diff --git a/README.md b/README.md
index 189802f..415da24 100644
--- a/README.md
+++ b/README.md
@@ -38,6 +38,7 @@ The following role variables are relevant:
  * `append`: Boolean to add `sftp_group_name` to the user groups (if any) instead of setting it (default to `False`).
  * `mode`: The users home directory mode (defaults to `0750`).
  * `skeleton`: An optional home skeleton directory (e.g: /dev/null). Default to system defaults.
+ * `home`: An optional home directory (e.g: /home/bob). Default to `sftp_home_partition/name`.
  * `sftp_nologin_shell`: The "nologin" user shell. (defaults to /sbin/nologin.)
 
 Notes:
@@ -63,6 +64,7 @@ Notes:
       - name: sally
         password: ""
         authorized: [sally.pub]
+        home: /var/tmp/sally
         append: True
     - sftp_directories:
       - imports
diff --git a/run-local-tests.sh b/run-local-tests.sh
index e402cb4..ae33af9 100755
--- a/run-local-tests.sh
+++ b/run-local-tests.sh
@@ -12,8 +12,8 @@ run_test() {
   docker exec --tty "$(cat ${container_id})" env TERM=xterm grep "user1" /etc/shadow && (echo 'User created' && exit 0) || (echo 'User not created' && exit 1)
   docker exec --tty "$(cat ${container_id})" env TERM=xterm test -d /home/user1/test1 && (echo 'Directory created' && exit 0) || (echo 'Directory not created' && exit 1)
   docker exec --tty "$(cat ${container_id})" env TERM=xterm grep "foobar" /etc/group && (echo 'Group created' && exit 0) || (echo 'Group not created' && exit 1)
-  docker exec --tty "$(cat ${container_id})" env TERM=xterm stat -c '%G' /home/user2
-  docker exec --tty "$(cat ${container_id})" env TERM=xterm '[ $(stat --format '%G' /home/user2) = "foobar" ]' && (echo 'Good directory ownership' && exit 0) || (echo 'Wrong directory ownership' && exit 1)
+  docker exec --tty "$(cat ${container_id})" env TERM=xterm stat -c '%G' /var/tmp/user2
+  docker exec --tty "$(cat ${container_id})" env TERM=xterm '[ $(stat --format '%G' /var/tmp/user2) = "foobar" ]' && (echo 'Good directory ownership' && exit 0) || (echo 'Wrong directory ownership' && exit 1)
   docker exec --tty "$(cat ${container_id})" env TERM=xterm '[ $(stat --format '%G' /home/user1) = "sftpusers" ]' && (echo 'Good directory ownership' && exit 0) || (echo 'Wrong directory ownership' && exit 1)
   docker exec --tty "$(cat ${container_id})" env TERM=xterm test -d /home/user1/test3 && (echo 'User Directory created' && exit 0) || (echo 'User Directory not created' && exit 1)
   docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/role_under_test/tests/test.yml | grep -q 'changed=0.*failed=0' && (echo 'Idempotence test: pass' && exit 0) || (echo 'Idempotence test: fail' && exit 1)
diff --git a/tasks/main.yml b/tasks/main.yml
index f76a61a..f33d02c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
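Review bot: The second `+` line still hands the whole `[ $(stat --format %G /var/tmp/user2) = "foobar" ]` expression to `env` as one argv word (the inner `'%G'` only closes and reopens the outer single quotes), and `docker exec` runs it without a shell, so `env` looks for an executable of that name instead of evaluating the test and the line reports 'Wrong directory ownership' whatever the group is. Running the test through a shell fixes it: `docker exec --tty "$(cat ${container_id})" env TERM=xterm sh -c '[ "$(stat -c %G /var/tmp/user2)" = foobar ]' && (echo 'Good directory ownership' && exit 0) || (echo 'Wrong directory ownership' && exit 1)`; the /home/user1 context line below has the same shape. Note also that each `exit 1` runs inside a `( … )` subshell, so a failed check does not fail run_test, whose body continues outside the hunk. Since a chrooted SFTP home must be root-owned and not group-writable, asserting `stat -c '%U %a'` as well as `%G` would catch the regressions that matter here.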
@@ -1,4 +1,12 @@
 ---
+- name: "Compute SFTP users."
+  set_fact:
+    _sftp_users: >-
+      [{% for sftp_user in sftp_users -%}
+      {{ sftp_user | combine({'home': sftp_user.home | default(sftp_home_partition + '/' + sftp_user.name) }) }}
+      {{ '' if loop.last else ',' }}
+      {%- endfor %}]
+
 # Creates group for SFTP users.
 - name: SFTP-Server | Create sftp user group
   group:
@@ -47,7 +55,7 @@
   group:
     name: "{{ item }}"
     state: present
-  with_items: "{{ sftp_users | selectattr('group', 'defined') | map(attribute='group') | list }}"
+  with_items: "{{ _sftp_users | selectattr('group', 'defined') | map(attribute='group') | list }}"
 
 # Create each SFTP user with home directory on the correct partition, and add to SFTP group.
 - name: SFTP-Server | Create sftp users
@@ -56,21 +64,21 @@
     group: "{{ item.group | default(omit) }}"
     groups: "{{ sftp_group_name }}"
     append: "{{ item.append | default(False) }}"
-    home: "{{ sftp_home_partition }}/{{ item.name }}"
+    home: "{{ item.home }}"
     # `None` means default value -> default is to have a shell
     shell: "{{ None if (item.shell | default(True)) else sftp_nologin_shell }}"
     skeleton: "{{ item.skeleton | default(omit) }}"
     state: present
-  with_items: "{{ sftp_users }}"
+  with_items: "{{ _sftp_users }}"
 
 # A working chrooted SFTP setup requires root:sftgroup ownership of a user's home directory.
 - name: SFTP-Server | Correct ownership and permission of home directories
   file:
-    path: "{{ sftp_home_partition }}/{{ item.name }}"
+    path: "{{ item.home }}"
     owner: root
     group: "{{ item.group | default(sftp_group_name) }}"
     mode: "{{ item.mode | default(0750) }}"
-  with_items: "{{ sftp_users }}"
+  with_items: "{{ _sftp_users }}"
 
 # Install all relevant public keys.
 - name: SFTP-Server | Install public keys
@@ -78,7 +86,7 @@
     user: "{{ item.0.name }}"
     key: "{{ lookup('file', item.1) }}"
   with_subelements:
-    - "{{ sftp_users }}"
+    - "{{ _sftp_users }}"
     - authorized
     - flags:
       skip_missing: True
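Review bot: `_sftp_users` on the added lines is assembled as text: each `{{ sftp_user | combine(...) }}` renders the user mapping as its Python repr inside a folded string, and the result is a list only because Ansible re-parses that string afterwards, so any value containing a quote (a password or path with `'`) or a value that reads back as a number or boolean is corrupted or changes type before the later `user` and `file` tasks see it. Building the fact as a real list with a looped `set_fact` keeps every original value intact, and seeding `_sftp_users: []` first keeps an empty `sftp_users` from leaving the fact undefined for the later `with_items` loops. The rewritten task is below; everything after the `---` line is unchanged.
```yaml
---
- name: "Compute SFTP users."
  set_fact:
    _sftp_users: []

- name: "Compute SFTP users (apply home default)."
  set_fact:
    _sftp_users: "{{ _sftp_users + [item | combine({'home': item.home | default(sftp_home_partition + '/' + item.name)})] }}"
  with_items: "{{ sftp_users }}"

# … unchanged: group creation and the rest of the file …
```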
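Review bot: With `path: "{{ item.home }}"` in the 'Correct ownership and permission of home directories' task, the role now sets `owner: root` and `mode` on whatever directory the inventory names as `home`, whereas before the path was always under `sftp_home_partition`; the hunk adds no check that `home` is absolute or dedicated to that user. An `assert` task over `_sftp_users` with `that: item.home is match('^/')`, plus a README sentence stating that `home` must be a directory used only by that SFTP user because the role takes ownership of it, would make the new contract explicit. The 'Create sftp users' task header lies outside the hunk.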
@@ -88,43 +96,43 @@
   user:
     name: "{{ item.name }}"
     password: "{{ item.password }}"
-  with_items: "{{ sftp_users }}"
+  with_items: "{{ _sftp_users }}"
   when: item.password is defined
 
 # Create directories for all SFTP users. Optional, but recommended.
 - name: SFTP-Server | Create directories
   file:
-    path: "{{ sftp_home_partition }}/{{ item[0].name }}/{{ item[1].name | default(item[1]) }}"
+    path: "{{ item[0].home }}/{{ item[1].name | default(item[1]) }}"
     owner: "{{ item[0].name }}"
     group: "{{ item[0].group | default(item[0].name) }}"
     mode: "{{ item[1].mode | default(0750) }}"
     state: directory
   with_nested:
-    - "{{ sftp_users }}"
+    - "{{ _sftp_users }}"
     - "{{ sftp_directories }}"
 
 # Create directories for individual SFTP users. Optional.
 - name: SFTP-Server | Create directories per user
   file:
-    path: "{{ sftp_home_partition }}/{{ item[0].name }}/{{ item[1].name | default(item[1]) }}"
+    path: "{{ item[0].home }}/{{ item[1].name | default(item[1]) }}"
     owner: "{{ item[0].name }}"
     group: "{{ item[0].group | default(item[0].name) }}"
     mode: "{{ item[1].mode | default(0750) }}"
     state: directory
   with_subelements:
-    - "{{ sftp_users }}"
+    - "{{ _sftp_users }}"
     - "sftp_directories"
     - flags:
       skip_missing: True
 
 - name: SFTP-Server | Create dev directory for logging
   file:
-    path: "{{ sftp_home_partition }}/{{ item.name }}/dev"
+    path: "{{ item[0].home }}/dev"
     owner: root
     group: root
     state: directory
   with_items:
-    - "{{ sftp_users }}"
+    - "{{ _sftp_users }}"
   when: sftp_enable_logging
 
 - name: SFTP-Server | Enable Logging
diff --git a/tests/test.yml b/tests/test.yml
index bb23a55..d5020ae 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -13,6 +13,7 @@
       - test3
       - test4
     - name: user2
+      home: /var/tmp/user2
       group: foobar
       password: ""
       authorized: []
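Review bot: `path: "{{ item[0].home }}/dev"` in the 'Create dev directory for logging' task is wrong: that task loops `with_items` over `_sftp_users`, so `item` is the user mapping itself (the removed line used `item.name`), and `item[0]` fails with an undefined-element error for every user as soon as `sftp_enable_logging` is true. It should read `path: "{{ item.home }}/dev"`. The `item[0].home` form is right only in the two `with_nested`/`with_subelements` tasks above it, where `item` is a pair. Unless tests/test.yml sets `sftp_enable_logging`, which the hunk does not show, the local test run will not exercise this task.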