Bootstrap & SSH-Keys Neuanfang (#69)

* wip

* ufw: wireguard: Regeln verschärft(UDP)

* wip

* weitere ceph-nodes ergänzt

inventories/group_vars/all.yml

@@ -44,19 +44,8 @@
       - staging
       - test
       - virt
-  - username: ansible-user
+      - ceph
-    password: "{{ lookup('keepass', 'linux_mg_user_password', 'password') }}"
+      - k8s
-    update_password: on_create
-    ssh_key: "{{ lookup('keepass', 'ssh_pubkey_ansible-user', 'password') }}"
-    use_sudo: yes
-    use_sudo_nopass: yes
-    user_state: present
-    groups: ssh, ansible, sudo
-    servers:
-      - production
-      - staging
-      - test
-      - virt
   ### geerlingguy.dotfiles
   dotfiles_repo: "https://github.com/quotengrote/dotfiles.git"
   dotfiles_repo_local_destination: "/home/mg/dotfiles-repo"

inventories/group_vars/ceph.yml

@@ -0,0 +1,7 @@
+---
+  ### oefenweb.ufw
+  ufw_rules:
+    - rule: allow
+      interface: ens18
+    - rule: allow
+      interface: ens19

inventories/inventory

@@ -58,6 +58,10 @@ all:
         ceph-1.grote.lan:
         ceph-2.grote.lan:
         ceph-3.grote.lan:
+        ceph-4.grote.lan:
+        ceph-5.grote.lan:
+        ceph-6.grote.lan:
+        ceph-7.grote.lan:
     k8s:
       hosts:
         k8s-1.grote.lan:

playbooks/base/1_bootstrap.yml

@@ -7,7 +7,13 @@
     roles:
       - { role: robertdebock.bootstrap, tags: "bootstrap" }
       - { role: ryandaniels.create_users, tags: "user", become: yes }
+      - { role: nickjj.ansible-user, tag: "ansible", become: yes }
+
     vars:
+      ### nickjj.ansible-users
+      user_name: "ansible-user"
+      user_local_ssh_key_path: "/home/mg/ansible/id_rsa_ansible_user_pub"
+      user_enable_passwordless_sudo: True
       ### reobertdebock.bootstrap
       bootstrap_user: mg
       bootstrap_wait_for_host: no

roles/nickjj.ansible-user/.gitignore

@@ -0,0 +1,8 @@
+.DS_Store
+*/**.DS_Store
+._*
+.*.sw*
+*~
+.idea/
+.vscode/
+*.retry

roles/nickjj.ansible-user/.travis.yml

@@ -0,0 +1,17 @@
+---
+
+services: "docker"
+
+env:
+  - distro: "ubuntu1604"
+  - distro: "ubuntu1804"
+  - distro: "debian8"
+  - distro: "debian9"
+
+script:
+  # Download test shim.
+  - wget -O ${PWD}/tests/test.sh https://gist.githubusercontent.com/nickjj/d12353b5b601e33cd62fda111359957a/raw
+  - chmod +x ${PWD}/tests/test.sh
+
+  # Run tests.
+  - ${PWD}/tests/test.sh

roles/nickjj.ansible-user/CHANGES.md

@@ -0,0 +1,50 @@
+# Changelog
+
+### v0.4.0
+
+*Released: January 25th 2018*
+
+- Rename `user_authorized_keys_path` to `user_local_ssh_key_path`
+- Add proper tests and support for Ubuntu 16, Debian Stretch and Debian Jessie
+- Update format and style consistencies
+
+### v0.3.3
+
+*Released: October 27th 2016*
+
+- Add ability to generate an SSH key pair (disabled by default)
+
+### v0.3.1
+
+*Released: October 9th 2016*
+
+- Append groups to users
+- Test against Ubuntu 16.04 LTS and Debian Jessie on Travis-CI
+
+### v0.3.0
+
+*Released: October 7th 2016*
+
+- Add ability to create/assign groups
+- Add ability to set a different shell
+- Add ability to toggle copying an SSH key
+- Add ability to toggle passwordless sudo
+- Use the updated YAML syntax for tasks
+
+### v0.2.1
+
+*Released: October 6th 2016*
+
+- Fix Travis-CI tests
+
+### v0.2.0
+
+*Released: October 6th 2016*
+
+- Update role for Ansible 2.1
+
+### v0.1.0
+
+*Released: May 4th 2014*
+
+- Initial release

