From 4f9baa65b161e930c51f4b3fd54c5e49caecaf75 Mon Sep 17 00:00:00 2001 
From: Quotengrote <38253905+quotengrote@users.noreply.github.com> Date: Thu, 5 Nov 2020 21:52:43 +0100 Subject: [PATCH] Dotfiles + SSH Komplettumbau (#64) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Playbook zum aufräumen der alten dotfiles-Struktur * Rolle mgrote.dotfiles gelöscht * Rolle geerlingguy.dotfiles hinzugefügt und ergänzt * Playbook 5_personalisierung mit neuer Rolle aktualisiert * GroupVars: Variablen mit neuer Rolle aktualisiert * Variablenname ssh_pubkey angepasst * Rolle deploy_ssh_keys gelöscht, wird durch create_users übernommen * Bugfix: password ssh login verbieten * Playbook: dotfiles User korrigiert * Inventar: richtig auskommentiert * GroupVars Docker: Housekeeping * Variablenname ssh_pubkey angepasst * create_users: ansible-user angelegt * GroupVars dotfiles angepasst für geerlingguy * Keyfile in ansible.cfg definiert * Rolle: nickjj.ansible-user entfernt * gitignore aktualisiert --- .gitignore | 2 + inventories/group_vars/all.yml | 39 +++++--- inventories/group_vars/docker.yml | 2 - inventories/group_vars/virt.yml | 15 +-- inventories/test | 6 +- playbooks/base/1_bootstrap.yml | 10 +- playbooks/base/5_personalisierung.yml | 5 +- playbooks/on-off/remove_dotfiles_dir.yml | 24 +++++ roles/geerlingguy.dotfiles/.ansible-lint | 2 + .../geerlingguy.dotfiles/.github/FUNDING.yml | 4 + roles/geerlingguy.dotfiles/.github/stale.yml | 56 +++++++++++ .../.github/workflows/ci.yml | 67 +++++++++++++ .../.github/workflows/release.yml | 38 ++++++++ roles/geerlingguy.dotfiles/.gitignore | 3 + roles/geerlingguy.dotfiles/.yamllint | 11 +++ roles/geerlingguy.dotfiles/LICENSE | 20 ++++ roles/geerlingguy.dotfiles/README.md | 56 +++++++++++ roles/geerlingguy.dotfiles/defaults/main.yml | 12 +++ roles/geerlingguy.dotfiles/meta/main.yml | 28 ++++++ .../molecule/default/converge.yml | 13 +++ .../molecule/default/molecule.yml | 17 ++++ .../molecule/default/requirements.yml | 2 + roles/geerlingguy.dotfiles/tasks/main.yml | 
30 ++++++ .../tasks/main.yml | 2 +- roles/mgrote.deploy_ssh_keys/README.md | 15 --- .../mgrote.deploy_ssh_keys/defaults/main.yml | 3 - roles/mgrote.deploy_ssh_keys/tasks/main.yml | 22 ----- roles/mgrote.dotfiles/README.md | 22 ----- roles/mgrote.dotfiles/defaults/main.yml | 8 -- roles/mgrote.dotfiles/tasks/main.yml | 34 ------- roles/nickjj.ansible-user/.gitignore | 8 -- roles/nickjj.ansible-user/.travis.yml | 17 ---- roles/nickjj.ansible-user/CHANGES.md | 50 ---------- roles/nickjj.ansible-user/LICENSE | 22 ----- roles/nickjj.ansible-user/README.md | 97 ------------------- roles/nickjj.ansible-user/defaults/main.yml | 10 -- roles/nickjj.ansible-user/meta/main.yml | 25 ----- roles/nickjj.ansible-user/tasks/main.yml | 47 --------- roles/nickjj.ansible-user/tests/test.yml | 49 ---------- 39 files changed, 430 insertions(+), 463 deletions(-) create mode 100644 playbooks/on-off/remove_dotfiles_dir.yml create mode 100644 roles/geerlingguy.dotfiles/.ansible-lint create mode 100644 roles/geerlingguy.dotfiles/.github/FUNDING.yml create mode 100644 roles/geerlingguy.dotfiles/.github/stale.yml create mode 100644 roles/geerlingguy.dotfiles/.github/workflows/ci.yml create mode 100644 roles/geerlingguy.dotfiles/.github/workflows/release.yml create mode 100644 roles/geerlingguy.dotfiles/.gitignore create mode 100644 roles/geerlingguy.dotfiles/.yamllint create mode 100644 roles/geerlingguy.dotfiles/LICENSE create mode 100644 roles/geerlingguy.dotfiles/README.md create mode 100644 roles/geerlingguy.dotfiles/defaults/main.yml create mode 100644 roles/geerlingguy.dotfiles/meta/main.yml create mode 100644 roles/geerlingguy.dotfiles/molecule/default/converge.yml create mode 100644 roles/geerlingguy.dotfiles/molecule/default/molecule.yml create mode 100644 roles/geerlingguy.dotfiles/molecule/default/requirements.yml create mode 100644 roles/geerlingguy.dotfiles/tasks/main.yml delete mode 100644 roles/mgrote.deploy_ssh_keys/README.md delete mode 100644 
roles/mgrote.deploy_ssh_keys/defaults/main.yml delete mode 100644 roles/mgrote.deploy_ssh_keys/tasks/main.yml delete mode 100644 roles/mgrote.dotfiles/README.md delete mode 100644 roles/mgrote.dotfiles/defaults/main.yml delete mode 100644 roles/mgrote.dotfiles/tasks/main.yml delete mode 100644 roles/nickjj.ansible-user/.gitignore delete mode 100644 roles/nickjj.ansible-user/.travis.yml delete mode 100644 roles/nickjj.ansible-user/CHANGES.md delete mode 100644 roles/nickjj.ansible-user/LICENSE delete mode 100644 roles/nickjj.ansible-user/README.md delete mode 100644 roles/nickjj.ansible-user/defaults/main.yml delete mode 100644 roles/nickjj.ansible-user/meta/main.yml delete mode 100644 roles/nickjj.ansible-user/tasks/main.yml delete mode 100644 roles/nickjj.ansible-user/tests/test.yml diff --git a/.gitignore b/.gitignore index ddac6539..c1a032f5 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,6 @@ .git/ vault-pass.yml keepass_db.kdbx +id_rsa_ansible_user +id_rsa_ansible_user_pub # https://www.atlassian.com/git/tutorials/saving-changes/gitignore diff --git a/inventories/group_vars/all.yml b/inventories/group_vars/all.yml index d5a416f5..378df21c 100644 --- a/inventories/group_vars/all.yml +++ b/inventories/group_vars/all.yml @@ -19,15 +19,6 @@ tmux_conf_destination: "/home/mg/.tmux.conf" tmux_bashrc_destination: "/home/mg/.bashrc" tmux_standardsession_name: "default" - ### mgrote.dotfiles - dotfiles_local_repo_directory: "/home/mg/dotfiles-repo" - dotfiles_user: mg - dotfiles_link_target: "/home/mg" - dotfiles_remote_repo: "https://github.com/quotengrote/dotfiles" - dotfiles_files_to_copy: - - .tmux.conf - - .bash_aliases - - .gitconfig ### mgrote.fail2ban f2b_bantime: 300 f2b_findtime: 300 
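Review bot: The second added pattern, `id_rsa_ansible_user_pub`, will not match `id_rsa_ansible_user.pub`, which is the name ssh-keygen gives the public half, so if the key pair was generated that way only the private key is actually ignored (harmless for a public key, but it suggests the patterns were not checked with `git check-ignore -v`). More importantly, `.gitignore` does nothing for a file that is already tracked or that gets `git add -f`-ed; run `git ls-files | grep id_rsa` once and prefer keeping the private key outside the working tree altogether. The inventory change in this commit points at `/home/mg/ansible/id_rsa_ansible_user`, which may or may not be the checkout directory — if it is, the key lives next to a repo whose history is shared.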
@@ -43,17 +34,39 @@ - username: mg password: "{{ lookup('keepass', 'linux_mg_user_password', 'password') }}" update_password: on_create - ssh_key: "{{ lookup('keepass', 'ssh_pubkey', 'password') }}" + ssh_key: "{{ lookup('keepass', 'ssh_pubkey_mg', 'password') }}" use_sudo: yes use_sudo_nopass: yes user_state: present - groups: ssh + groups: ssh, sudo servers: - production - staging - test - virt - + - username: ansible-user + password: "{{ lookup('keepass', 'linux_mg_user_password', 'password') }}" + update_password: on_create + ssh_key: "{{ lookup('keepass', 'ssh_pubkey_ansible-user', 'password') }}" + use_sudo: yes + use_sudo_nopass: yes + user_state: present + groups: ssh, ansible, sudo + servers: + - production + - staging + - test + - virt + ### geerlingguy.dotfiles + dotfiles_repo: "https://github.com/quotengrote/dotfiles.git" + dotfiles_repo_local_destination: "/home/mg/dotfiles-repo" + dotfiles_home: "/home/mg" + dotfiles_user: "mg" + dotfiles_repo_accept_hostkey: true + dotfiles_files: + - .bash_aliases + - .tmux.conf + - .gitconfig # Ansible Variablen @@ -64,7 +77,7 @@ ### python3 # https://docs.ansible.com/ansible/latest/reference_appendices/python_3_support.html ansible_python_interpreter: "/usr/bin/python3" - + ansible_ssh_private_key_file: /home/mg/ansible/id_rsa_ansible_user # Ansible Plugin Variablen ### Keepass diff --git a/inventories/group_vars/docker.yml b/inventories/group_vars/docker.yml index 66208ca4..ab5b5eb3 100644 --- a/inventories/group_vars/docker.yml +++ b/inventories/group_vars/docker.yml @@ -12,8 +12,6 @@ # comment: 'rssbridge' - rule: allow comment: 'alles erlauben' - ### mgrote.create_users - create_user_groups: 'sudo, ssh, docker' ### geerlingguy.docker docker_users: - mg diff --git a/inventories/group_vars/virt.yml b/inventories/group_vars/virt.yml index cf820cbf..9c9e439f 100644 --- a/inventories/group_vars/virt.yml +++ b/inventories/group_vars/virt.yml 
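Review bot: The new `ansible-user` entry reuses the `mg` account's password (`lookup('keepass', 'linux_mg_user_password', 'password')`) while also getting passwordless sudo, so the two accounts are no longer independent — one leaked password unlocks both locally even with SSH key-only; give the automation account its own keepass entry (e.g. `password: "{{ lookup('keepass', 'linux_ansible-user_password', 'password') }}"`) or lock its password, since it only ever logs in with `ssh_pubkey_ansible-user`. `dotfiles_repo_accept_hostkey: true` has no effect here: the repo URL is https (no SSH host key to accept), and the copy of `geerlingguy.dotfiles/tasks/main.yml` added in this same commit does not pass `accept_hostkey` to the `git` module at all. The dotfiles are also cloned without `dotfiles_repo_version`, so the role's default `master` is linked into `.bash_aliases`/`.tmux.conf`/`.gitconfig` on every host of the four server groups, production included; pinning it (`dotfiles_repo_version: "<tag or commit>"`) keeps a single upstream push from changing shell startup on all hosts at once.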
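Review bot: `ansible_ssh_private_key_file: /home/mg/ansible/id_rsa_ansible_user` hard-codes one workstation's absolute path into group_vars shared by everyone who runs this repo; a path relative to the playbook (`"{{ playbook_dir }}/../id_rsa_ansible_user"`) or `~/.ssh/id_rsa_ansible_user` avoids that. The commit message also says the key file is defined in `ansible.cfg`; since an inventory variable overrides `private_key_file` from `ansible.cfg`, keep only one of the two so it stays obvious which key is in use.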
@@ -1,13 +1,14 @@ --- - ### mgrote.dotfiles - dotfiles_local_repo_directory: "/root/dotfiles-repo" - dotfiles_user: "root" - dotfiles_link_target: "/root" - dotfiles_remote_repo: "https://github.com/quotengrote/dotfiles" - dotfiles_files_to_copy: - - .tmux.conf + ### geerlingguy.dotfiles + dotfiles_repo: "https://github.com/quotengrote/dotfiles.git" + dotfiles_repo_local_destination: "/home/mg/dotfiles-repo" + dotfiles_home: "/home/mg" + dotfiles_user: "mg" + dotfiles_repo_accept_hostkey: true + dotfiles_files: - .bash_aliases + - .tmux.conf - .gitconfig ### mgrote.sanoid sanoid_snapshot_keep_hourly: '24' diff --git a/inventories/test b/inventories/test index 2efa83fa..e0754bba 100644 --- a/inventories/test +++ b/inventories/test @@ -27,6 +27,6 @@ all: hosts: vm-test.grote.lan: lxc-test.grote.lan: - baseimage: - hosts: - # vorlagebaseimage.grote.lan: +# baseimage: +# hosts: +# vorlagebaseimage.grote.lan: diff --git a/playbooks/base/1_bootstrap.yml b/playbooks/base/1_bootstrap.yml index c692256e..35856c2c 100644 --- a/playbooks/base/1_bootstrap.yml +++ b/playbooks/base/1_bootstrap.yml @@ -6,21 +6,17 @@ roles: - { role: robertdebock.bootstrap, tags: "bootstrap" } - - { role: nickjj.ansible-user, tags: "ansible-user" } - + - { role: ryandaniels.create_users, tags: "user", become: yes } vars: ### reobertdebock.bootstrap bootstrap_user: mg bootstrap_wait_for_host: no bootstrap_timeout: 1 bootstrap_retries: 1 - ### fuer rolle nickjj.ansible-user - user_name: "ansible-user" - user_generate_ssh_key: true - user_local_ssh_key_path: "~/.ssh/id_rsa.pub" - user_enable_passwordless_sudo: True ### ansible ansible_user: "mg" ansible_password: "hallowelt" ansible_become_password: "hallowelt" ansible_ssh_common_args: "'-o StrictHostKeyChecking=no'" + +# Nach dem ersten durchlaufen ist keine Anmeldung mehr per Passwort & ssh möglich. Somit scheitert auch der Versuch das Playbook ein zweites mal durchlaufen zu lassen. 
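Review bot: This `geerlingguy.dotfiles` block is byte-for-byte the one added to `group_vars/all.yml` in the same commit, so it adds nothing except a second place that must be kept in sync; because group-specific vars take precedence over `all`, a later edit to `all.yml` would silently not apply to the `virt` group. Unless virt hosts are meant to differ, drop the block here. If the intent was to keep the previous root-based layout on virt hosts (`dotfiles_home: "/root"`, `dotfiles_user: "root"`), that is lost by this hunk and should be restored explicitly.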
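Review bot: The new trailing comment records that the play locks itself out after the first run, but the cause is that `ansible_user: "mg"` and `ansible_password` are hard-wired in the play's vars, so a second run never tries the `ansible-user` key that `ryandaniels.create_users` has just deployed; either state the recovery invocation in the comment (`# re-run with: ansible-playbook … -u ansible-user --private-key <id_rsa_ansible_user>`) or move the first-run credentials to `-e` extra vars so the play is re-runnable. The `create_users` role now runs with `become: yes` over a connection that still authenticates with the clear-text `ansible_password`/`ansible_become_password` kept in this file, while the rest of this commit moves user secrets into keepass lookups; using the same lookup here would remove the last plaintext password from the repo.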
diff --git a/playbooks/base/5_personalisierung.yml b/playbooks/base/5_personalisierung.yml index 90a7f7bb..5ad5058a 100644 --- a/playbooks/base/5_personalisierung.yml +++ b/playbooks/base/5_personalisierung.yml @@ -5,4 +5,7 @@ - { role: mgrote.tmux, tags: "tmux", when: "not 'virt' in group_names" } - - { role: mgrote.dotfiles, tags: "dotfiles" } + - { role: geerlingguy.dotfiles, + become_user: "{{ dotfiles_user }}" , + become: true, + tags: "dotfiles" } diff --git a/playbooks/on-off/remove_dotfiles_dir.yml b/playbooks/on-off/remove_dotfiles_dir.yml new file mode 100644 index 00000000..81c1b738 --- /dev/null +++ b/playbooks/on-off/remove_dotfiles_dir.yml @@ -0,0 +1,24 @@ +--- +- hosts: all + become: yes + tasks: + - name: delete /home/mg/dotfiles-repo + become: yes + file: + path: /home/mg/dotfiles-repo + state: absent + - name: delete /home/mg/.bash_aliases + become: yes + file: + path: /home/mg/.bash_aliases + state: absent + - name: delete /home/mg/.tmux.conf + become: yes + file: + path: /home/mg/.tmux.conf + state: absent + - name: delete /home/mg/.gitconfig + become: yes + file: + path: /home/mg/.gitconfig + state: absent diff --git a/roles/geerlingguy.dotfiles/.ansible-lint b/roles/geerlingguy.dotfiles/.ansible-lint new file mode 100644 index 00000000..55572942 --- /dev/null +++ b/roles/geerlingguy.dotfiles/.ansible-lint @@ -0,0 +1,2 @@ +skip_list: + - '106' diff --git a/roles/geerlingguy.dotfiles/.github/FUNDING.yml b/roles/geerlingguy.dotfiles/.github/FUNDING.yml new file mode 100644 index 00000000..96b49383 --- /dev/null +++ b/roles/geerlingguy.dotfiles/.github/FUNDING.yml @@ -0,0 +1,4 @@ +# These are supported funding model platforms +--- +github: geerlingguy +patreon: geerlingguy diff --git a/roles/geerlingguy.dotfiles/.github/stale.yml b/roles/geerlingguy.dotfiles/.github/stale.yml new file mode 100644 index 00000000..c7ff1275 --- /dev/null +++ b/roles/geerlingguy.dotfiles/.github/stale.yml 
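Review bot: The play targets `hosts: all` with `become: yes` and deletes files under a hard-coded `/home/mg`, so a bare `ansible-playbook` invocation removes the dotfiles on every inventory host, production included, and the paths will silently drift from the `dotfiles_home`/`dotfiles_files`/`dotfiles_repo_local_destination` variables this commit defines in group_vars. Reuse those variables in a loop and make the target explicit so the play cannot run against everything by accident (e.g. `hosts: "{{ target | mandatory }}"` with `-e target=…`); that also drops the four per-task `become: yes` lines the play-level `become` already covers.

```yaml
- hosts: "{{ target | mandatory }}"
  become: true
  tasks:
    - name: delete cloned dotfiles repo
      file:
        path: "{{ dotfiles_repo_local_destination }}"
        state: absent
    - name: delete linked dotfiles
      file:
        path: "{{ dotfiles_home }}/{{ item }}"
        state: absent
      loop: "{{ dotfiles_files }}"
```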
@@ -0,0 +1,56 @@ +# Configuration for probot-stale - https://github.com/probot/stale + +# Number of days of inactivity before an Issue or Pull Request becomes stale +daysUntilStale: 90 + +# Number of days of inactivity before an Issue or Pull Request with the stale label is closed. +# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale. +daysUntilClose: 30 + +# Only issues or pull requests with all of these labels are check if stale. Defaults to `[]` (disabled) +onlyLabels: [] + +# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable +exemptLabels: + - pinned + - security + - planned + +# Set to true to ignore issues in a project (defaults to false) +exemptProjects: false + +# Set to true to ignore issues in a milestone (defaults to false) +exemptMilestones: false + +# Set to true to ignore issues with an assignee (defaults to false) +exemptAssignees: false + +# Label to use when marking as stale +staleLabel: stale + +# Limit the number of actions per hour, from 1-30. Default is 30 +limitPerRun: 30 + +pulls: + markComment: |- + This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution! + + Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark pull requests as stale. + + unmarkComment: >- + This pull request is no longer marked for closure. + + closeComment: >- + This pull request has been closed due to inactivity. If you feel this is in error, please reopen the pull request or file a new PR with the relevant details. + +issues: + markComment: |- + This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution! 
+ + Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale. + + unmarkComment: >- + This issue is no longer marked for closure. + + closeComment: >- + This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details. diff --git a/roles/geerlingguy.dotfiles/.github/workflows/ci.yml b/roles/geerlingguy.dotfiles/.github/workflows/ci.yml new file mode 100644 index 00000000..c3a919c7 --- /dev/null +++ b/roles/geerlingguy.dotfiles/.github/workflows/ci.yml @@ -0,0 +1,67 @@ +--- +name: CI +'on': + pull_request: + push: + branches: + - master + schedule: + - cron: "0 5 * * 1" + +defaults: + run: + working-directory: 'geerlingguy.dotfiles' + +jobs: + + lint: + name: Lint + runs-on: ubuntu-latest + steps: + - name: Check out the codebase. + uses: actions/checkout@v2 + with: + path: 'geerlingguy.dotfiles' + + - name: Set up Python 3. + uses: actions/setup-python@v2 + with: + python-version: '3.x' + + - name: Install test dependencies. + run: pip3 install yamllint ansible-lint + + - name: Lint code. + run: | + yamllint . + ansible-lint + + molecule: + name: Molecule + runs-on: ubuntu-latest + strategy: + matrix: + distro: + - centos7 + - ubuntu1804 + + steps: + - name: Check out the codebase. + uses: actions/checkout@v2 + with: + path: 'geerlingguy.dotfiles' + + - name: Set up Python 3. + uses: actions/setup-python@v2 + with: + python-version: '3.x' + + - name: Install test dependencies. + run: pip3 install ansible molecule[docker] docker + + - name: Run Molecule tests. + run: molecule test + env: + PY_COLORS: '1' + ANSIBLE_FORCE_COLOR: '1' + MOLECULE_DISTRO: ${{ matrix.distro }} diff --git a/roles/geerlingguy.dotfiles/.github/workflows/release.yml b/roles/geerlingguy.dotfiles/.github/workflows/release.yml new file mode 100644 index 00000000..474eedee --- /dev/null 
+++ b/roles/geerlingguy.dotfiles/.github/workflows/release.yml @@ -0,0 +1,38 @@ +--- +# This workflow requires a GALAXY_API_KEY secret present in the GitHub +# repository or organization. +# +# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy +# See: https://github.com/ansible/galaxy/issues/46 + +name: Release +'on': + push: + tags: + - '*' + +defaults: + run: + working-directory: 'geerlingguy.dotfiles' + +jobs: + + release: + name: Release + runs-on: ubuntu-latest + steps: + - name: Check out the codebase. + uses: actions/checkout@v2 + with: + path: 'geerlingguy.dotfiles' + + - name: Set up Python 3. + uses: actions/setup-python@v2 + with: + python-version: '3.x' + + - name: Install Ansible. + run: pip3 install ansible-base + + - name: Trigger a new import on Galaxy. + run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2) diff --git a/roles/geerlingguy.dotfiles/.gitignore b/roles/geerlingguy.dotfiles/.gitignore new file mode 100644 index 00000000..f56f5b57 --- /dev/null +++ b/roles/geerlingguy.dotfiles/.gitignore @@ -0,0 +1,3 @@ +*.retry +*/__pycache__ +*.pyc diff --git a/roles/geerlingguy.dotfiles/.yamllint b/roles/geerlingguy.dotfiles/.yamllint new file mode 100644 index 00000000..f2033dd2 --- /dev/null +++ b/roles/geerlingguy.dotfiles/.yamllint @@ -0,0 +1,11 @@ +--- +extends: default + +rules: + line-length: + max: 120 + level: warning + +ignore: | + .github/stale.yml + .travis.yml diff --git a/roles/geerlingguy.dotfiles/LICENSE b/roles/geerlingguy.dotfiles/LICENSE new file mode 100644 index 00000000..4275cf3c --- /dev/null +++ b/roles/geerlingguy.dotfiles/LICENSE 
@@ -0,0 +1,20 @@ +The MIT License (MIT) + +Copyright (c) 2017 Jeff Geerling + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +the Software, and to permit persons to whom the Software is furnished to do so, +subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/roles/geerlingguy.dotfiles/README.md b/roles/geerlingguy.dotfiles/README.md new file mode 100644 index 00000000..c7b2a548 --- /dev/null +++ b/roles/geerlingguy.dotfiles/README.md 
@@ -0,0 +1,56 @@ +# Ansible Role: Dotfiles + +[![CI](https://github.com/geerlingguy/ansible-role-dotfiles/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-dotfiles/actions?query=workflow%3ACI) + +Installs a set of dotfiles from a given Git repository. By default, it will install my (geerlingguy's) [dotfiles](https://github.com/geerlingguy/dotfiles), but you can use any set of dotfiles you'd like, as long as they follow a conventional format. + +## Requirements + +Requires `git` on the managed machine (you can easily install it with `geerlingguy.git` if required). + +## Role Variables + +Available variables are listed below, along with default values (see `defaults/main.yml`): + + dotfiles_repo: "https://github.com/geerlingguy/dotfiles.git" + dotfiles_repo_version: master + +The git repository and branch/tag/commit hash to use for retrieving dotfiles. Dotfiles should generally be laid out within the root directory of the repository. + + dotfiles_repo_accept_hostkey: false + +Add the hostkey for the repo url if not already added. If ssh_opts contains "-o StrictHostKeyChecking=no", this parameter is ignored. + + dotfiles_repo_local_destination: "~/Documents/dotfiles" + +The local path where the `dotfiles_repo` will be cloned. + + dotfiles_home: "~" + +The home directory where dotfiles will be linked. Generally, the default should work, but in some circumstances, or when running the role as sudo on behalf of another user, you may want to specify the full path. + + dotfiles_files: + - .zshrc + - .gitignore + - .inputrc + - .vimrc + +Which files from the dotfiles repository should be linked to the `dotfiles_home`. + +## Dependencies + +None + +## Example Playbook + + - hosts: localhost + roles: + - { role: geerlingguy.dotfiles } + +## License + +MIT / BSD + +## Author Information + +This role was created in 2015 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/). 
diff --git a/roles/geerlingguy.dotfiles/defaults/main.yml b/roles/geerlingguy.dotfiles/defaults/main.yml new file mode 100644 index 00000000..fa7d2ef6 --- /dev/null +++ b/roles/geerlingguy.dotfiles/defaults/main.yml @@ -0,0 +1,12 @@ +--- +dotfiles_repo: "https://github.com/geerlingguy/dotfiles.git" +dotfiles_repo_version: master +dotfiles_repo_accept_hostkey: false +dotfiles_repo_local_destination: "~/Documents/dotfiles" + +dotfiles_home: "~" +dotfiles_files: + - .zshrc + - .gitignore + - .inputrc + - .vimrc diff --git a/roles/geerlingguy.dotfiles/meta/main.yml b/roles/geerlingguy.dotfiles/meta/main.yml new file mode 100644 index 00000000..f08b72f5 --- /dev/null +++ b/roles/geerlingguy.dotfiles/meta/main.yml @@ -0,0 +1,28 @@ +--- +dependencies: [] + +galaxy_info: + role_name: dotfiles + author: geerlingguy + description: Dotfile installation for UNIX/Linux. + company: "Midwestern Mac, LLC" + license: "license (BSD, MIT)" + min_ansible_version: 2.2 + platforms: + - name: GenericUNIX + versions: + - all + - any + - name: GenericBSD + versions: + - all + - any + - name: GenericLinux + versions: + - all + - any + galaxy_tags: + - development + - system + - dotfiles + - configuration diff --git a/roles/geerlingguy.dotfiles/molecule/default/converge.yml b/roles/geerlingguy.dotfiles/molecule/default/converge.yml new file mode 100644 index 00000000..41f0ba45 --- /dev/null +++ b/roles/geerlingguy.dotfiles/molecule/default/converge.yml @@ -0,0 +1,13 @@ +--- +- name: Converge + hosts: all + become: true + + pre_tasks: + - name: Update apt cache. + apt: update_cache=yes cache_valid_time=600 + when: ansible_os_family == 'Debian' + + roles: + - role: geerlingguy.git + - role: geerlingguy.dotfiles diff --git a/roles/geerlingguy.dotfiles/molecule/default/molecule.yml b/roles/geerlingguy.dotfiles/molecule/default/molecule.yml new file mode 100644 index 00000000..74907107 --- /dev/null +++ b/roles/geerlingguy.dotfiles/molecule/default/molecule.yml 
@@ -0,0 +1,17 @@ +--- +dependency: + name: galaxy +driver: + name: docker +platforms: + - name: instance + image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest" + command: ${MOLECULE_DOCKER_COMMAND:-""} + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + privileged: true + pre_build_image: true +provisioner: + name: ansible + playbooks: + converge: ${MOLECULE_PLAYBOOK:-converge.yml} diff --git a/roles/geerlingguy.dotfiles/molecule/default/requirements.yml b/roles/geerlingguy.dotfiles/molecule/default/requirements.yml new file mode 100644 index 00000000..6208520d --- /dev/null +++ b/roles/geerlingguy.dotfiles/molecule/default/requirements.yml @@ -0,0 +1,2 @@ +--- +- src: geerlingguy.git diff --git a/roles/geerlingguy.dotfiles/tasks/main.yml b/roles/geerlingguy.dotfiles/tasks/main.yml new file mode 100644 index 00000000..9f4e7b33 --- /dev/null +++ b/roles/geerlingguy.dotfiles/tasks/main.yml @@ -0,0 +1,30 @@ +--- +- name: Ensure dotfiles repository is cloned locally. + git: + repo: "{{ dotfiles_repo }}" + dest: "{{ dotfiles_repo_local_destination }}" + version: "{{ dotfiles_repo_version }}" + depth: 1 + +- name: Ensure all configured dotfiles are links. + command: "ls -F {{ dotfiles_home }}/{{ item }}" + register: existing_dotfile_info + failed_when: false + check_mode: false + changed_when: false + with_items: "{{ dotfiles_files }}" + +- name: Remove existing dotfiles file if a replacement is being linked. + file: + path: "{{ dotfiles_home }}/{{ dotfiles_files[item.0] }}" + state: absent + when: "'@' not in item.1.stdout" + with_indexed_items: "{{ existing_dotfile_info.results }}" + +- name: Link dotfiles into home folder. + file: + src: "{{ dotfiles_repo_local_destination }}/{{ item }}" + dest: "{{ dotfiles_home }}/{{ item }}" + state: link + mode: 0644 + with_items: "{{ dotfiles_files }}" diff --git a/roles/mgrote.deactivate_ssh_password_login/tasks/main.yml b/roles/mgrote.deactivate_ssh_password_login/tasks/main.yml index 427bffb3..cf9b0702 100644 
--- a/roles/mgrote.deactivate_ssh_password_login/tasks/main.yml +++ b/roles/mgrote.deactivate_ssh_password_login/tasks/main.yml @@ -6,5 +6,5 @@ regexp: '#PasswordAuthentication yes' line: 'PasswordAuthentication no' state: present - backrefs: yes +# backrefs: yes notify: restart_sshd diff --git a/roles/mgrote.deploy_ssh_keys/README.md b/roles/mgrote.deploy_ssh_keys/README.md deleted file mode 100644 index 9485070f..00000000 --- a/roles/mgrote.deploy_ssh_keys/README.md +++ /dev/null @@ -1,15 +0,0 @@ -## mgrote.deploy_ssh_keys - -### Beschreibung -Deployed einen ssh key in die authorized_keys. -Erlaubt dem Nutzer passwortloses "sudo" - -### Funktioniert auf -- [x] Ubuntu (>=18.04) -- [ ] ProxMox 6.1 - -### Variablen + Defaults -##### Nutzer - ssh_user: mg -##### Key - ssh_pubkey: ssh-rsa AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAuBZc+/pULaZefCgjKGL1zXIFFlw== mg@irantu diff --git a/roles/mgrote.deploy_ssh_keys/defaults/main.yml b/roles/mgrote.deploy_ssh_keys/defaults/main.yml deleted file mode 100644 index 4b43d255..00000000 --- a/roles/mgrote.deploy_ssh_keys/defaults/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- - ssh_user: mg - ssh_pubkey: ssh-rsa AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAuBZc+/pULaZefCgjKGL1zXIFFlw== mg@irantu diff --git a/roles/mgrote.deploy_ssh_keys/tasks/main.yml b/roles/mgrote.deploy_ssh_keys/tasks/main.yml deleted file mode 100644 index 4ae5014d..00000000 --- a/roles/mgrote.deploy_ssh_keys/tasks/main.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- - - name: create .ssh directory - become: yes - file: - path: "/home/{{ ssh_user }}/.ssh" - state: directory - - - name: touch file - become: yes - file: - path: "/home/{{ ssh_user }}/.ssh/authorized_keys" - state: touch - modification_time: preserve - access_time: preserve - - - name: put pubkey - become: yes - lineinfile: - path: "/home/{{ ssh_user }}/.ssh/authorized_keys" - line: "{{ ssh_pubkey }}" - state: present - backup: yes 
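Review bot: Dropping `backrefs: yes` makes `lineinfile` append `PasswordAuthentication no` at the end of the file whenever `#PasswordAuthentication yes` is not found, and sshd honours the first occurrence of a keyword, so an existing uncommented `PasswordAuthentication yes` earlier in the file — or one pulled in by an `Include` — still wins; an appended line also lands inside any trailing `Match` block and then applies only to that block. The regexp should match any existing directive rather than only the commented default, the fallback insert should go to the top of the file, and the write should be validated before the handler restarts sshd. Password prompts via keyboard-interactive/PAM are not covered by this directive either, so a second task setting `ChallengeResponseAuthentication no` (`KbdInteractiveAuthentication no` on newer OpenSSH) is needed for a real "no password login". The task's module and `path` lines start outside the hunk.

```yaml
# … unchanged: task name, module and path (start before the hunk) …
    regexp: '^#?\s*PasswordAuthentication\b'
    line: 'PasswordAuthentication no'
    state: present
    insertbefore: BOF
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart_sshd
```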
diff --git a/roles/mgrote.dotfiles/README.md b/roles/mgrote.dotfiles/README.md deleted file mode 100644 index bb523a97..00000000 --- a/roles/mgrote.dotfiles/README.md +++ /dev/null @@ -1,22 +0,0 @@ -## mgrote.dotfiles - -### Beschreibung -Klont ein git-repo, und symlinked die darin enthaltenen Dateien in ein Verzeichnis. - -### Funktioniert auf -- [ ] Ubuntu (>=18.04) -- [ ] ProxMox 6.1 - -### Variablen + Defaults -##### Remote Repository - dotfiles_remote_repo: "https://github.com/quotengrote/dotfiles" -##### User - dotfiles_user: "mg" -##### Where to Link - dotfiles_link_target: "/home/mg" -##### Local Repo - dotfiles_local_repo_directory: "/home/mg/dotfiles-repo" -##### Which files should be linked - dotfiles_files_to_copy: - - .tmux.conf - - .bash_aliases diff --git a/roles/mgrote.dotfiles/defaults/main.yml b/roles/mgrote.dotfiles/defaults/main.yml deleted file mode 100644 index 45563fd4..00000000 --- a/roles/mgrote.dotfiles/defaults/main.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- - dotfiles_local_repo_directory: "/home/mg/dotfiles-repo" - dotfiles_user: "mg" - dotfiles_link_target: "/home/mg" - dotfiles_remote_repo: "https://github.com/quotengrote/dotfiles" - dotfiles_files_to_copy: - - .tmux.conf - - .bash_aliases diff --git a/roles/mgrote.dotfiles/tasks/main.yml b/roles/mgrote.dotfiles/tasks/main.yml deleted file mode 100644 index 32bd16ef..00000000 --- a/roles/mgrote.dotfiles/tasks/main.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -- name: create repo-directory - become: true - file: - path: "{{ dotfiles_local_repo_directory }}" - state: directory - owner: "{{ dotfiles_user }}" - group: "{{ dotfiles_user }}" - recurse: yes - mode: 0644 - -# noqa [401] -- name: clone repository - become: true - git: - repo: "{{ dotfiles_remote_repo }}" - dest: "{{ dotfiles_local_repo_directory }}" - clone: yes - force: yes - depth: 1 - version: HEAD - tags: - - skip_ansible_lint - -- name: create symlinks for files from repo - become: true - file: - src: "{{ dotfiles_local_repo_directory }}/{{ item }}" - dest: "{{ dotfiles_link_target }}/{{ item }}" - owner: "{{ dotfiles_user }}" - group: "{{ dotfiles_user }}" - mode: 0644 - state: link - force: yes - with_items: "{{ dotfiles_files_to_copy }}" diff --git a/roles/nickjj.ansible-user/.gitignore b/roles/nickjj.ansible-user/.gitignore deleted file mode 100644 index 59053d40..00000000 --- a/roles/nickjj.ansible-user/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -.DS_Store -*/**.DS_Store -._* -.*.sw* -*~ -.idea/ -.vscode/ -*.retry diff --git a/roles/nickjj.ansible-user/.travis.yml b/roles/nickjj.ansible-user/.travis.yml deleted file mode 100644 index ebeda4b0..00000000 --- a/roles/nickjj.ansible-user/.travis.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- - -services: "docker" - -env: - - distro: "ubuntu1604" - - distro: "ubuntu1804" - - distro: "debian8" - - distro: "debian9" - -script: - # Download test shim. - - wget -O ${PWD}/tests/test.sh https://gist.githubusercontent.com/nickjj/d12353b5b601e33cd62fda111359957a/raw - - chmod +x ${PWD}/tests/test.sh - - # Run tests. - - ${PWD}/tests/test.sh diff --git a/roles/nickjj.ansible-user/CHANGES.md b/roles/nickjj.ansible-user/CHANGES.md deleted file mode 100644 index ce0edcf8..00000000 --- a/roles/nickjj.ansible-user/CHANGES.md +++ /dev/null 
@@ -1,50 +0,0 @@
-# Changelog
-
-### v0.4.0
-
-*Released: January 25th 2018*
-
-- Rename `user_authorized_keys_path` to `user_local_ssh_key_path`
-- Add proper tests and support for Ubuntu 16, Debian Stretch and Debian Jessie
-- Update format and style consistencies
-
-### v0.3.3
-
-*Released: October 27th 2016*
-
-- Add ability to generate an SSH key pair (disabled by default)
-
-### v0.3.1
-
-*Released: October 9th 2016*
-
-- Append groups to users
-- Test against Ubuntu 16.04 LTS and Debian Jessie on Travis-CI
-
-### v0.3.0
-
-*Released: October 7th 2016*
-
-- Add ability to create/assign groups
-- Add ability to set a different shell
-- Add ability to toggle copying an SSH key
-- Add ability to toggle passwordless sudo
-- Use the updated YAML syntax for tasks
-
-### v0.2.1
-
-*Released: October 6th 2016*
-
-- Fix Travis-CI tests
-
-### v0.2.0
-
-*Released: October 6th 2016*
-
-- Update role for Ansible 2.1
-
-### v0.1.0
-
-*Released: May 4th 2014*
-
-- Initial release
diff --git a/roles/nickjj.ansible-user/LICENSE b/roles/nickjj.ansible-user/LICENSE
deleted file mode 100644
index 38c335bc..00000000
--- a/roles/nickjj.ansible-user/LICENSE
+++ /dev/null
@@ -1,22 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2014 Nick Janetakis nick.janetakis@gmail.com
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-'Software'), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
-IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
-CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
-TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
-SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/roles/nickjj.ansible-user/README.md b/roles/nickjj.ansible-user/README.md
deleted file mode 100644
index c97d6ee4..00000000
--- a/roles/nickjj.ansible-user/README.md
+++ /dev/null
@@ -1,97 +0,0 @@
-## What is ansible-user? [![Build Status](https://secure.travis-ci.org/nickjj/ansible-user.png)](http://travis-ci.org/nickjj/ansible-user)
-
-It is an [Ansible](http://www.ansible.com/home) role to:
-
-- Create user groups
-- Create a single user, add it to any groups you created and configure its shell
-- Set your public SSH key as an authorized key so you can login without a password
-- Enable passwordless sudo
-
-## Why would you want to use this role?
-
-When you spin up a new server, you'll often want to set up a non-root user that
-you can login as and run your applications under. That's because running your
-applications as root is a questionable idea from a security point of view.
-
-This role sets you up to do that, but it also includes a few other user related
-tasks, such as what's listed in the above bullets. Having all of these things
-together in 1 role means less work for you to do!
-
-## Supported platforms
-
-- Ubuntu 16.04 LTS (Xenial)
-- Ubuntu 18.04 LTS (Bionic)
-- Debian 8 (Jessie)
-- Debian 9 (Stretch)
-
-## Role variables
-
-```
-# Optionally create additional user groupss. If empty, the user you create will
-# automatically be a part of their user's group, ie. deploy:deploy.
-user_groups: []
-
-# The user you want to create.
-user_name: "deploy"
-
-# Which shell should you default to? Typically "bash" or "sh".
-user_shell: "/bin/bash"
-
-# Do you want to create an SSH keypair for this user? You probably don't for a
-# regular user that you plan to login as which is why it's disabled by default.
-user_generate_ssh_key: False
-
-# When set, this will copy your local SSH public key from this path to your
-# user's authorized keys on your server.
-#
-# If you don't want this behavior then use an empty string as the value but keep
-# in mind this role does not set a default password for the user you create, so
-# you will be locked out if you don't supply your public SSH key.
-user_local_ssh_key_path: "~/.ssh/id_rsa.pub"
-
-# Do you want to enable running root commands without needing a password?
-user_enable_passwordless_sudo: True
-```
-
-## Example usage
-
-For the sake of this example let's assume you have a group called **app** and
-you have a typical `site.yml` playbook.
-
-To use this role edit your `site.yml` file to look something like this:
-
-```
----
-
-- name: "Configure app server(s)"
- hosts: "app"
- become: True
-
- roles:
- - { role: "nickjj.user", tags: "user" }
-```
-
-Let's say you want to edit the user name, you can do this by opening or
-creating `group_vars/app.yml` which is located relative to your `inventory`
-directory and then make it look something like this:
-
-```
----
-
-user_name: "thor"
-```
-
-Now you would run `ansible-playbook -i inventory/hosts site.yml -t user`.
-
-## Installation
-
-`$ ansible-galaxy install nickjj.user`
-
-### Ansible Galaxy
-
-You can find it on the official
-[Ansible Galaxy](https://galaxy.ansible.com/nickjj/user) if you want to rate it.
-
-## License
-
-MIT
diff --git a/roles/nickjj.ansible-user/defaults/main.yml b/roles/nickjj.ansible-user/defaults/main.yml
deleted file mode 100644
index 88db4e06..00000000
--- a/roles/nickjj.ansible-user/defaults/main.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-
-user_groups: []
-user_name: "deploy"
-user_shell: "/bin/bash"
-user_generate_ssh_key: False
-
-user_local_ssh_key_path: "~/.ssh/id_rsa.pub"
-
-user_enable_passwordless_sudo: True
diff --git a/roles/nickjj.ansible-user/meta/main.yml b/roles/nickjj.ansible-user/meta/main.yml
deleted file mode 100644
index 650d91de..00000000
--- a/roles/nickjj.ansible-user/meta/main.yml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-
-galaxy_info:
- author: "Nick Janetakis"
- description: "Create and configure a user for SSH key based logins and passwordless sudo."
- company:
- license: "MIT"
- min_ansible_version: "2.5"
-
- platforms:
- - name: "Ubuntu"
- versions:
- - "xenial"
- - "bionic"
- - name: "Debian"
- versions:
- - "jessie"
- - "stretch"
-
- galaxy_tags:
- - "groups"
- - "system"
- - "users"
-
-dependencies: []
diff --git a/roles/nickjj.ansible-user/tasks/main.yml b/roles/nickjj.ansible-user/tasks/main.yml
deleted file mode 100644
index 7e482518..00000000
--- a/roles/nickjj.ansible-user/tasks/main.yml
+++ /dev/null
@@ -1,47 +0,0 @@
----
-
-- name: "Create user group(s)"
- group:
- name: "{{ item }}"
- loop: "{{ user_groups }}"
- when: user_groups
-
-- name: "Create user"
- user:
- name: "{{ user_name }}"
- groups: "{{ (user_groups | join(',')) }}"
- generate_ssh_key: "{{ user_generate_ssh_key }}"
- shell: "{{ user_shell }}"
-
-- name: "Set authorized_key to allow SSH key based logins"
- authorized_key:
- user: "{{ user_name }}"
- key: "{{ lookup('file', user_local_ssh_key_path) }}"
- when: user_local_ssh_key_path | default(False)
-
-- name: "Enable including files from sudoers.d/"
- lineinfile:
- path: "/etc/sudoers"
- regexp: "^#includedir /etc/sudoers.d"
- line: "#includedir /etc/sudoers.d"
- state: "present"
- backup: True
- when: user_enable_passwordless_sudo
-
-- name: Disable sudoers.d
- lineinfile:
- path: "/etc/sudoers"
- regexp: "^#includedir /etc/sudoers.d"
- line: "#includedir /etc/sudoers.d"
- state: "absent"
- backup: True
- when: user_enable_passwordless_sudo == False
-
-- name: "Enable passwordless sudo"
- copy:
- content: "%{{ user_name }} ALL=(ALL) NOPASSWD:ALL"
- dest: "/etc/sudoers.d/{{ user_name }}"
- owner: "root"
- group: "root"
- mode: "0440"
- when: user_enable_passwordless_sudo
diff --git a/roles/nickjj.ansible-user/tests/test.yml b/roles/nickjj.ansible-user/tests/test.yml
deleted file mode 100644
index 4a974db7..00000000
--- a/roles/nickjj.ansible-user/tests/test.yml
+++ /dev/null
@@ -1,49 +0,0 @@
----
-
-- hosts: "all"
- become: True
-
- vars:
- user_local_ssh_key_path: "/root/.ssh/id_rsa.pub"
- user_groups: ["foo", "bar"]
-
- roles:
- - "role_under_test"
-
- pre_tasks:
- - name: "Create fake SSH directory"
- file:
- path: "/root/.ssh"
- state: "directory"
- owner: "root"
- group: "root"
- mode: "0755"
-
- - name: "Generate fake SSH key"
- lineinfile:
- path: "/root/.ssh/id_rsa.pub"
- line: "ssh-rsa foo hello@world"
- state: "present"
- create: True
-
- post_tasks:
- - name: "Ensure user belongs to the correct groups"
- command: groups {{ user_name }}
- register: result
- changed_when: result.stdout.split(":")[1] | trim != ([user_name] + user_groups) | join(" ")
-
- - name: "Ensure authorized_key is set"
- command: cat /root/.ssh/id_rsa.pub
- register: result
- changed_when: result.stdout != "ssh-rsa foo hello@world"
-
- - name: "Ensure /etc/sudoers.d/deploy contains 'NOPASSWD:ALL'"
- command: grep NOPASSWD:ALL /etc/sudoers.d/deploy
- register: result
- changed_when: result.rc != 0
-
- - name: "Ensure passwordless sudo works"
- become_user: "{{ user_name }}"
- command: sudo whoami
- register: result
- changed_when: result.stdout != "root"