diff --git a/inventories/group_vars/all.yml b/inventories/group_vars/all.yml index 378df21c..d2548122 100644 --- a/inventories/group_vars/all.yml +++ b/inventories/group_vars/all.yml @@ -44,19 +44,8 @@ - staging - test - virt - - username: ansible-user - password: "{{ lookup('keepass', 'linux_mg_user_password', 'password') }}" - update_password: on_create - ssh_key: "{{ lookup('keepass', 'ssh_pubkey_ansible-user', 'password') }}" - use_sudo: yes - use_sudo_nopass: yes - user_state: present - groups: ssh, ansible, sudo - servers: - - production - - staging - - test - - virt + - ceph + - k8s ### geerlingguy.dotfiles dotfiles_repo: "https://github.com/quotengrote/dotfiles.git" dotfiles_repo_local_destination: "/home/mg/dotfiles-repo" diff --git a/inventories/group_vars/ceph.yml b/inventories/group_vars/ceph.yml new file mode 100644 index 00000000..046244b3 --- /dev/null +++ b/inventories/group_vars/ceph.yml @@ -0,0 +1,7 @@ +--- + ### oefenweb.ufw + ufw_rules: + - rule: allow + interface: ens18 + - rule: allow + interface: ens19 diff --git a/inventories/inventory b/inventories/inventory index bbd65085..b39c4778 100644 --- a/inventories/inventory +++ b/inventories/inventory @@ -58,6 +58,10 @@ all: ceph-1.grote.lan: ceph-2.grote.lan: ceph-3.grote.lan: + ceph-4.grote.lan: + ceph-5.grote.lan: + ceph-6.grote.lan: + ceph-7.grote.lan: k8s: hosts: k8s-1.grote.lan: diff --git a/playbooks/base/1_bootstrap.yml b/playbooks/base/1_bootstrap.yml index 35856c2c..1f6a641e 100644 --- a/playbooks/base/1_bootstrap.yml +++ b/playbooks/base/1_bootstrap.yml @@ -7,7 +7,13 @@ roles: - { role: robertdebock.bootstrap, tags: "bootstrap" } - { role: ryandaniels.create_users, tags: "user", become: yes } + - { role: nickjj.ansible-user, tag: "ansible", become: yes } + vars: + ### nickjj.ansible-users + user_name: "ansible-user" + user_local_ssh_key_path: "/home/mg/ansible/id_rsa_ansible_user_pub" + user_enable_passwordless_sudo: True ### reobertdebock.bootstrap bootstrap_user: mg bootstrap_wait_for_host: no diff --git a/roles/nickjj.ansible-user/.gitignore b/roles/nickjj.ansible-user/.gitignore new file mode 100644 index 00000000..59053d40 --- /dev/null +++ b/roles/nickjj.ansible-user/.gitignore @@ -0,0 +1,8 @@ +.DS_Store +*/**.DS_Store +._* +.*.sw* +*~ +.idea/ +.vscode/ +*.retry diff --git a/roles/nickjj.ansible-user/.travis.yml b/roles/nickjj.ansible-user/.travis.yml new file mode 100644 index 00000000..ebeda4b0 --- /dev/null +++ b/roles/nickjj.ansible-user/.travis.yml @@ -0,0 +1,17 @@ +--- + +services: "docker" + +env: + - distro: "ubuntu1604" + - distro: "ubuntu1804" + - distro: "debian8" + - distro: "debian9" + +script: + # Download test shim. + - wget -O ${PWD}/tests/test.sh https://gist.githubusercontent.com/nickjj/d12353b5b601e33cd62fda111359957a/raw + - chmod +x ${PWD}/tests/test.sh + + # Run tests. + - ${PWD}/tests/test.sh diff --git a/roles/nickjj.ansible-user/CHANGES.md b/roles/nickjj.ansible-user/CHANGES.md new file mode 100644 index 00000000..ce0edcf8 --- /dev/null +++ b/roles/nickjj.ansible-user/CHANGES.md @@ -0,0 +1,50 @@ +# Changelog + +### v0.4.0 + +*Released: January 25th 2018* + +- Rename `user_authorized_keys_path` to `user_local_ssh_key_path` +- Add proper tests and support for Ubuntu 16, Debian Stretch and Debian Jessie +- Update format and style consistencies + +### v0.3.3 + +*Released: October 27th 2016* + +- Add ability to generate an SSH key pair (disabled by default) + +### v0.3.1 + +*Released: October 9th 2016* + +- Append groups to users +- Test against Ubuntu 16.04 LTS and Debian Jessie on Travis-CI + +### v0.3.0 + +*Released: October 7th 2016* + +- Add ability to create/assign groups +- Add ability to set a different shell +- Add ability to toggle copying an SSH key +- Add ability to toggle passwordless sudo +- Use the updated YAML syntax for tasks + +### v0.2.1 + +*Released: October 6th 2016* + +- Fix Travis-CI tests + +### v0.2.0 + +*Released: October 6th 2016* + +- Update role for Ansible 2.1 + +### v0.1.0 + +*Released: May 4th 2014* + +- Initial release diff --git a/roles/nickjj.ansible-user/LICENSE b/roles/nickjj.ansible-user/LICENSE new file mode 100644 index 00000000..38c335bc --- /dev/null +++ b/roles/nickjj.ansible-user/LICENSE @@ -0,0 +1,22 @@ +The MIT License (MIT) + +Copyright (c) 2014 Nick Janetakis nick.janetakis@gmail.com + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +'Software'), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, +TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/roles/nickjj.ansible-user/README.md b/roles/nickjj.ansible-user/README.md new file mode 100644 index 00000000..c97d6ee4 --- /dev/null +++ b/roles/nickjj.ansible-user/README.md @@ -0,0 +1,97 @@ +## What is ansible-user? [![Build Status](https://secure.travis-ci.org/nickjj/ansible-user.png)](http://travis-ci.org/nickjj/ansible-user) + +It is an [Ansible](http://www.ansible.com/home) role to: + +- Create user groups +- Create a single user, add it to any groups you created and configure its shell +- Set your public SSH key as an authorized key so you can login without a password +- Enable passwordless sudo + +## Why would you want to use this role? + +When you spin up a new server, you'll often want to set up a non-root user that +you can login as and run your applications under. That's because running your +applications as root is a questionable idea from a security point of view. + +This role sets you up to do that, but it also includes a few other user related +tasks, such as what's listed in the above bullets. Having all of these things +together in 1 role means less work for you to do! + +## Supported platforms + +- Ubuntu 16.04 LTS (Xenial) +- Ubuntu 18.04 LTS (Bionic) +- Debian 8 (Jessie) +- Debian 9 (Stretch) + +## Role variables + +``` +# Optionally create additional user groupss. If empty, the user you create will +# automatically be a part of their user's group, ie. deploy:deploy. +user_groups: [] + +# The user you want to create. +user_name: "deploy" + +# Which shell should you default to? Typically "bash" or "sh". +user_shell: "/bin/bash" + +# Do you want to create an SSH keypair for this user? You probably don't for a +# regular user that you plan to login as which is why it's disabled by default. +user_generate_ssh_key: False + +# When set, this will copy your local SSH public key from this path to your +# user's authorized keys on your server. +# +# If you don't want this behavior then use an empty string as the value but keep +# in mind this role does not set a default password for the user you create, so +# you will be locked out if you don't supply your public SSH key. +user_local_ssh_key_path: "~/.ssh/id_rsa.pub" + +# Do you want to enable running root commands without needing a password? +user_enable_passwordless_sudo: True +``` + +## Example usage + +For the sake of this example let's assume you have a group called **app** and +you have a typical `site.yml` playbook. + +To use this role edit your `site.yml` file to look something like this: + +``` +--- + +- name: "Configure app server(s)" + hosts: "app" + become: True + + roles: + - { role: "nickjj.user", tags: "user" } +``` + +Let's say you want to edit the user name, you can do this by opening or +creating `group_vars/app.yml` which is located relative to your `inventory` +directory and then make it look something like this: + +``` +--- + +user_name: "thor" +``` + +Now you would run `ansible-playbook -i inventory/hosts site.yml -t user`. + +## Installation + +`$ ansible-galaxy install nickjj.user` + +### Ansible Galaxy + +You can find it on the official +[Ansible Galaxy](https://galaxy.ansible.com/nickjj/user) if you want to rate it. + +## License + +MIT