var: listitem

- name: Disable sudo for user
  become: true
  file:
    path: "{{ sudoers_path }}/{{ item.name }}"
    state: absent
  when: item.enable_sudo is defined and item.enable_sudo == false
  with_items: "{{ users }}"

- name: Include sudoers.d
  become: true
  lineinfile:
    dest: "{{ sudo_config_path }}"
    state: present
    regexp: '^\#includedir {{ sudoers_path }}'
    line: '#includedir {{ sudoers_path }}'
    validate: 'visudo -cf %s'
```
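One way to keep the built-in accounts on the OS they belong to, as an added example rather than the project's own code: the inventory above makes `usa` a child of both `ubuntu` and `freebsd`, so `group_vars` for those groups would land on every host, whereas the gathered `ansible_os_family` fact is per host (Ubuntu reports `Debian`, as the role's own `when` clauses already rely on). The `os_family` key on each user entry is an assumption introduced here; untagged users stay global.

```yaml
# group_vars/all.yml (constructed example): one users list; built-in cloud
# accounts carry an os_family tag so they are only managed where they exist.
---
users:
  - name: remember               # global: managed on every host
    state: present
  - name: ubuntu                 # Ubuntu AMI default account
    os_family: Debian            # Ubuntu hosts gather ansible_os_family == "Debian"
    state: present
    enable_sudo: true
    keys:
      - file: ubuntu
        state: present
  - name: ec2-user               # FreeBSD AMI default account
    os_family: FreeBSD
    state: present
    enable_sudo: true
    keys:
      - file: ec2-user
        state: present
  - name: vagrant                # exists in every image named above, so untagged
    state: present

# roles/users/tasks/users.yml: the same guard goes on every task that loops
# over users; with_subelements tasks test item.0 instead of item.
---
- name: Add/Remove user
  become: true
  user:
    name: "{{ item.name }}"
    state: "{{ item.state | default('present') }}"
    remove: yes
  with_items: "{{ users }}"
  when: item.os_family is not defined or item.os_family == ansible_os_family

- name: Configure bashrc lines
  become: true
  lineinfile:
    path: "/home/{{ item.0.name }}/.bashrc"
    line: "{{ item.1.line }}"
    state: "{{ item.1.state | default('present') }}"
  with_subelements:
    - "{{ users }}"
    - bash_lines
    - skip_missing: true
  when:
    - ansible_os_family == "Debian"
    - item.0.state | default('present') == "present"
    - item.0.os_family is not defined or item.0.os_family == ansible_os_family
```

With this guard a tagged entry is skipped, not removed, on the other OS family, so a `state: absent` on `ubuntu` still only ever touches Debian-family hosts.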
reelsense commented 5 years ago

Resolved ✅