Dotfiles + SSH Komplettumbau (#64)

* Playbook zum Aufräumen der alten dotfiles-Struktur

* Rolle mgrote.dotfiles gelöscht

* Rolle geerlingguy.dotfiles hinzugefügt und ergänzt

* Playbook 5_personalisierung mit neuer Rolle aktualisiert

* GroupVars: Variablen mit neuer Rolle aktualisiert

* Variablenname ssh_pubkey angepasst

* Rolle deploy_ssh_keys gelöscht, wird durch create_users übernommen

* Bugfix: password ssh login verbieten

* Playbook: dotfiles User korrigiert

* Inventar: richtig auskommentiert

* GroupVars Docker: Housekeeping

* Variablenname ssh_pubkey angepasst

* create_users: ansible-user angelegt

* GroupVars dotfiles angepasst für geerlingguy

* Keyfile in ansible.cfg definiert

* Rolle: nickjj.ansible-user entfernt

* gitignore aktualisiert
This commit is contained in:
Quotengrote 2020-11-05 21:52:43 +01:00 committed by GitHub
parent e7fbcdce6b
commit 4f9baa65b1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
39 changed files with 430 additions and 463 deletions

2
.gitignore vendored

@ -1,4 +1,6 @@
.git/
vault-pass.yml
keepass_db.kdbx
id_rsa_ansible_user
id_rsa_ansible_user_pub
# https://www.atlassian.com/git/tutorials/saving-changes/gitignore
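Review bot: Ignoring `id_rsa_ansible_user` only keeps an untracked key out of future commits; if the file was ever staged before this change it is still in history, so confirm with `git log --all -- id_rsa_ansible_user` and rotate the key if it turns up. The group_vars hunk in this commit points `ansible_ssh_private_key_file` at `/home/mg/ansible/id_rsa_ansible_user`, which looks like the checkout directory itself; keeping the key under `~/.ssh/` with mode 0600 and referencing it from there removes the dependency on .gitignore being right. A single pattern `id_rsa_ansible_user*` would also cover the public half and any `.pub` variant ssh-keygen writes.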


@ -19,15 +19,6 @@
tmux_conf_destination: "/home/mg/.tmux.conf"
tmux_bashrc_destination: "/home/mg/.bashrc"
tmux_standardsession_name: "default"
### mgrote.dotfiles
dotfiles_local_repo_directory: "/home/mg/dotfiles-repo"
dotfiles_user: mg
dotfiles_link_target: "/home/mg"
dotfiles_remote_repo: "https://github.com/quotengrote/dotfiles"
dotfiles_files_to_copy:
- .tmux.conf
- .bash_aliases
- .gitconfig
### mgrote.fail2ban
f2b_bantime: 300
f2b_findtime: 300
@ -43,17 +34,39 @@
- username: mg
password: "{{ lookup('keepass', 'linux_mg_user_password', 'password') }}"
update_password: on_create
ssh_key: "{{ lookup('keepass', 'ssh_pubkey', 'password') }}"
ssh_key: "{{ lookup('keepass', 'ssh_pubkey_mg', 'password') }}"
use_sudo: yes
use_sudo_nopass: yes
user_state: present
groups: ssh
groups: ssh, sudo
servers:
- production
- staging
- test
- virt
- username: ansible-user
password: "{{ lookup('keepass', 'linux_mg_user_password', 'password') }}"
update_password: on_create
ssh_key: "{{ lookup('keepass', 'ssh_pubkey_ansible-user', 'password') }}"
use_sudo: yes
use_sudo_nopass: yes
user_state: present
groups: ssh, ansible, sudo
servers:
- production
- staging
- test
- virt
### geerlingguy.dotfiles
dotfiles_repo: "https://github.com/quotengrote/dotfiles.git"
dotfiles_repo_local_destination: "/home/mg/dotfiles-repo"
dotfiles_home: "/home/mg"
dotfiles_user: "mg"
dotfiles_repo_accept_hostkey: true
dotfiles_files:
- .bash_aliases
- .tmux.conf
- .gitconfig
# Ansible Variablen
@ -64,7 +77,7 @@
### python3
# https://docs.ansible.com/ansible/latest/reference_appendices/python_3_support.html
ansible_python_interpreter: "/usr/bin/python3"
ansible_ssh_private_key_file: /home/mg/ansible/id_rsa_ansible_user
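Review bot: The new `ansible-user` entry takes its password from the same KeePass record as `mg` (`linux_mg_user_password`), so two accounts with `use_sudo_nopass: yes` now share one credential and rotating it for one silently changes the other. This account only needs to authenticate by key (`ssh_pubkey_ansible-user`) and the sshd hunk disables password login, so give it its own record, `password: "{{ lookup('keepass', 'linux_ansible-user_password', 'password') }}"`, or a locked password if ryandaniels.create_users accepts one, and document in a comment that it is an automation-only account. `dotfiles_repo_accept_hostkey: true` does nothing for an https remote, and as vendored in this commit the role's git task does not pass the variable through anyway, so the line can be dropped.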
# Ansible Plugin Variablen
### Keepass


@ -12,8 +12,6 @@
# comment: 'rssbridge'
- rule: allow
comment: 'alles erlauben'
### mgrote.create_users
create_user_groups: 'sudo, ssh, docker'
### geerlingguy.docker
docker_users:
- mg


@ -1,13 +1,14 @@
---
### mgrote.dotfiles
dotfiles_local_repo_directory: "/root/dotfiles-repo"
dotfiles_user: "root"
dotfiles_link_target: "/root"
dotfiles_remote_repo: "https://github.com/quotengrote/dotfiles"
dotfiles_files_to_copy:
- .tmux.conf
### geerlingguy.dotfiles
dotfiles_repo: "https://github.com/quotengrote/dotfiles.git"
dotfiles_repo_local_destination: "/home/mg/dotfiles-repo"
dotfiles_home: "/home/mg"
dotfiles_user: "mg"
dotfiles_repo_accept_hostkey: true
dotfiles_files:
- .bash_aliases
- .tmux.conf
- .gitconfig
### mgrote.sanoid
sanoid_snapshot_keep_hourly: '24'
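Review bot: The replacement block retargets dotfiles for this group from root (`/root`, `.tmux.conf` only) to `mg`, with values that appear identical to the all-group block in this commit, so it is now either dead configuration or an unintended change of which account receives the files. If root was the intent, keep `dotfiles_user: "root"`, `dotfiles_home: "/root"` and `dotfiles_repo_local_destination: "/root/dotfiles-repo"`; if not, delete the block and let the all-group values apply. Either way the old `/root/dotfiles-repo` checkout and `/root/.tmux.conf` symlink on these hosts are not removed by the new cleanup playbook, which only touches `/home/mg`.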


@ -27,6 +27,6 @@ all:
hosts:
vm-test.grote.lan:
lxc-test.grote.lan:
baseimage:
hosts:
# vorlagebaseimage.grote.lan:
# baseimage:
# hosts:
# vorlagebaseimage.grote.lan:


@ -6,21 +6,17 @@
roles:
- { role: robertdebock.bootstrap, tags: "bootstrap" }
- { role: nickjj.ansible-user, tags: "ansible-user" }
- { role: ryandaniels.create_users, tags: "user", become: yes }
vars:
### reobertdebock.bootstrap
bootstrap_user: mg
bootstrap_wait_for_host: no
bootstrap_timeout: 1
bootstrap_retries: 1
### fuer rolle nickjj.ansible-user
user_name: "ansible-user"
user_generate_ssh_key: true
user_local_ssh_key_path: "~/.ssh/id_rsa.pub"
user_enable_passwordless_sudo: True
### ansible
ansible_user: "mg"
ansible_password: "hallowelt"
ansible_become_password: "hallowelt"
ansible_ssh_common_args: "'-o StrictHostKeyChecking=no'"
# Nach dem ersten durchlaufen ist keine Anmeldung mehr per Passwort & ssh möglich. Somit scheitert auch der Versuch das Playbook ein zweites mal durchlaufen zu lassen.
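Review bot: `ansible_password` and `ansible_become_password` are committed as the plaintext `"hallowelt"`, and `StrictHostKeyChecking=no` turns off host-key verification for exactly the run in which that password is sent over the wire. This is pre-existing rather than introduced here, but since the commit already moves user passwords into KeePass, the bootstrap credential can use the same lookup if the base-image password is kept there — `ansible_password: "{{ lookup('keepass', 'linux_mg_user_password', 'password') }}"` and likewise for `ansible_become_password` — and host-key checking can be relaxed to `-o StrictHostKeyChecking=accept-new` (OpenSSH 7.6+), which still pins the key on first contact. The inner single quotes in `"'-o StrictHostKeyChecking=no'"` look unnecessary; `ansible_ssh_common_args: "-o StrictHostKeyChecking=accept-new"` is the usual form. With nickjj.ansible-user gone, the trailing comment could also state that every later play must run as `ansible_user: ansible-user` with the key from group_vars, since that handover is now implicit.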


@ -5,4 +5,7 @@
- { role: mgrote.tmux,
tags: "tmux",
when: "not 'virt' in group_names" }
- { role: mgrote.dotfiles, tags: "dotfiles" }
- { role: geerlingguy.dotfiles,
become_user: "{{ dotfiles_user }}" ,
become: true,
tags: "dotfiles" }
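Review bot: The role runs with `dotfiles_repo_version` at its default `master`, so every play re-clones the branch tip of a public GitHub repository and symlinks its `.bash_aliases` and `.gitconfig` into the home of a user with passwordless sudo — whoever can push to that branch, or takes over the GitHub account, gets shell execution on every managed host at the next run. Pin the checkout in group_vars, `dotfiles_repo_version: "<commit sha>"`, and bump it deliberately; a tag is more readable but only a SHA is immutable. `become: true` with `become_user: "{{ dotfiles_user }}"` is the right shape so the clone and links are owned by that user rather than root; the stray space before the comma after the `become_user` value is a style nit.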


@ -0,0 +1,24 @@
---
- hosts: all
become: yes
tasks:
- name: delete /home/mg/dotfiles-repo
become: yes
file:
path: /home/mg/dotfiles-repo
state: absent
- name: delete /home/mg/.bash_aliases
become: yes
file:
path: /home/mg/.bash_aliases
state: absent
- name: delete /home/mg/.tmux.conf
become: yes
file:
path: /home/mg/.tmux.conf
state: absent
- name: delete /home/mg/.gitconfig
become: yes
file:
path: /home/mg/.gitconfig
state: absent
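Review bot: The `state: absent` tasks delete `/home/mg/.bash_aliases`, `.tmux.conf` and `.gitconfig` whether or not they are the symlinks the old role created, so on any host where `mg` kept a real file under one of those names it is removed with no backup, and the hosts previously configured for root (`/root/dotfiles-repo` and `/root/.tmux.conf` in the removed group_vars) are not cleaned at all. A `stat` pass that removes only symlinks, looping over both homes, keeps the play safe to run with `--check` first and idempotent afterwards; the per-task `become: yes` is redundant under the play-level `become`.

```yaml
- hosts: all
  become: true
  vars:
    cleanup_homes:
      - /home/mg
      - /root
    cleanup_files:
      - .bash_aliases
      - .tmux.conf
      - .gitconfig
  tasks:
    - name: Remove old dotfiles repo checkouts
      file:
        path: "{{ item }}/dotfiles-repo"
        state: absent
      loop: "{{ cleanup_homes }}"
    - name: Inspect old dotfile targets
      stat:
        path: "{{ item.0 }}/{{ item.1 }}"
      register: old_dotfiles
      loop: "{{ cleanup_homes | product(cleanup_files) | list }}"
    - name: Remove only the symlinks left behind by mgrote.dotfiles
      file:
        path: "{{ item.stat.path }}"
        state: absent
      when: item.stat.exists and item.stat.islnk
      loop: "{{ old_dotfiles.results }}"
```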


@ -0,0 +1,2 @@
skip_list:
- '106'


@ -0,0 +1,4 @@
# These are supported funding model platforms
---
github: geerlingguy
patreon: geerlingguy


@ -0,0 +1,56 @@
# Configuration for probot-stale - https://github.com/probot/stale
# Number of days of inactivity before an Issue or Pull Request becomes stale
daysUntilStale: 90
# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
daysUntilClose: 30
# Only issues or pull requests with all of these labels are check if stale. Defaults to `[]` (disabled)
onlyLabels: []
# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
exemptLabels:
- pinned
- security
- planned
# Set to true to ignore issues in a project (defaults to false)
exemptProjects: false
# Set to true to ignore issues in a milestone (defaults to false)
exemptMilestones: false
# Set to true to ignore issues with an assignee (defaults to false)
exemptAssignees: false
# Label to use when marking as stale
staleLabel: stale
# Limit the number of actions per hour, from 1-30. Default is 30
limitPerRun: 30
pulls:
markComment: |-
This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution!
Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark pull requests as stale.
unmarkComment: >-
This pull request is no longer marked for closure.
closeComment: >-
This pull request has been closed due to inactivity. If you feel this is in error, please reopen the pull request or file a new PR with the relevant details.
issues:
markComment: |-
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
unmarkComment: >-
This issue is no longer marked for closure.
closeComment: >-
This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.


@ -0,0 +1,67 @@
---
name: CI
'on':
pull_request:
push:
branches:
- master
schedule:
- cron: "0 5 * * 1"
defaults:
run:
working-directory: 'geerlingguy.dotfiles'
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
with:
path: 'geerlingguy.dotfiles'
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install test dependencies.
run: pip3 install yamllint ansible-lint
- name: Lint code.
run: |
yamllint .
ansible-lint
molecule:
name: Molecule
runs-on: ubuntu-latest
strategy:
matrix:
distro:
- centos7
- ubuntu1804
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
with:
path: 'geerlingguy.dotfiles'
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install test dependencies.
run: pip3 install ansible molecule[docker] docker
- name: Run Molecule tests.
run: molecule test
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
MOLECULE_DISTRO: ${{ matrix.distro }}


@ -0,0 +1,38 @@
---
# This workflow requires a GALAXY_API_KEY secret present in the GitHub
# repository or organization.
#
# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
# See: https://github.com/ansible/galaxy/issues/46
name: Release
'on':
push:
tags:
- '*'
defaults:
run:
working-directory: 'geerlingguy.dotfiles'
jobs:
release:
name: Release
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
with:
path: 'geerlingguy.dotfiles'
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install Ansible.
run: pip3 install ansible-base
- name: Trigger a new import on Galaxy.
run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)

3
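--- a/roles/geerlingguy.dotfiles/.gitignore
+++ b/roles/geerlingguy.dotfiles/.gitignore
@@ -0,0 +1,3 @@
+*.retry
+*/__pycache__
+*.pyc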


@ -0,0 +1,11 @@
---
extends: default
rules:
line-length:
max: 120
level: warning
ignore: |
.github/stale.yml
.travis.yml


@ -0,0 +1,20 @@
The MIT License (MIT)
Copyright (c) 2017 Jeff Geerling
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


@ -0,0 +1,56 @@
# Ansible Role: Dotfiles
[![CI](https://github.com/geerlingguy/ansible-role-dotfiles/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-dotfiles/actions?query=workflow%3ACI)
Installs a set of dotfiles from a given Git repository. By default, it will install my (geerlingguy's) [dotfiles](https://github.com/geerlingguy/dotfiles), but you can use any set of dotfiles you'd like, as long as they follow a conventional format.
## Requirements
Requires `git` on the managed machine (you can easily install it with `geerlingguy.git` if required).
## Role Variables
Available variables are listed below, along with default values (see `defaults/main.yml`):
dotfiles_repo: "https://github.com/geerlingguy/dotfiles.git"
dotfiles_repo_version: master
The git repository and branch/tag/commit hash to use for retrieving dotfiles. Dotfiles should generally be laid out within the root directory of the repository.
dotfiles_repo_accept_hostkey: false
Add the hostkey for the repo url if not already added. If ssh_opts contains "-o StrictHostKeyChecking=no", this parameter is ignored.
dotfiles_repo_local_destination: "~/Documents/dotfiles"
The local path where the `dotfiles_repo` will be cloned.
dotfiles_home: "~"
The home directory where dotfiles will be linked. Generally, the default should work, but in some circumstances, or when running the role as sudo on behalf of another user, you may want to specify the full path.
dotfiles_files:
- .zshrc
- .gitignore
- .inputrc
- .vimrc
Which files from the dotfiles repository should be linked to the `dotfiles_home`.
## Dependencies
None
## Example Playbook
- hosts: localhost
roles:
- { role: geerlingguy.dotfiles }
## License
MIT / BSD
## Author Information
This role was created in 2015 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).


@ -0,0 +1,12 @@
---
dotfiles_repo: "https://github.com/geerlingguy/dotfiles.git"
dotfiles_repo_version: master
dotfiles_repo_accept_hostkey: false
dotfiles_repo_local_destination: "~/Documents/dotfiles"
dotfiles_home: "~"
dotfiles_files:
- .zshrc
- .gitignore
- .inputrc
- .vimrc


@ -0,0 +1,28 @@
---
dependencies: []
galaxy_info:
role_name: dotfiles
author: geerlingguy
description: Dotfile installation for UNIX/Linux.
company: "Midwestern Mac, LLC"
license: "license (BSD, MIT)"
min_ansible_version: 2.2
platforms:
- name: GenericUNIX
versions:
- all
- any
- name: GenericBSD
versions:
- all
- any
- name: GenericLinux
versions:
- all
- any
galaxy_tags:
- development
- system
- dotfiles
- configuration


@ -0,0 +1,13 @@
---
- name: Converge
hosts: all
become: true
pre_tasks:
- name: Update apt cache.
apt: update_cache=yes cache_valid_time=600
when: ansible_os_family == 'Debian'
roles:
- role: geerlingguy.git
- role: geerlingguy.dotfiles


@ -0,0 +1,17 @@
---
dependency:
name: galaxy
driver:
name: docker
platforms:
- name: instance
image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-""}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
provisioner:
name: ansible
playbooks:
converge: ${MOLECULE_PLAYBOOK:-converge.yml}


@ -0,0 +1,2 @@
---
- src: geerlingguy.git


@ -0,0 +1,30 @@
---
- name: Ensure dotfiles repository is cloned locally.
git:
repo: "{{ dotfiles_repo }}"
dest: "{{ dotfiles_repo_local_destination }}"
version: "{{ dotfiles_repo_version }}"
depth: 1
- name: Ensure all configured dotfiles are links.
command: "ls -F {{ dotfiles_home }}/{{ item }}"
register: existing_dotfile_info
failed_when: false
check_mode: false
changed_when: false
with_items: "{{ dotfiles_files }}"
- name: Remove existing dotfiles file if a replacement is being linked.
file:
path: "{{ dotfiles_home }}/{{ dotfiles_files[item.0] }}"
state: absent
when: "'@' not in item.1.stdout"
with_indexed_items: "{{ existing_dotfile_info.results }}"
- name: Link dotfiles into home folder.
file:
src: "{{ dotfiles_repo_local_destination }}/{{ item }}"
dest: "{{ dotfiles_home }}/{{ item }}"
state: link
mode: 0644
with_items: "{{ dotfiles_files }}"


@ -6,5 +6,5 @@
regexp: '#PasswordAuthentication yes'
line: 'PasswordAuthentication no'
state: present
backrefs: yes
# backrefs: yes
notify: restart_sshd
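Review bot: Dropping `backrefs` fixes the case where the commented default line is absent, but `regexp: '#PasswordAuthentication yes'` still matches only the commented-out line: a host whose sshd_config already carries an explicit `PasswordAuthentication yes` is left untouched, and the `PasswordAuthentication no` appended at the end loses because sshd honours the first occurrence of a directive. Use `regexp: '^#?PasswordAuthentication\s'` so any existing directive is rewritten, and add `validate: '/usr/sbin/sshd -t -f %s'` so a malformed edit never reaches the restart handler. On Ubuntu 20.04+ also check `/etc/ssh/sshd_config.d/*.conf`, which is included ahead of the main-file directives and therefore takes precedence over this line. The commented `# backrefs: yes` should be deleted rather than kept as dead configuration; the task's name and module line begin outside the hunk.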


@ -1,15 +0,0 @@
## mgrote.deploy_ssh_keys
### Beschreibung
Deployed einen ssh key in die authorized_keys.
Erlaubt dem Nutzer passwortloses "sudo"
### Funktioniert auf
- [x] Ubuntu (>=18.04)
- [ ] ProxMox 6.1
### Variablen + Defaults
##### Nutzer
ssh_user: mg
##### Key
ssh_pubkey: ssh-rsa AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAuBZc+/pULaZefCgjKGL1zXIFFlw== mg@irantu


@ -1,3 +0,0 @@
---
ssh_user: mg
ssh_pubkey: ssh-rsa AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAuBZc+/pULaZefCgjKGL1zXIFFlw== mg@irantu


@ -1,22 +0,0 @@
---
- name: create .ssh directory
become: yes
file:
path: "/home/{{ ssh_user }}/.ssh"
state: directory
- name: touch file
become: yes
file:
path: "/home/{{ ssh_user }}/.ssh/authorized_keys"
state: touch
modification_time: preserve
access_time: preserve
- name: put pubkey
become: yes
lineinfile:
path: "/home/{{ ssh_user }}/.ssh/authorized_keys"
line: "{{ ssh_pubkey }}"
state: present
backup: yes


@ -1,22 +0,0 @@
## mgrote.dotfiles
### Beschreibung
Klont ein git-repo, und symlinked die darin enthaltenen Dateien in ein Verzeichnis.
### Funktioniert auf
- [ ] Ubuntu (>=18.04)
- [ ] ProxMox 6.1
### Variablen + Defaults
##### Remote Repository
dotfiles_remote_repo: "https://github.com/quotengrote/dotfiles"
##### User
dotfiles_user: "mg"
##### Where to Link
dotfiles_link_target: "/home/mg"
##### Local Repo
dotfiles_local_repo_directory: "/home/mg/dotfiles-repo"
##### Which files should be linked
dotfiles_files_to_copy:
- .tmux.conf
- .bash_aliases


@ -1,8 +0,0 @@
---
dotfiles_local_repo_directory: "/home/mg/dotfiles-repo"
dotfiles_user: "mg"
dotfiles_link_target: "/home/mg"
dotfiles_remote_repo: "https://github.com/quotengrote/dotfiles"
dotfiles_files_to_copy:
- .tmux.conf
- .bash_aliases


@ -1,34 +0,0 @@
- name: create repo-directory
become: true
file:
path: "{{ dotfiles_local_repo_directory }}"
state: directory
owner: "{{ dotfiles_user }}"
group: "{{ dotfiles_user }}"
recurse: yes
mode: 0644
# noqa [401]
- name: clone repository
become: true
git:
repo: "{{ dotfiles_remote_repo }}"
dest: "{{ dotfiles_local_repo_directory }}"
clone: yes
force: yes
depth: 1
version: HEAD
tags:
- skip_ansible_lint
- name: create symlinks for files from repo
become: true
file:
src: "{{ dotfiles_local_repo_directory }}/{{ item }}"
dest: "{{ dotfiles_link_target }}/{{ item }}"
owner: "{{ dotfiles_user }}"
group: "{{ dotfiles_user }}"
mode: 0644
state: link
force: yes
with_items: "{{ dotfiles_files_to_copy }}"


@ -1,8 +0,0 @@
.DS_Store
*/**.DS_Store
._*
.*.sw*
*~
.idea/
.vscode/
*.retry


@ -1,17 +0,0 @@
---
services: "docker"
env:
- distro: "ubuntu1604"
- distro: "ubuntu1804"
- distro: "debian8"
- distro: "debian9"
script:
# Download test shim.
- wget -O ${PWD}/tests/test.sh https://gist.githubusercontent.com/nickjj/d12353b5b601e33cd62fda111359957a/raw
- chmod +x ${PWD}/tests/test.sh
# Run tests.
- ${PWD}/tests/test.sh


@ -1,50 +0,0 @@
# Changelog
### v0.4.0
*Released: January 25th 2018*
- Rename `user_authorized_keys_path` to `user_local_ssh_key_path`
- Add proper tests and support for Ubuntu 16, Debian Stretch and Debian Jessie
- Update format and style consistencies
### v0.3.3
*Released: October 27th 2016*
- Add ability to generate an SSH key pair (disabled by default)
### v0.3.1
*Released: October 9th 2016*
- Append groups to users
- Test against Ubuntu 16.04 LTS and Debian Jessie on Travis-CI
### v0.3.0
*Released: October 7th 2016*
- Add ability to create/assign groups
- Add ability to set a different shell
- Add ability to toggle copying an SSH key
- Add ability to toggle passwordless sudo
- Use the updated YAML syntax for tasks
### v0.2.1
*Released: October 6th 2016*
- Fix Travis-CI tests
### v0.2.0
*Released: October 6th 2016*
- Update role for Ansible 2.1
### v0.1.0
*Released: May 4th 2014*
- Initial release


@ -1,22 +0,0 @@
The MIT License (MIT)
Copyright (c) 2014 Nick Janetakis nick.janetakis@gmail.com
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
'Software'), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


@ -1,97 +0,0 @@
## What is ansible-user? [![Build Status](https://secure.travis-ci.org/nickjj/ansible-user.png)](http://travis-ci.org/nickjj/ansible-user)
It is an [Ansible](http://www.ansible.com/home) role to:
- Create user groups
- Create a single user, add it to any groups you created and configure its shell
- Set your public SSH key as an authorized key so you can login without a password
- Enable passwordless sudo
## Why would you want to use this role?
When you spin up a new server, you'll often want to set up a non-root user that
you can login as and run your applications under. That's because running your
applications as root is a questionable idea from a security point of view.
This role sets you up to do that, but it also includes a few other user related
tasks, such as what's listed in the above bullets. Having all of these things
together in 1 role means less work for you to do!
## Supported platforms
- Ubuntu 16.04 LTS (Xenial)
- Ubuntu 18.04 LTS (Bionic)
- Debian 8 (Jessie)
- Debian 9 (Stretch)
## Role variables
```
# Optionally create additional user groupss. If empty, the user you create will
# automatically be a part of their user's group, ie. deploy:deploy.
user_groups: []
# The user you want to create.
user_name: "deploy"
# Which shell should you default to? Typically "bash" or "sh".
user_shell: "/bin/bash"
# Do you want to create an SSH keypair for this user? You probably don't for a
# regular user that you plan to login as which is why it's disabled by default.
user_generate_ssh_key: False
# When set, this will copy your local SSH public key from this path to your
# user's authorized keys on your server.
#
# If you don't want this behavior then use an empty string as the value but keep
# in mind this role does not set a default password for the user you create, so
# you will be locked out if you don't supply your public SSH key.
user_local_ssh_key_path: "~/.ssh/id_rsa.pub"
# Do you want to enable running root commands without needing a password?
user_enable_passwordless_sudo: True
```
## Example usage
For the sake of this example let's assume you have a group called **app** and
you have a typical `site.yml` playbook.
To use this role edit your `site.yml` file to look something like this:
```
---
- name: "Configure app server(s)"
hosts: "app"
become: True
roles:
- { role: "nickjj.user", tags: "user" }
```
Let's say you want to edit the user name, you can do this by opening or
creating `group_vars/app.yml` which is located relative to your `inventory`
directory and then make it look something like this:
```
---
user_name: "thor"
```
Now you would run `ansible-playbook -i inventory/hosts site.yml -t user`.
## Installation
`$ ansible-galaxy install nickjj.user`
### Ansible Galaxy
You can find it on the official
[Ansible Galaxy](https://galaxy.ansible.com/nickjj/user) if you want to rate it.
## License
MIT


@ -1,10 +0,0 @@
---
user_groups: []
user_name: "deploy"
user_shell: "/bin/bash"
user_generate_ssh_key: False
user_local_ssh_key_path: "~/.ssh/id_rsa.pub"
user_enable_passwordless_sudo: True


@ -1,25 +0,0 @@
---
galaxy_info:
author: "Nick Janetakis"
description: "Create and configure a user for SSH key based logins and passwordless sudo."
company:
license: "MIT"
min_ansible_version: "2.5"
platforms:
- name: "Ubuntu"
versions:
- "xenial"
- "bionic"
- name: "Debian"
versions:
- "jessie"
- "stretch"
galaxy_tags:
- "groups"
- "system"
- "users"
dependencies: []


@ -1,47 +0,0 @@
---
- name: "Create user group(s)"
group:
name: "{{ item }}"
loop: "{{ user_groups }}"
when: user_groups
- name: "Create user"
user:
name: "{{ user_name }}"
groups: "{{ (user_groups | join(',')) }}"
generate_ssh_key: "{{ user_generate_ssh_key }}"
shell: "{{ user_shell }}"
- name: "Set authorized_key to allow SSH key based logins"
authorized_key:
user: "{{ user_name }}"
key: "{{ lookup('file', user_local_ssh_key_path) }}"
when: user_local_ssh_key_path | default(False)
- name: "Enable including files from sudoers.d/"
lineinfile:
path: "/etc/sudoers"
regexp: "^#includedir /etc/sudoers.d"
line: "#includedir /etc/sudoers.d"
state: "present"
backup: True
when: user_enable_passwordless_sudo
- name: Disable sudoers.d
lineinfile:
path: "/etc/sudoers"
regexp: "^#includedir /etc/sudoers.d"
line: "#includedir /etc/sudoers.d"
state: "absent"
backup: True
when: user_enable_passwordless_sudo == False
- name: "Enable passwordless sudo"
copy:
content: "%{{ user_name }} ALL=(ALL) NOPASSWD:ALL"
dest: "/etc/sudoers.d/{{ user_name }}"
owner: "root"
group: "root"
mode: "0440"
when: user_enable_passwordless_sudo


@ -1,49 +0,0 @@
---
- hosts: "all"
become: True
vars:
user_local_ssh_key_path: "/root/.ssh/id_rsa.pub"
user_groups: ["foo", "bar"]
roles:
- "role_under_test"
pre_tasks:
- name: "Create fake SSH directory"
file:
path: "/root/.ssh"
state: "directory"
owner: "root"
group: "root"
mode: "0755"
- name: "Generate fake SSH key"
lineinfile:
path: "/root/.ssh/id_rsa.pub"
line: "ssh-rsa foo hello@world"
state: "present"
create: True
post_tasks:
- name: "Ensure user belongs to the correct groups"
command: groups {{ user_name }}
register: result
changed_when: result.stdout.split(":")[1] | trim != ([user_name] + user_groups) | join(" ")
- name: "Ensure authorized_key is set"
command: cat /root/.ssh/id_rsa.pub
register: result
changed_when: result.stdout != "ssh-rsa foo hello@world"
- name: "Ensure /etc/sudoers.d/deploy contains 'NOPASSWD:ALL'"
command: grep NOPASSWD:ALL /etc/sudoers.d/deploy
register: result
changed_when: result.rc != 0
- name: "Ensure passwordless sudo works"
become_user: "{{ user_name }}"
command: sudo whoami
register: result
changed_when: result.stdout != "root"