roles/nickjj.ansible-user/LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Nick Janetakis nick.janetakis@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

roles/nickjj.ansible-user/README.md

@@ -0,0 +1,97 @@
+## What is ansible-user? [![Build Status](https://secure.travis-ci.org/nickjj/ansible-user.png)](http://travis-ci.org/nickjj/ansible-user)
+
+It is an [Ansible](http://www.ansible.com/home) role to:
+
+- Create user groups
+- Create a single user, add it to any groups you created and configure its shell
+- Set your public SSH key as an authorized key so you can login without a password
+- Enable passwordless sudo
+
+## Why would you want to use this role?
+
+When you spin up a new server, you'll often want to set up a non-root user that
+you can login as and run your applications under. That's because running your
+applications as root is a questionable idea from a security point of view.
+
+This role sets you up to do that, but it also includes a few other user related
+tasks, such as what's listed in the above bullets. Having all of these things
+together in 1 role means less work for you to do!
+
+## Supported platforms
+
+- Ubuntu 16.04 LTS (Xenial)
+- Ubuntu 18.04 LTS (Bionic)
+- Debian 8 (Jessie)
+- Debian 9 (Stretch)
+
+## Role variables
+
+```
+# Optionally create additional user groupss. If empty, the user you create will
+# automatically be a part of their user's group, ie. deploy:deploy.
+user_groups: []
+
+# The user you want to create.
+user_name: "deploy"
+
+# Which shell should you default to? Typically "bash" or "sh".
+user_shell: "/bin/bash"
+
+# Do you want to create an SSH keypair for this user? You probably don't for a
+# regular user that you plan to login as which is why it's disabled by default.
+user_generate_ssh_key: False
+
+# When set, this will copy your local SSH public key from this path to your
+# user's authorized keys on your server.
+#
+# If you don't want this behavior then use an empty string as the value but keep
+# in mind this role does not set a default password for the user you create, so
+# you will be locked out if you don't supply your public SSH key.
+user_local_ssh_key_path: "~/.ssh/id_rsa.pub"
+
+# Do you want to enable running root commands without needing a password?
+user_enable_passwordless_sudo: True
+```
+
+## Example usage
+
+For the sake of this example let's assume you have a group called **app** and
+you have a typical `site.yml` playbook.
+
+To use this role edit your `site.yml` file to look something like this:
+
+```
+---
+
+- name: "Configure app server(s)"
+  hosts: "app"
+  become: True
+
+  roles:
+    - { role: "nickjj.user", tags: "user" }
+```
+
+Let's say you want to edit the user name, you can do this by opening or
+creating `group_vars/app.yml` which is located relative to your `inventory`
+directory and then make it look something like this:
+
+```
+---
+
+user_name: "thor"
+```
+
+Now you would run `ansible-playbook -i inventory/hosts site.yml -t user`.
+
+## Installation
+
+`$ ansible-galaxy install nickjj.user`
+
+### Ansible Galaxy
+
+You can find it on the official
+[Ansible Galaxy](https://galaxy.ansible.com/nickjj/user) if you want to rate it.
+
+## License
+
+MIT

roles/nickjj.ansible-user/defaults/main.yml

@@ -0,0 +1,10 @@
+---
+
+user_groups: []
+user_name: "deploy"
+user_shell: "/bin/bash"
+user_generate_ssh_key: False
+
+user_local_ssh_key_path: "~/.ssh/id_rsa.pub"
+
+user_enable_passwordless_sudo: True

