public-health-ch/ansible/roles/dev-sec.os-hardening/tasks/user_accounts.yml

---

- name: get UID_MIN from login.defs
  shell: awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs removes=/etc/login.defs
  register: uid_min
  check_mode: no
  changed_when: False

- name: calculate UID_MAX from UID_MIN by substracting 1
  set_fact: uid_max='{{ uid_min.stdout | int - 1 }}'
  when: uid_min is defined

- name: set UID_MAX on Debian-systems if no login.defs exist
  set_fact: uid_max='999'
  when: ansible_os_family == 'Debian' and not uid_min

- name: set UID_MAX on other systems if no login.defs exist
  set_fact: uid_max='499'
  when: not uid_min

- name: get all system accounts
  command: awk -F'':'' '{ if ( $3 <= {{uid_max|quote}} ) print $1}' /etc/passwd removes=/etc/passwd
  changed_when: False
  check_mode: no
  register: sys_accs

- name: remove always ignored system accounts from list
  set_fact:
    sys_accs_cond: '{{sys_accs.stdout_lines | difference(os_always_ignore_users) }}'
  check_mode: no

- name: change system accounts not on the user provided ignore-list
  user: name='{{item}}' shell='{{os_nologin_shell_path}}' password='*'
  with_items:
    - '{{sys_accs_cond | default(omit) | difference(os_ignore_users) }}'