Dotfiles + SSH Komplettumbau (#64)
* Playbook zum aufräumen der alten dotfiles-Struktur * Rolle mgrote.dotfiles gelöscht * Rolle geerlingguy.dotfiles hinzugefügt und ergänzt * Playbook 5_personalisierung mit neuer Rolle aktualisiert * GroupVars: Variablen mit neuer Rolle aktualisiert * Variablenname ssh_pubkey angepasst * Rolle deploy_ssh_keys gelöscht, wird durch create_users übernommen * Bugfix: password ssh login verbieten * Playbook: dotfiles User korrigiert * Inventar: richtig auskommentiert * GroupVars Docker: Housekeeping * Variablenname ssh_pubkey angepasst * create_users: ansible-user angelegt * GroupVars dotfiles angepasst für geerlingguy * Keyfile in ansible.cfg definiert * Rolle: nickjj.ansible-user entfernt * gitignore aktualisiert
This commit is contained in:
parent
e7fbcdce6b
commit
4f9baa65b1
39 changed files with 430 additions and 463 deletions
2
.gitignore
vendored
2
.gitignore
vendored
|
@ -1,4 +1,6 @@
|
|||
.git/
|
||||
vault-pass.yml
|
||||
keepass_db.kdbx
|
||||
id_rsa_ansible_user
|
||||
id_rsa_ansible_user_pub
|
||||
# https://www.atlassian.com/git/tutorials/saving-changes/gitignore
|
||||
|
|
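Review bot: The private key is ignored by its exact file name only (`id_rsa_ansible_user`, `id_rsa_ansible_user_pub`), so any variant that appears later — a regenerated `id_ed25519_ansible_user`, a `.bak` copy, a second key for another host group — lands in the repository. A family pattern such as `id_*` together with `!id_*.pub` covers the private halves while keeping public keys trackable, which also means renaming the public half to `id_rsa_ansible_user.pub`. Keeping the key outside the checkout altogether (it is referenced by absolute path from group_vars in this commit) avoids depending on `.gitignore` for secret hygiene at all.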
|
@ -19,15 +19,6 @@
|
|||
tmux_conf_destination: "/home/mg/.tmux.conf"
|
||||
tmux_bashrc_destination: "/home/mg/.bashrc"
|
||||
tmux_standardsession_name: "default"
|
||||
### mgrote.dotfiles
|
||||
dotfiles_local_repo_directory: "/home/mg/dotfiles-repo"
|
||||
dotfiles_user: mg
|
||||
dotfiles_link_target: "/home/mg"
|
||||
dotfiles_remote_repo: "https://github.com/quotengrote/dotfiles"
|
||||
dotfiles_files_to_copy:
|
||||
- .tmux.conf
|
||||
- .bash_aliases
|
||||
- .gitconfig
|
||||
### mgrote.fail2ban
|
||||
f2b_bantime: 300
|
||||
f2b_findtime: 300
|
||||
|
@ -43,17 +34,39 @@
|
|||
- username: mg
|
||||
password: "{{ lookup('keepass', 'linux_mg_user_password', 'password') }}"
|
||||
update_password: on_create
|
||||
ssh_key: "{{ lookup('keepass', 'ssh_pubkey', 'password') }}"
|
||||
ssh_key: "{{ lookup('keepass', 'ssh_pubkey_mg', 'password') }}"
|
||||
use_sudo: yes
|
||||
use_sudo_nopass: yes
|
||||
user_state: present
|
||||
groups: ssh
|
||||
groups: ssh, sudo
|
||||
servers:
|
||||
- production
|
||||
- staging
|
||||
- test
|
||||
- virt
|
||||
|
||||
- username: ansible-user
|
||||
password: "{{ lookup('keepass', 'linux_mg_user_password', 'password') }}"
|
||||
update_password: on_create
|
||||
ssh_key: "{{ lookup('keepass', 'ssh_pubkey_ansible-user', 'password') }}"
|
||||
use_sudo: yes
|
||||
use_sudo_nopass: yes
|
||||
user_state: present
|
||||
groups: ssh, ansible, sudo
|
||||
servers:
|
||||
- production
|
||||
- staging
|
||||
- test
|
||||
- virt
|
||||
### geerlingguy.dotfiles
|
||||
dotfiles_repo: "https://github.com/quotengrote/dotfiles.git"
|
||||
dotfiles_repo_local_destination: "/home/mg/dotfiles-repo"
|
||||
dotfiles_home: "/home/mg"
|
||||
dotfiles_user: "mg"
|
||||
dotfiles_repo_accept_hostkey: true
|
||||
dotfiles_files:
|
||||
- .bash_aliases
|
||||
- .tmux.conf
|
||||
- .gitconfig
|
||||
|
||||
|
||||
# Ansible Variablen
|
||||
|
@ -64,7 +77,7 @@
|
|||
### python3
|
||||
# https://docs.ansible.com/ansible/latest/reference_appendices/python_3_support.html
|
||||
ansible_python_interpreter: "/usr/bin/python3"
|
||||
|
||||
ansible_ssh_private_key_file: /home/mg/ansible/id_rsa_ansible_user
|
||||
|
||||
# Ansible Plugin Variablen
|
||||
### Keepass
|
||||
|
|
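Review bot: `ansible-user` is given the same secret as `mg` — both `password:` lines look up `linux_mg_user_password` — while both accounts get `use_sudo_nopass: yes`, so two root-equivalent identities share one credential and cannot be rotated independently. Give the automation account its own entry, e.g. `password: "{{ lookup('keepass', 'linux_ansible_user_password', 'password') }}"`, or, since it only ever logs in by key once password SSH is disabled elsewhere in this commit, lock its password if `ryandaniels.create_users` supports that. Note also that `update_password: on_create` means a later change of the keepass entry is not pushed to hosts where the account already exists, so a rotation needs a deliberate one-off run.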
|
@ -12,8 +12,6 @@
|
|||
# comment: 'rssbridge'
|
||||
- rule: allow
|
||||
comment: 'alles erlauben'
|
||||
### mgrote.create_users
|
||||
create_user_groups: 'sudo, ssh, docker'
|
||||
### geerlingguy.docker
|
||||
docker_users:
|
||||
- mg
|
||||
|
|
|
@ -1,13 +1,14 @@
|
|||
---
|
||||
|
||||
### mgrote.dotfiles
|
||||
dotfiles_local_repo_directory: "/root/dotfiles-repo"
|
||||
dotfiles_user: "root"
|
||||
dotfiles_link_target: "/root"
|
||||
dotfiles_remote_repo: "https://github.com/quotengrote/dotfiles"
|
||||
dotfiles_files_to_copy:
|
||||
- .tmux.conf
|
||||
### geerlingguy.dotfiles
|
||||
dotfiles_repo: "https://github.com/quotengrote/dotfiles.git"
|
||||
dotfiles_repo_local_destination: "/home/mg/dotfiles-repo"
|
||||
dotfiles_home: "/home/mg"
|
||||
dotfiles_user: "mg"
|
||||
dotfiles_repo_accept_hostkey: true
|
||||
dotfiles_files:
|
||||
- .bash_aliases
|
||||
- .tmux.conf
|
||||
- .gitconfig
|
||||
### mgrote.sanoid
|
||||
sanoid_snapshot_keep_hourly: '24'
|
||||
|
|
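Review bot: `dotfiles_repo_version` is not set, so the role default `master` (visible in the vendored `defaults/main.yml`) applies and every run fast-forwards to whatever is currently on the default branch of the public repository, then symlinks `.bash_aliases` and `.gitconfig` into the user's home; anyone who can push to that repository, or who takes over the GitHub account, gets command execution in every interactive shell on every host in this group. Pin it with `dotfiles_repo_version: "<commit sha>"` (quoted so YAML keeps it a string) and bump it deliberately after reading the upstream diff. `dotfiles_repo_accept_hostkey: true` has no effect for an `https://` URL and can be dropped. Separately, the replaced block targeted root's home (`/root`) and the new one targets `/home/mg`; if that is an intended behaviour change for this group it deserves a line in the commit message rather than passing as a variable rename.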
|
@ -27,6 +27,6 @@ all:
|
|||
hosts:
|
||||
vm-test.grote.lan:
|
||||
lxc-test.grote.lan:
|
||||
baseimage:
|
||||
hosts:
|
||||
# baseimage:
|
||||
# hosts:
|
||||
# vorlagebaseimage.grote.lan:
|
||||
|
|
|
@ -6,21 +6,17 @@
|
|||
|
||||
roles:
|
||||
- { role: robertdebock.bootstrap, tags: "bootstrap" }
|
||||
- { role: nickjj.ansible-user, tags: "ansible-user" }
|
||||
|
||||
- { role: ryandaniels.create_users, tags: "user", become: yes }
|
||||
vars:
|
||||
### reobertdebock.bootstrap
|
||||
bootstrap_user: mg
|
||||
bootstrap_wait_for_host: no
|
||||
bootstrap_timeout: 1
|
||||
bootstrap_retries: 1
|
||||
### fuer rolle nickjj.ansible-user
|
||||
user_name: "ansible-user"
|
||||
user_generate_ssh_key: true
|
||||
user_local_ssh_key_path: "~/.ssh/id_rsa.pub"
|
||||
user_enable_passwordless_sudo: True
|
||||
### ansible
|
||||
ansible_user: "mg"
|
||||
ansible_password: "hallowelt"
|
||||
ansible_become_password: "hallowelt"
|
||||
ansible_ssh_common_args: "'-o StrictHostKeyChecking=no'"
|
||||
|
||||
# Nach dem ersten durchlaufen ist keine Anmeldung mehr per Passwort & ssh möglich. Somit scheitert auch der Versuch das Playbook ein zweites mal durchlaufen zu lassen.
|
||||
|
|
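Review bot: `ansible_password: "hallowelt"` and `ansible_become_password: "hallowelt"` remain hard-coded in clear text in this playbook although the rest of the commit moves credentials behind keepass lookups, so anyone with read access to the repository history holds the bootstrap password of every host built from the base image. Replace them with the lookup pattern already used in group_vars, e.g. `ansible_password: "{{ lookup('keepass', 'linux_mg_user_password', 'password') }}"`, or drop both and run this play with `--ask-pass --ask-become-pass`. `ansible_ssh_common_args: "'-o StrictHostKeyChecking=no'"` disables host-key verification entirely; `-o StrictHostKeyChecking=accept-new` keeps trust-on-first-use for fresh hosts without silently accepting a changed key. The trailing comment is German; an English equivalent would be `# After the first run password SSH login is disabled, so a second run of this play fails by design.`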
|
@ -5,4 +5,7 @@
|
|||
- { role: mgrote.tmux,
|
||||
tags: "tmux",
|
||||
when: "not 'virt' in group_names" }
|
||||
- { role: mgrote.dotfiles, tags: "dotfiles" }
|
||||
- { role: geerlingguy.dotfiles,
|
||||
become_user: "{{ dotfiles_user }}" ,
|
||||
become: true,
|
||||
tags: "dotfiles" }
|
||||
|
|
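Review bot: `become: true` with `become_user: "{{ dotfiles_user }}"` switches to an unprivileged account (mg); if the connection user is a different unprivileged account — this commit adds an `ansible-user` and points `ansible_ssh_private_key_file` at its key — Ansible has to hand its module files from one non-root user to another, which needs setfacl on the remote or `allow_world_readable_tmpfiles` and otherwise fails with the "Failed to set permissions on the temporary files" error. Worth a test run as ansible-user before relying on this play, plus a comment on the role entry stating the expectation, e.g. `# runs as mg; connect as mg or root, or set allow_world_readable_tmpfiles`. Minor: `become_user: "{{ dotfiles_user }}" ,` has a stray space before the comma.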
24
playbooks/on-off/remove_dotfiles_dir.yml
Normal file
24
playbooks/on-off/remove_dotfiles_dir.yml
Normal file
|
@ -0,0 +1,24 @@
|
|||
---
|
||||
- hosts: all
|
||||
become: yes
|
||||
tasks:
|
||||
- name: delete /home/mg/dotfiles-repo
|
||||
become: yes
|
||||
file:
|
||||
path: /home/mg/dotfiles-repo
|
||||
state: absent
|
||||
- name: delete /home/mg/.bash_aliases
|
||||
become: yes
|
||||
file:
|
||||
path: /home/mg/.bash_aliases
|
||||
state: absent
|
||||
- name: delete /home/mg/.tmux.conf
|
||||
become: yes
|
||||
file:
|
||||
path: /home/mg/.tmux.conf
|
||||
state: absent
|
||||
- name: delete /home/mg/.gitconfig
|
||||
become: yes
|
||||
file:
|
||||
path: /home/mg/.gitconfig
|
||||
state: absent
|
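Review bot: The play already sets `become: yes` at play level, so the `become: yes` repeated on each of the four tasks is redundant, and the `/home/mg/...` path is spelled out four times where one loop over a single home variable would do. `hosts: all` also runs this one-off against every inventory host, including ones where the old dotfiles role never ran; consider `--limit` or a narrower group when invoking it. `file` with `state: absent` is a no-op on missing paths, so re-running is safe; the rewrite below keeps that behaviour and uses `true` rather than `yes`.
```yaml
- hosts: all
  become: true
  vars:
    # home of the user whose legacy dotfiles layout is being removed
    legacy_dotfiles_home: /home/mg
  tasks:
    - name: remove legacy dotfiles repo and the files it linked
      file:
        path: "{{ legacy_dotfiles_home }}/{{ item }}"
        state: absent
      loop:
        - dotfiles-repo
        - .bash_aliases
        - .tmux.conf
        - .gitconfig
```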
2
roles/geerlingguy.dotfiles/.ansible-lint
Normal file
2
roles/geerlingguy.dotfiles/.ansible-lint
Normal file
|
@ -0,0 +1,2 @@
|
|||
skip_list:
|
||||
- '106'
|
4
roles/geerlingguy.dotfiles/.github/FUNDING.yml
vendored
Normal file
4
roles/geerlingguy.dotfiles/.github/FUNDING.yml
vendored
Normal file
|
@ -0,0 +1,4 @@
|
|||
# These are supported funding model platforms
|
||||
---
|
||||
github: geerlingguy
|
||||
patreon: geerlingguy
|
56
roles/geerlingguy.dotfiles/.github/stale.yml
vendored
Normal file
56
roles/geerlingguy.dotfiles/.github/stale.yml
vendored
Normal file
|
@ -0,0 +1,56 @@
|
|||
# Configuration for probot-stale - https://github.com/probot/stale
|
||||
|
||||
# Number of days of inactivity before an Issue or Pull Request becomes stale
|
||||
daysUntilStale: 90
|
||||
|
||||
# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
|
||||
# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
|
||||
daysUntilClose: 30
|
||||
|
||||
# Only issues or pull requests with all of these labels are check if stale. Defaults to `[]` (disabled)
|
||||
onlyLabels: []
|
||||
|
||||
# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
|
||||
exemptLabels:
|
||||
- pinned
|
||||
- security
|
||||
- planned
|
||||
|
||||
# Set to true to ignore issues in a project (defaults to false)
|
||||
exemptProjects: false
|
||||
|
||||
# Set to true to ignore issues in a milestone (defaults to false)
|
||||
exemptMilestones: false
|
||||
|
||||
# Set to true to ignore issues with an assignee (defaults to false)
|
||||
exemptAssignees: false
|
||||
|
||||
# Label to use when marking as stale
|
||||
staleLabel: stale
|
||||
|
||||
# Limit the number of actions per hour, from 1-30. Default is 30
|
||||
limitPerRun: 30
|
||||
|
||||
pulls:
|
||||
markComment: |-
|
||||
This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution!
|
||||
|
||||
Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark pull requests as stale.
|
||||
|
||||
unmarkComment: >-
|
||||
This pull request is no longer marked for closure.
|
||||
|
||||
closeComment: >-
|
||||
This pull request has been closed due to inactivity. If you feel this is in error, please reopen the pull request or file a new PR with the relevant details.
|
||||
|
||||
issues:
|
||||
markComment: |-
|
||||
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
|
||||
|
||||
Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
|
||||
|
||||
unmarkComment: >-
|
||||
This issue is no longer marked for closure.
|
||||
|
||||
closeComment: >-
|
||||
This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
|
67
roles/geerlingguy.dotfiles/.github/workflows/ci.yml
vendored
Normal file
67
roles/geerlingguy.dotfiles/.github/workflows/ci.yml
vendored
Normal file
|
@ -0,0 +1,67 @@
|
|||
---
|
||||
name: CI
|
||||
'on':
|
||||
pull_request:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
schedule:
|
||||
- cron: "0 5 * * 1"
|
||||
|
||||
defaults:
|
||||
run:
|
||||
working-directory: 'geerlingguy.dotfiles'
|
||||
|
||||
jobs:
|
||||
|
||||
lint:
|
||||
name: Lint
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Check out the codebase.
|
||||
uses: actions/checkout@v2
|
||||
with:
|
||||
path: 'geerlingguy.dotfiles'
|
||||
|
||||
- name: Set up Python 3.
|
||||
uses: actions/setup-python@v2
|
||||
with:
|
||||
python-version: '3.x'
|
||||
|
||||
- name: Install test dependencies.
|
||||
run: pip3 install yamllint ansible-lint
|
||||
|
||||
- name: Lint code.
|
||||
run: |
|
||||
yamllint .
|
||||
ansible-lint
|
||||
|
||||
molecule:
|
||||
name: Molecule
|
||||
runs-on: ubuntu-latest
|
||||
strategy:
|
||||
matrix:
|
||||
distro:
|
||||
- centos7
|
||||
- ubuntu1804
|
||||
|
||||
steps:
|
||||
- name: Check out the codebase.
|
||||
uses: actions/checkout@v2
|
||||
with:
|
||||
path: 'geerlingguy.dotfiles'
|
||||
|
||||
- name: Set up Python 3.
|
||||
uses: actions/setup-python@v2
|
||||
with:
|
||||
python-version: '3.x'
|
||||
|
||||
- name: Install test dependencies.
|
||||
run: pip3 install ansible molecule[docker] docker
|
||||
|
||||
- name: Run Molecule tests.
|
||||
run: molecule test
|
||||
env:
|
||||
PY_COLORS: '1'
|
||||
ANSIBLE_FORCE_COLOR: '1'
|
||||
MOLECULE_DISTRO: ${{ matrix.distro }}
|
38
roles/geerlingguy.dotfiles/.github/workflows/release.yml
vendored
Normal file
38
roles/geerlingguy.dotfiles/.github/workflows/release.yml
vendored
Normal file
|
@ -0,0 +1,38 @@
|
|||
---
|
||||
# This workflow requires a GALAXY_API_KEY secret present in the GitHub
|
||||
# repository or organization.
|
||||
#
|
||||
# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
|
||||
# See: https://github.com/ansible/galaxy/issues/46
|
||||
|
||||
name: Release
|
||||
'on':
|
||||
push:
|
||||
tags:
|
||||
- '*'
|
||||
|
||||
defaults:
|
||||
run:
|
||||
working-directory: 'geerlingguy.dotfiles'
|
||||
|
||||
jobs:
|
||||
|
||||
release:
|
||||
name: Release
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Check out the codebase.
|
||||
uses: actions/checkout@v2
|
||||
with:
|
||||
path: 'geerlingguy.dotfiles'
|
||||
|
||||
- name: Set up Python 3.
|
||||
uses: actions/setup-python@v2
|
||||
with:
|
||||
python-version: '3.x'
|
||||
|
||||
- name: Install Ansible.
|
||||
run: pip3 install ansible-base
|
||||
|
||||
- name: Trigger a new import on Galaxy.
|
||||
run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)
|
3
roles/geerlingguy.dotfiles/.gitignore
vendored
Normal file
3
roles/geerlingguy.dotfiles/.gitignore
vendored
Normal file
|
@ -0,0 +1,3 @@
|
|||
*.retry
|
||||
*/__pycache__
|
||||
*.pyc
|
11
roles/geerlingguy.dotfiles/.yamllint
Normal file
11
roles/geerlingguy.dotfiles/.yamllint
Normal file
|
@ -0,0 +1,11 @@
|
|||
---
|
||||
extends: default
|
||||
|
||||
rules:
|
||||
line-length:
|
||||
max: 120
|
||||
level: warning
|
||||
|
||||
ignore: |
|
||||
.github/stale.yml
|
||||
.travis.yml
|
20
roles/geerlingguy.dotfiles/LICENSE
Normal file
20
roles/geerlingguy.dotfiles/LICENSE
Normal file
|
@ -0,0 +1,20 @@
|
|||
The MIT License (MIT)
|
||||
|
||||
Copyright (c) 2017 Jeff Geerling
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy of
|
||||
this software and associated documentation files (the "Software"), to deal in
|
||||
the Software without restriction, including without limitation the rights to
|
||||
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
||||
the Software, and to permit persons to whom the Software is furnished to do so,
|
||||
subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
||||
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
||||
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
||||
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
||||
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
56
roles/geerlingguy.dotfiles/README.md
Normal file
56
roles/geerlingguy.dotfiles/README.md
Normal file
|
@ -0,0 +1,56 @@
|
|||
# Ansible Role: Dotfiles
|
||||
|
||||
[![CI](https://github.com/geerlingguy/ansible-role-dotfiles/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-dotfiles/actions?query=workflow%3ACI)
|
||||
|
||||
Installs a set of dotfiles from a given Git repository. By default, it will install my (geerlingguy's) [dotfiles](https://github.com/geerlingguy/dotfiles), but you can use any set of dotfiles you'd like, as long as they follow a conventional format.
|
||||
|
||||
## Requirements
|
||||
|
||||
Requires `git` on the managed machine (you can easily install it with `geerlingguy.git` if required).
|
||||
|
||||
## Role Variables
|
||||
|
||||
Available variables are listed below, along with default values (see `defaults/main.yml`):
|
||||
|
||||
dotfiles_repo: "https://github.com/geerlingguy/dotfiles.git"
|
||||
dotfiles_repo_version: master
|
||||
|
||||
The git repository and branch/tag/commit hash to use for retrieving dotfiles. Dotfiles should generally be laid out within the root directory of the repository.
|
||||
|
||||
dotfiles_repo_accept_hostkey: false
|
||||
|
||||
Add the hostkey for the repo url if not already added. If ssh_opts contains "-o StrictHostKeyChecking=no", this parameter is ignored.
|
||||
|
||||
dotfiles_repo_local_destination: "~/Documents/dotfiles"
|
||||
|
||||
The local path where the `dotfiles_repo` will be cloned.
|
||||
|
||||
dotfiles_home: "~"
|
||||
|
||||
The home directory where dotfiles will be linked. Generally, the default should work, but in some circumstances, or when running the role as sudo on behalf of another user, you may want to specify the full path.
|
||||
|
||||
dotfiles_files:
|
||||
- .zshrc
|
||||
- .gitignore
|
||||
- .inputrc
|
||||
- .vimrc
|
||||
|
||||
Which files from the dotfiles repository should be linked to the `dotfiles_home`.
|
||||
|
||||
## Dependencies
|
||||
|
||||
None
|
||||
|
||||
## Example Playbook
|
||||
|
||||
- hosts: localhost
|
||||
roles:
|
||||
- { role: geerlingguy.dotfiles }
|
||||
|
||||
## License
|
||||
|
||||
MIT / BSD
|
||||
|
||||
## Author Information
|
||||
|
||||
This role was created in 2015 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).
|
12
roles/geerlingguy.dotfiles/defaults/main.yml
Normal file
12
roles/geerlingguy.dotfiles/defaults/main.yml
Normal file
|
@ -0,0 +1,12 @@
|
|||
---
|
||||
dotfiles_repo: "https://github.com/geerlingguy/dotfiles.git"
|
||||
dotfiles_repo_version: master
|
||||
dotfiles_repo_accept_hostkey: false
|
||||
dotfiles_repo_local_destination: "~/Documents/dotfiles"
|
||||
|
||||
dotfiles_home: "~"
|
||||
dotfiles_files:
|
||||
- .zshrc
|
||||
- .gitignore
|
||||
- .inputrc
|
||||
- .vimrc
|
28
roles/geerlingguy.dotfiles/meta/main.yml
Normal file
28
roles/geerlingguy.dotfiles/meta/main.yml
Normal file
|
@ -0,0 +1,28 @@
|
|||
---
|
||||
dependencies: []
|
||||
|
||||
galaxy_info:
|
||||
role_name: dotfiles
|
||||
author: geerlingguy
|
||||
description: Dotfile installation for UNIX/Linux.
|
||||
company: "Midwestern Mac, LLC"
|
||||
license: "license (BSD, MIT)"
|
||||
min_ansible_version: 2.2
|
||||
platforms:
|
||||
- name: GenericUNIX
|
||||
versions:
|
||||
- all
|
||||
- any
|
||||
- name: GenericBSD
|
||||
versions:
|
||||
- all
|
||||
- any
|
||||
- name: GenericLinux
|
||||
versions:
|
||||
- all
|
||||
- any
|
||||
galaxy_tags:
|
||||
- development
|
||||
- system
|
||||
- dotfiles
|
||||
- configuration
|
13
roles/geerlingguy.dotfiles/molecule/default/converge.yml
Normal file
13
roles/geerlingguy.dotfiles/molecule/default/converge.yml
Normal file
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
- name: Converge
|
||||
hosts: all
|
||||
become: true
|
||||
|
||||
pre_tasks:
|
||||
- name: Update apt cache.
|
||||
apt: update_cache=yes cache_valid_time=600
|
||||
when: ansible_os_family == 'Debian'
|
||||
|
||||
roles:
|
||||
- role: geerlingguy.git
|
||||
- role: geerlingguy.dotfiles
|
17
roles/geerlingguy.dotfiles/molecule/default/molecule.yml
Normal file
17
roles/geerlingguy.dotfiles/molecule/default/molecule.yml
Normal file
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
dependency:
|
||||
name: galaxy
|
||||
driver:
|
||||
name: docker
|
||||
platforms:
|
||||
- name: instance
|
||||
image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
|
||||
command: ${MOLECULE_DOCKER_COMMAND:-""}
|
||||
volumes:
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup:ro
|
||||
privileged: true
|
||||
pre_build_image: true
|
||||
provisioner:
|
||||
name: ansible
|
||||
playbooks:
|
||||
converge: ${MOLECULE_PLAYBOOK:-converge.yml}
|
|
@ -0,0 +1,2 @@
|
|||
---
|
||||
- src: geerlingguy.git
|
30
roles/geerlingguy.dotfiles/tasks/main.yml
Normal file
30
roles/geerlingguy.dotfiles/tasks/main.yml
Normal file
|
@ -0,0 +1,30 @@
|
|||
---
|
||||
- name: Ensure dotfiles repository is cloned locally.
|
||||
git:
|
||||
repo: "{{ dotfiles_repo }}"
|
||||
dest: "{{ dotfiles_repo_local_destination }}"
|
||||
version: "{{ dotfiles_repo_version }}"
|
||||
depth: 1
|
||||
|
||||
- name: Ensure all configured dotfiles are links.
|
||||
command: "ls -F {{ dotfiles_home }}/{{ item }}"
|
||||
register: existing_dotfile_info
|
||||
failed_when: false
|
||||
check_mode: false
|
||||
changed_when: false
|
||||
with_items: "{{ dotfiles_files }}"
|
||||
|
||||
- name: Remove existing dotfiles file if a replacement is being linked.
|
||||
file:
|
||||
path: "{{ dotfiles_home }}/{{ dotfiles_files[item.0] }}"
|
||||
state: absent
|
||||
when: "'@' not in item.1.stdout"
|
||||
with_indexed_items: "{{ existing_dotfile_info.results }}"
|
||||
|
||||
- name: Link dotfiles into home folder.
|
||||
file:
|
||||
src: "{{ dotfiles_repo_local_destination }}/{{ item }}"
|
||||
dest: "{{ dotfiles_home }}/{{ item }}"
|
||||
state: link
|
||||
mode: 0644
|
||||
with_items: "{{ dotfiles_files }}"
|
|
@ -6,5 +6,5 @@
|
|||
regexp: '#PasswordAuthentication yes'
|
||||
line: 'PasswordAuthentication no'
|
||||
state: present
|
||||
backrefs: yes
|
||||
# backrefs: yes
|
||||
notify: restart_sshd
|
||||
|
|
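Review bot: The `regexp` only matches the commented default `#PasswordAuthentication yes`, so an already-active `PasswordAuthentication yes` (for example one written by cloud-init or a distro drop-in) is left untouched and `PasswordAuthentication no` is appended at the end of the file; sshd uses the first value it reads, so the appended line loses and password login stays open. Use `regexp: '^#?PasswordAuthentication '` so both the commented and the active form are rewritten, and add `validate: '/usr/sbin/sshd -t -f %s'` so a broken edit never reaches the `restart_sshd` handler. If the target release ships `Include /etc/ssh/sshd_config.d/*.conf` near the top of sshd_config, a drop-in there still wins over anything in the main file and needs the same treatment. The task's module name and `path` are outside the hunk.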
|
@ -1,15 +0,0 @@
|
|||
## mgrote.deploy_ssh_keys
|
||||
|
||||
### Beschreibung
|
||||
Deployed einen ssh key in die authorized_keys.
|
||||
Erlaubt dem Nutzer passwortloses "sudo"
|
||||
|
||||
### Funktioniert auf
|
||||
- [x] Ubuntu (>=18.04)
|
||||
- [ ] ProxMox 6.1
|
||||
|
||||
### Variablen + Defaults
|
||||
##### Nutzer
|
||||
ssh_user: mg
|
||||
##### Key
|
||||
ssh_pubkey: ssh-rsa AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAuBZc+/pULaZefCgjKGL1zXIFFlw== mg@irantu
|
|
@ -1,3 +0,0 @@
|
|||
---
|
||||
ssh_user: mg
|
||||
ssh_pubkey: ssh-rsa AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAuBZc+/pULaZefCgjKGL1zXIFFlw== mg@irantu
|
|
@ -1,22 +0,0 @@
|
|||
---
|
||||
- name: create .ssh directory
|
||||
become: yes
|
||||
file:
|
||||
path: "/home/{{ ssh_user }}/.ssh"
|
||||
state: directory
|
||||
|
||||
- name: touch file
|
||||
become: yes
|
||||
file:
|
||||
path: "/home/{{ ssh_user }}/.ssh/authorized_keys"
|
||||
state: touch
|
||||
modification_time: preserve
|
||||
access_time: preserve
|
||||
|
||||
- name: put pubkey
|
||||
become: yes
|
||||
lineinfile:
|
||||
path: "/home/{{ ssh_user }}/.ssh/authorized_keys"
|
||||
line: "{{ ssh_pubkey }}"
|
||||
state: present
|
||||
backup: yes
|
|
@ -1,22 +0,0 @@
|
|||
## mgrote.dotfiles
|
||||
|
||||
### Beschreibung
|
||||
Klont ein git-repo, und symlinked die darin enthaltenen Dateien in ein Verzeichnis.
|
||||
|
||||
### Funktioniert auf
|
||||
- [ ] Ubuntu (>=18.04)
|
||||
- [ ] ProxMox 6.1
|
||||
|
||||
### Variablen + Defaults
|
||||
##### Remote Repository
|
||||
dotfiles_remote_repo: "https://github.com/quotengrote/dotfiles"
|
||||
##### User
|
||||
dotfiles_user: "mg"
|
||||
##### Where to Link
|
||||
dotfiles_link_target: "/home/mg"
|
||||
##### Local Repo
|
||||
dotfiles_local_repo_directory: "/home/mg/dotfiles-repo"
|
||||
##### Which files should be linked
|
||||
dotfiles_files_to_copy:
|
||||
- .tmux.conf
|
||||
- .bash_aliases
|
|
@ -1,8 +0,0 @@
|
|||
---
|
||||
dotfiles_local_repo_directory: "/home/mg/dotfiles-repo"
|
||||
dotfiles_user: "mg"
|
||||
dotfiles_link_target: "/home/mg"
|
||||
dotfiles_remote_repo: "https://github.com/quotengrote/dotfiles"
|
||||
dotfiles_files_to_copy:
|
||||
- .tmux.conf
|
||||
- .bash_aliases
|
|
@ -1,34 +0,0 @@
|
|||
- name: create repo-directory
|
||||
become: true
|
||||
file:
|
||||
path: "{{ dotfiles_local_repo_directory }}"
|
||||
state: directory
|
||||
owner: "{{ dotfiles_user }}"
|
||||
group: "{{ dotfiles_user }}"
|
||||
recurse: yes
|
||||
mode: 0644
|
||||
|
||||
# noqa [401]
|
||||
- name: clone repository
|
||||
become: true
|
||||
git:
|
||||
repo: "{{ dotfiles_remote_repo }}"
|
||||
dest: "{{ dotfiles_local_repo_directory }}"
|
||||
clone: yes
|
||||
force: yes
|
||||
depth: 1
|
||||
version: HEAD
|
||||
tags:
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: create symlinks for files from repo
|
||||
become: true
|
||||
file:
|
||||
src: "{{ dotfiles_local_repo_directory }}/{{ item }}"
|
||||
dest: "{{ dotfiles_link_target }}/{{ item }}"
|
||||
owner: "{{ dotfiles_user }}"
|
||||
group: "{{ dotfiles_user }}"
|
||||
mode: 0644
|
||||
state: link
|
||||
force: yes
|
||||
with_items: "{{ dotfiles_files_to_copy }}"
|
8
roles/nickjj.ansible-user/.gitignore
vendored
8
roles/nickjj.ansible-user/.gitignore
vendored
|
@ -1,8 +0,0 @@
|
|||
.DS_Store
|
||||
*/**.DS_Store
|
||||
._*
|
||||
.*.sw*
|
||||
*~
|
||||
.idea/
|
||||
.vscode/
|
||||
*.retry
|
|
@ -1,17 +0,0 @@
|
|||
---
|
||||
|
||||
services: "docker"
|
||||
|
||||
env:
|
||||
- distro: "ubuntu1604"
|
||||
- distro: "ubuntu1804"
|
||||
- distro: "debian8"
|
||||
- distro: "debian9"
|
||||
|
||||
script:
|
||||
# Download test shim.
|
||||
- wget -O ${PWD}/tests/test.sh https://gist.githubusercontent.com/nickjj/d12353b5b601e33cd62fda111359957a/raw
|
||||
- chmod +x ${PWD}/tests/test.sh
|
||||
|
||||
# Run tests.
|
||||
- ${PWD}/tests/test.sh
|
|
@ -1,50 +0,0 @@
|
|||
# Changelog
|
||||
|
||||
### v0.4.0
|
||||
|
||||
*Released: January 25th 2018*
|
||||
|
||||
- Rename `user_authorized_keys_path` to `user_local_ssh_key_path`
|
||||
- Add proper tests and support for Ubuntu 16, Debian Stretch and Debian Jessie
|
||||
- Update format and style consistencies
|
||||
|
||||
### v0.3.3
|
||||
|
||||
*Released: October 27th 2016*
|
||||
|
||||
- Add ability to generate an SSH key pair (disabled by default)
|
||||
|
||||
### v0.3.1
|
||||
|
||||
*Released: October 9th 2016*
|
||||
|
||||
- Append groups to users
|
||||
- Test against Ubuntu 16.04 LTS and Debian Jessie on Travis-CI
|
||||
|
||||
### v0.3.0
|
||||
|
||||
*Released: October 7th 2016*
|
||||
|
||||
- Add ability to create/assign groups
|
||||
- Add ability to set a different shell
|
||||
- Add ability to toggle copying an SSH key
|
||||
- Add ability to toggle passwordless sudo
|
||||
- Use the updated YAML syntax for tasks
|
||||
|
||||
### v0.2.1
|
||||
|
||||
*Released: October 6th 2016*
|
||||
|
||||
- Fix Travis-CI tests
|
||||
|
||||
### v0.2.0
|
||||
|
||||
*Released: October 6th 2016*
|
||||
|
||||
- Update role for Ansible 2.1
|
||||
|
||||
### v0.1.0
|
||||
|
||||
*Released: May 4th 2014*
|
||||
|
||||
- Initial release
|
|
@ -1,22 +0,0 @@
|
|||
The MIT License (MIT)
|
||||
|
||||
Copyright (c) 2014 Nick Janetakis nick.janetakis@gmail.com
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining
|
||||
a copy of this software and associated documentation files (the
|
||||
'Software'), to deal in the Software without restriction, including
|
||||
without limitation the rights to use, copy, modify, merge, publish,
|
||||
distribute, sublicense, and/or sell copies of the Software, and to
|
||||
permit persons to whom the Software is furnished to do so, subject to
|
||||
the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be
|
||||
included in all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
|
||||
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
|
||||
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
|
||||
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
|
||||
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
|
||||
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
@ -1,97 +0,0 @@
|
|||
## What is ansible-user? [![Build Status](https://secure.travis-ci.org/nickjj/ansible-user.png)](http://travis-ci.org/nickjj/ansible-user)
|
||||
|
||||
It is an [Ansible](http://www.ansible.com/home) role to:
|
||||
|
||||
- Create user groups
|
||||
- Create a single user, add it to any groups you created and configure its shell
|
||||
- Set your public SSH key as an authorized key so you can login without a password
|
||||
- Enable passwordless sudo
|
||||
|
||||
## Why would you want to use this role?
|
||||
|
||||
When you spin up a new server, you'll often want to set up a non-root user that
|
||||
you can login as and run your applications under. That's because running your
|
||||
applications as root is a questionable idea from a security point of view.
|
||||
|
||||
This role sets you up to do that, but it also includes a few other user related
|
||||
tasks, such as what's listed in the above bullets. Having all of these things
|
||||
together in 1 role means less work for you to do!
|
||||
|
||||
## Supported platforms
|
||||
|
||||
- Ubuntu 16.04 LTS (Xenial)
|
||||
- Ubuntu 18.04 LTS (Bionic)
|
||||
- Debian 8 (Jessie)
|
||||
- Debian 9 (Stretch)
|
||||
|
||||
## Role variables
|
||||
|
||||
```
|
||||
# Optionally create additional user groupss. If empty, the user you create will
|
||||
# automatically be a part of their user's group, ie. deploy:deploy.
|
||||
user_groups: []
|
||||
|
||||
# The user you want to create.
|
||||
user_name: "deploy"
|
||||
|
||||
# Which shell should you default to? Typically "bash" or "sh".
|
||||
user_shell: "/bin/bash"
|
||||
|
||||
# Do you want to create an SSH keypair for this user? You probably don't for a
|
||||
# regular user that you plan to login as which is why it's disabled by default.
|
||||
user_generate_ssh_key: False
|
||||
|
||||
# When set, this will copy your local SSH public key from this path to your
|
||||
# user's authorized keys on your server.
|
||||
#
|
||||
# If you don't want this behavior then use an empty string as the value but keep
|
||||
# in mind this role does not set a default password for the user you create, so
|
||||
# you will be locked out if you don't supply your public SSH key.
|
||||
user_local_ssh_key_path: "~/.ssh/id_rsa.pub"
|
||||
|
||||
# Do you want to enable running root commands without needing a password?
|
||||
user_enable_passwordless_sudo: True
|
||||
```
|
||||
|
||||
## Example usage
|
||||
|
||||
For the sake of this example let's assume you have a group called **app** and
|
||||
you have a typical `site.yml` playbook.
|
||||
|
||||
To use this role edit your `site.yml` file to look something like this:
|
||||
|
||||
```
|
||||
---
|
||||
|
||||
- name: "Configure app server(s)"
|
||||
hosts: "app"
|
||||
become: True
|
||||
|
||||
roles:
|
||||
- { role: "nickjj.user", tags: "user" }
|
||||
```
|
||||
|
||||
Let's say you want to edit the user name, you can do this by opening or
|
||||
creating `group_vars/app.yml` which is located relative to your `inventory`
|
||||
directory and then make it look something like this:
|
||||
|
||||
```
|
||||
---
|
||||
|
||||
user_name: "thor"
|
||||
```
|
||||
|
||||
Now you would run `ansible-playbook -i inventory/hosts site.yml -t user`.
|
||||
|
||||
## Installation
|
||||
|
||||
`$ ansible-galaxy install nickjj.user`
|
||||
|
||||
### Ansible Galaxy
|
||||
|
||||
You can find it on the official
|
||||
[Ansible Galaxy](https://galaxy.ansible.com/nickjj/user) if you want to rate it.
|
||||
|
||||
## License
|
||||
|
||||
MIT
|
|
@ -1,10 +0,0 @@
|
|||
---
|
||||
|
||||
user_groups: []
|
||||
user_name: "deploy"
|
||||
user_shell: "/bin/bash"
|
||||
user_generate_ssh_key: False
|
||||
|
||||
user_local_ssh_key_path: "~/.ssh/id_rsa.pub"
|
||||
|
||||
user_enable_passwordless_sudo: True
|
|
@ -1,25 +0,0 @@
|
|||
---
|
||||
|
||||
galaxy_info:
|
||||
author: "Nick Janetakis"
|
||||
description: "Create and configure a user for SSH key based logins and passwordless sudo."
|
||||
company:
|
||||
license: "MIT"
|
||||
min_ansible_version: "2.5"
|
||||
|
||||
platforms:
|
||||
- name: "Ubuntu"
|
||||
versions:
|
||||
- "xenial"
|
||||
- "bionic"
|
||||
- name: "Debian"
|
||||
versions:
|
||||
- "jessie"
|
||||
- "stretch"
|
||||
|
||||
galaxy_tags:
|
||||
- "groups"
|
||||
- "system"
|
||||
- "users"
|
||||
|
||||
dependencies: []
|
|
@ -1,47 +0,0 @@
|
|||
---
|
||||
|
||||
- name: "Create user group(s)"
|
||||
group:
|
||||
name: "{{ item }}"
|
||||
loop: "{{ user_groups }}"
|
||||
when: user_groups
|
||||
|
||||
- name: "Create user"
|
||||
user:
|
||||
name: "{{ user_name }}"
|
||||
groups: "{{ (user_groups | join(',')) }}"
|
||||
generate_ssh_key: "{{ user_generate_ssh_key }}"
|
||||
shell: "{{ user_shell }}"
|
||||
|
||||
- name: "Set authorized_key to allow SSH key based logins"
|
||||
authorized_key:
|
||||
user: "{{ user_name }}"
|
||||
key: "{{ lookup('file', user_local_ssh_key_path) }}"
|
||||
when: user_local_ssh_key_path | default(False)
|
||||
|
||||
- name: "Enable including files from sudoers.d/"
|
||||
lineinfile:
|
||||
path: "/etc/sudoers"
|
||||
regexp: "^#includedir /etc/sudoers.d"
|
||||
line: "#includedir /etc/sudoers.d"
|
||||
state: "present"
|
||||
backup: True
|
||||
when: user_enable_passwordless_sudo
|
||||
|
||||
- name: Disable sudoers.d
|
||||
lineinfile:
|
||||
path: "/etc/sudoers"
|
||||
regexp: "^#includedir /etc/sudoers.d"
|
||||
line: "#includedir /etc/sudoers.d"
|
||||
state: "absent"
|
||||
backup: True
|
||||
when: user_enable_passwordless_sudo == False
|
||||
|
||||
- name: "Enable passwordless sudo"
|
||||
copy:
|
||||
content: "%{{ user_name }} ALL=(ALL) NOPASSWD:ALL"
|
||||
dest: "/etc/sudoers.d/{{ user_name }}"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
mode: "0440"
|
||||
when: user_enable_passwordless_sudo
|
|
@ -1,49 +0,0 @@
|
|||
---
|
||||
|
||||
- hosts: "all"
|
||||
become: True
|
||||
|
||||
vars:
|
||||
user_local_ssh_key_path: "/root/.ssh/id_rsa.pub"
|
||||
user_groups: ["foo", "bar"]
|
||||
|
||||
roles:
|
||||
- "role_under_test"
|
||||
|
||||
pre_tasks:
|
||||
- name: "Create fake SSH directory"
|
||||
file:
|
||||
path: "/root/.ssh"
|
||||
state: "directory"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
mode: "0755"
|
||||
|
||||
- name: "Generate fake SSH key"
|
||||
lineinfile:
|
||||
path: "/root/.ssh/id_rsa.pub"
|
||||
line: "ssh-rsa foo hello@world"
|
||||
state: "present"
|
||||
create: True
|
||||
|
||||
post_tasks:
|
||||
- name: "Ensure user belongs to the correct groups"
|
||||
command: groups {{ user_name }}
|
||||
register: result
|
||||
changed_when: result.stdout.split(":")[1] | trim != ([user_name] + user_groups) | join(" ")
|
||||
|
||||
- name: "Ensure authorized_key is set"
|
||||
command: cat /root/.ssh/id_rsa.pub
|
||||
register: result
|
||||
changed_when: result.stdout != "ssh-rsa foo hello@world"
|
||||
|
||||
- name: "Ensure /etc/sudoers.d/deploy contains 'NOPASSWD:ALL'"
|
||||
command: grep NOPASSWD:ALL /etc/sudoers.d/deploy
|
||||
register: result
|
||||
changed_when: result.rc != 0
|
||||
|
||||
- name: "Ensure passwordless sudo works"
|
||||
become_user: "{{ user_name }}"
|
||||
command: sudo whoami
|
||||
register: result
|
||||
changed_when: result.stdout != "root"
|