Bootstrap & SSH-Keys Neuanfang (#69)
* wip * ufw: wireguard: Regeln verschärft(UDP) * wip * weitere ceph-nodes ergänzt
This commit is contained in:
parent
8b9e758e13
commit
aab871d86b
13 changed files with 344 additions and 13 deletions
|
@ -44,19 +44,8 @@
|
|||
- staging
|
||||
- test
|
||||
- virt
|
||||
- username: ansible-user
|
||||
password: "{{ lookup('keepass', 'linux_mg_user_password', 'password') }}"
|
||||
update_password: on_create
|
||||
ssh_key: "{{ lookup('keepass', 'ssh_pubkey_ansible-user', 'password') }}"
|
||||
use_sudo: yes
|
||||
use_sudo_nopass: yes
|
||||
user_state: present
|
||||
groups: ssh, ansible, sudo
|
||||
servers:
|
||||
- production
|
||||
- staging
|
||||
- test
|
||||
- virt
|
||||
- ceph
|
||||
- k8s
|
||||
### geerlingguy.dotfiles
|
||||
dotfiles_repo: "https://github.com/quotengrote/dotfiles.git"
|
||||
dotfiles_repo_local_destination: "/home/mg/dotfiles-repo"
|
||||
|
|
7
inventories/group_vars/ceph.yml
Normal file
7
inventories/group_vars/ceph.yml
Normal file
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
### oefenweb.ufw
|
||||
ufw_rules:
|
||||
- rule: allow
|
||||
interface: ens18
|
||||
- rule: allow
|
||||
interface: ens19
|
|
@ -58,6 +58,10 @@ all:
|
|||
ceph-1.grote.lan:
|
||||
ceph-2.grote.lan:
|
||||
ceph-3.grote.lan:
|
||||
ceph-4.grote.lan:
|
||||
ceph-5.grote.lan:
|
||||
ceph-6.grote.lan:
|
||||
ceph-7.grote.lan:
|
||||
k8s:
|
||||
hosts:
|
||||
k8s-1.grote.lan:
|
||||
|
|
|
@ -7,7 +7,13 @@
|
|||
roles:
|
||||
- { role: robertdebock.bootstrap, tags: "bootstrap" }
|
||||
- { role: ryandaniels.create_users, tags: "user", become: yes }
|
||||
- { role: nickjj.ansible-user, tag: "ansible", become: yes }
|
||||
|
||||
vars:
|
||||
### nickjj.ansible-users
|
||||
user_name: "ansible-user"
|
||||
user_local_ssh_key_path: "/home/mg/ansible/id_rsa_ansible_user_pub"
|
||||
user_enable_passwordless_sudo: True
|
||||
### reobertdebock.bootstrap
|
||||
bootstrap_user: mg
|
||||
bootstrap_wait_for_host: no
|
||||
|
|
8
roles/nickjj.ansible-user/.gitignore
vendored
Normal file
8
roles/nickjj.ansible-user/.gitignore
vendored
Normal file
|
@ -0,0 +1,8 @@
|
|||
.DS_Store
|
||||
*/**.DS_Store
|
||||
._*
|
||||
.*.sw*
|
||||
*~
|
||||
.idea/
|
||||
.vscode/
|
||||
*.retry
|
17
roles/nickjj.ansible-user/.travis.yml
Normal file
17
roles/nickjj.ansible-user/.travis.yml
Normal file
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
|
||||
services: "docker"
|
||||
|
||||
env:
|
||||
- distro: "ubuntu1604"
|
||||
- distro: "ubuntu1804"
|
||||
- distro: "debian8"
|
||||
- distro: "debian9"
|
||||
|
||||
script:
|
||||
# Download test shim.
|
||||
- wget -O ${PWD}/tests/test.sh https://gist.githubusercontent.com/nickjj/d12353b5b601e33cd62fda111359957a/raw