diff --git a/roles/nickjj.ansible-user/defaults/main.yml b/roles/nickjj.ansible-user/defaults/main.yml new file mode 100644 index 00000000..88db4e06 --- /dev/null +++ b/roles/nickjj.ansible-user/defaults/main.yml @@ -0,0 +1,10 @@ +--- + +user_groups: [] +user_name: "deploy" +user_shell: "/bin/bash" +user_generate_ssh_key: False + +user_local_ssh_key_path: "~/.ssh/id_rsa.pub" + +user_enable_passwordless_sudo: True diff --git a/roles/nickjj.ansible-user/meta/main.yml b/roles/nickjj.ansible-user/meta/main.yml new file mode 100644 index 00000000..650d91de --- /dev/null +++ b/roles/nickjj.ansible-user/meta/main.yml @@ -0,0 +1,25 @@ +--- + +galaxy_info: + author: "Nick Janetakis" + description: "Create and configure a user for SSH key based logins and passwordless sudo." + company: + license: "MIT" + min_ansible_version: "2.5" + + platforms: + - name: "Ubuntu" + versions: + - "xenial" + - "bionic" + - name: "Debian" + versions: + - "jessie" + - "stretch" + + galaxy_tags: + - "groups" + - "system" + - "users" + +dependencies: [] diff --git a/roles/nickjj.ansible-user/tasks/main.yml b/roles/nickjj.ansible-user/tasks/main.yml new file mode 100644 index 00000000..7e482518 --- /dev/null +++ b/roles/nickjj.ansible-user/tasks/main.yml @@ -0,0 +1,47 @@ +--- + +- name: "Create user group(s)" + group: + name: "{{ item }}" + loop: "{{ user_groups }}" + when: user_groups + +- name: "Create user" + user: + name: "{{ user_name }}" + groups: "{{ (user_groups | join(',')) }}" + generate_ssh_key: "{{ user_generate_ssh_key }}" + shell: "{{ user_shell }}" + +- name: "Set authorized_key to allow SSH key based logins" + authorized_key: + user: "{{ user_name }}" + key: "{{ lookup('file', user_local_ssh_key_path) }}" + when: user_local_ssh_key_path | default(False) + +- name: "Enable including files from sudoers.d/" + lineinfile: + path: "/etc/sudoers" + regexp: "^#includedir /etc/sudoers.d" + line: "#includedir /etc/sudoers.d" + state: "present" + backup: True + when: user_enable_passwordless_sudo + +- name: Disable sudoers.d + lineinfile: + path: "/etc/sudoers" + regexp: "^#includedir /etc/sudoers.d" + line: "#includedir /etc/sudoers.d" + state: "absent" + backup: True + when: user_enable_passwordless_sudo == False + +- name: "Enable passwordless sudo" + copy: + content: "%{{ user_name }} ALL=(ALL) NOPASSWD:ALL" + dest: "/etc/sudoers.d/{{ user_name }}" + owner: "root" + group: "root" + mode: "0440" + when: user_enable_passwordless_sudo diff --git a/roles/nickjj.ansible-user/tests/test.yml b/roles/nickjj.ansible-user/tests/test.yml new file mode 100644 index 00000000..4a974db7 --- /dev/null +++ b/roles/nickjj.ansible-user/tests/test.yml @@ -0,0 +1,49 @@ +--- + +- hosts: "all" + become: True + + vars: + user_local_ssh_key_path: "/root/.ssh/id_rsa.pub" + user_groups: ["foo", "bar"] + + roles: + - "role_under_test" + + pre_tasks: + - name: "Create fake SSH directory" + file: + path: "/root/.ssh" + state: "directory" + owner: "root" + group: "root" + mode: "0755" + + - name: "Generate fake SSH key" + lineinfile: + path: "/root/.ssh/id_rsa.pub" + line: "ssh-rsa foo hello@world" + state: "present" + create: True + + post_tasks: + - name: "Ensure user belongs to the correct groups" + command: groups {{ user_name }} + register: result + changed_when: result.stdout.split(":")[1] | trim != ([user_name] + user_groups) | join(" ") + + - name: "Ensure authorized_key is set" + command: cat /root/.ssh/id_rsa.pub + register: result + changed_when: result.stdout != "ssh-rsa foo hello@world" + + - name: "Ensure /etc/sudoers.d/deploy contains 'NOPASSWD:ALL'" + command: grep NOPASSWD:ALL /etc/sudoers.d/deploy + register: result + changed_when: result.rc != 0 + + - name: "Ensure passwordless sudo works" + become_user: "{{ user_name }}" + command: sudo whoami + register: result + changed_when: result.stdout != "root"