roles/nickjj.ansible-user/meta/main.yml

@@ -0,0 +1,25 @@
+---
+
+galaxy_info:
+  author: "Nick Janetakis"
+  description: "Create and configure a user for SSH key based logins and passwordless sudo."
+  company:
+  license: "MIT"
+  min_ansible_version: "2.5"
+
+  platforms:
+    - name: "Ubuntu"
+      versions:
+        - "xenial"
+        - "bionic"
+    - name: "Debian"
+      versions:
+        - "jessie"
+        - "stretch"
+
+  galaxy_tags:
+    - "groups"
+    - "system"
+    - "users"
+
+dependencies: []

roles/nickjj.ansible-user/tasks/main.yml

@@ -0,0 +1,47 @@
+---
+
+- name: "Create user group(s)"
+  group:
+    name: "{{ item }}"
+  loop: "{{ user_groups }}"
+  when: user_groups
+
+- name: "Create user"
+  user:
+    name: "{{ user_name }}"
+    groups: "{{ (user_groups | join(',')) }}"
+    generate_ssh_key: "{{ user_generate_ssh_key }}"
+    shell: "{{ user_shell }}"
+
+- name: "Set authorized_key to allow SSH key based logins"
+  authorized_key:
+    user: "{{ user_name }}"
+    key: "{{ lookup('file', user_local_ssh_key_path) }}"
+  when: user_local_ssh_key_path | default(False)
+
+- name: "Enable including files from sudoers.d/"
+  lineinfile:
+    path: "/etc/sudoers"
+    regexp: "^#includedir /etc/sudoers.d"
+    line: "#includedir /etc/sudoers.d"
+    state: "present"
+    backup: True
+  when: user_enable_passwordless_sudo
+
+- name: Disable sudoers.d
+  lineinfile:
+    path: "/etc/sudoers"
+    regexp: "^#includedir /etc/sudoers.d"
+    line: "#includedir /etc/sudoers.d"
+    state: "absent"
+    backup: True
+  when: user_enable_passwordless_sudo == False
+
+- name: "Enable passwordless sudo"
+  copy:
+    content: "%{{ user_name }} ALL=(ALL) NOPASSWD:ALL"
+    dest: "/etc/sudoers.d/{{ user_name }}"
+    owner: "root"
+    group: "root"
+    mode: "0440"
+  when: user_enable_passwordless_sudo

roles/nickjj.ansible-user/tests/test.yml

@@ -0,0 +1,49 @@
+---
+
+- hosts: "all"
+  become: True
+
+  vars:
+    user_local_ssh_key_path: "/root/.ssh/id_rsa.pub"
+    user_groups: ["foo", "bar"]
+
+  roles:
+    - "role_under_test"
+
+  pre_tasks:
+    - name: "Create fake SSH directory"
+      file:
+        path: "/root/.ssh"
+        state: "directory"
+        owner: "root"
+        group: "root"
+        mode: "0755"
+
+    - name: "Generate fake SSH key"
+      lineinfile:
+        path: "/root/.ssh/id_rsa.pub"
+        line: "ssh-rsa foo hello@world"
+        state: "present"
+        create: True
+
+  post_tasks:
+    - name: "Ensure user belongs to the correct groups"
+      command: groups {{ user_name }}
+      register: result
+      changed_when: result.stdout.split(":")[1] | trim != ([user_name] + user_groups) | join(" ")
+
+    - name: "Ensure authorized_key is set"
+      command: cat /root/.ssh/id_rsa.pub
+      register: result
+      changed_when: result.stdout != "ssh-rsa foo hello@world"
+
+    - name: "Ensure /etc/sudoers.d/deploy contains 'NOPASSWD:ALL'"
+      command: grep NOPASSWD:ALL /etc/sudoers.d/deploy
+      register: result
+      changed_when: result.rc != 0
+
+    - name: "Ensure passwordless sudo works"
+      become_user: "{{ user_name }}"
+      command: sudo whoami
+      register: result
+      changed_when: result.stdout != "root"