|
||||
- chmod +x ${PWD}/tests/test.sh
|
||||
|
||||
# Run tests.
|
||||
- ${PWD}/tests/test.sh
|
50
roles/nickjj.ansible-user/CHANGES.md
Normal file
50
roles/nickjj.ansible-user/CHANGES.md
Normal file
|
@ -0,0 +1,50 @@
|
|||
# Changelog
|
||||
|
||||
### v0.4.0
|
||||
|
||||
*Released: January 25th 2018*
|
||||
|
||||
- Rename `user_authorized_keys_path` to `user_local_ssh_key_path`
|
||||
- Add proper tests and support for Ubuntu 16, Debian Stretch and Debian Jessie
|
||||
- Update format and style consistencies
|
||||
|
||||
### v0.3.3
|
||||
|
||||
*Released: October 27th 2016*
|
||||
|
||||
- Add ability to generate an SSH key pair (disabled by default)
|
||||
|
||||
### v0.3.1
|
||||
|
||||
*Released: October 9th 2016*
|
||||
|
||||
- Append groups to users
|
||||
- Test against Ubuntu 16.04 LTS and Debian Jessie on Travis-CI
|
||||
|
||||
### v0.3.0
|
||||
|
||||
*Released: October 7th 2016*
|
||||
|
||||
- Add ability to create/assign groups
|
||||
- Add ability to set a different shell
|
||||
- Add ability to toggle copying an SSH key
|
||||
- Add ability to toggle passwordless sudo
|
||||
- Use the updated YAML syntax for tasks
|
||||
|
||||
### v0.2.1
|
||||
|
||||
*Released: October 6th 2016*
|
||||
|
||||
- Fix Travis-CI tests
|
||||
|
||||
### v0.2.0
|
||||
|
||||
*Released: October 6th 2016*
|
||||
|
||||
- Update role for Ansible 2.1
|
||||
|
||||
### v0.1.0
|
||||
|
||||
*Released: May 4th 2014*
|
||||
|
||||
- Initial release
|
22
roles/nickjj.ansible-user/LICENSE
Normal file
22
roles/nickjj.ansible-user/LICENSE
Normal file
|
@ -0,0 +1,22 @@
|
|||
The MIT License (MIT)
|
||||
|
||||
Copyright (c) 2014 Nick Janetakis nick.janetakis@gmail.com
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining
|
||||
a copy of this software and associated documentation files (the
|
||||
'Software'), to deal in the Software without restriction, including
|
||||
without limitation the rights to use, copy, modify, merge, publish,
|
||||
distribute, sublicense, and/or sell copies of the Software, and to
|
||||
permit persons to whom the Software is furnished to do so, subject to
|
||||
the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be
|
||||
included in all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
|
||||
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
|
||||
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
|
||||
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
|
||||
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
|
||||
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
97
roles/nickjj.ansible-user/README.md
Normal file
97
roles/nickjj.ansible-user/README.md
Normal file
|
@ -0,0 +1,97 @@
|
|||
## What is ansible-user? [![Build Status](https://secure.travis-ci.org/nickjj/ansible-user.png)](http://travis-ci.org/nickjj/ansible-user)
|
||||
|
||||
It is an [Ansible](http://www.ansible.com/home) role to:
|
||||
|
||||
- Create user groups
|
||||
- Create a single user, add it to any groups you created and configure its shell
|
||||
- Set your public SSH key as an authorized key so you can login without a password
|
||||
- Enable passwordless sudo
|
||||
|
||||
## Why would you want to use this role?
|
||||
|
||||
When you spin up a new server, you'll often want to set up a non-root user that
|
||||
you can login as and run your applications under. That's because running your
|
||||
applications as root is a questionable idea from a security point of view.
|
||||
|
||||
This role sets you up to do that, but it also includes a few other user related
|
||||
tasks, such as what's listed in the above bullets. Having all of these things
|
||||
together in 1 role means less work for you to do!
|
||||
|
||||
## Supported platforms
|
||||
|
||||
- Ubuntu 16.04 LTS (Xenial)
|
||||
- Ubuntu 18.04 LTS (Bionic)
|
||||
- Debian 8 (Jessie)
|
||||
- Debian 9 (Stretch)
|
||||
|
||||
## Role variables
|
||||
|
||||
```
|
||||
# Optionally create additional user groupss. If empty, the user you create will
|
||||
# automatically be a part of their user's group, ie. deploy:deploy.
|
||||
user_groups: []
|
||||
|
||||
# The user you want to create.
|
||||
user_name: "deploy"
|
||||
|
||||
# Which shell should you default to? Typically "bash" or "sh".
|
||||
user_shell: "/bin/bash"
|
||||
|
||||
# Do you want to create an SSH keypair for this user? You probably don't for a
|
||||
# regular user that you plan to login as which is why it's disabled by default.
|
||||
user_generate_ssh_key: False
|
||||
|
||||
# When set, this will copy your local SSH public key from this path to your
|
||||
# user's authorized keys on your server.
|
||||
#
|
||||
# If you don't want this behavior then use an empty string as the value but keep
|
||||
# in mind this role does not set a default password for the user you create, so
|
||||
# you will be locked out if you don't supply your public SSH key.
|
||||
user_local_ssh_key_path: "~/.ssh/id_rsa.pub"
|
||||
|
||||
# Do you want to enable running root commands without needing a password?
|
||||
user_enable_passwordless_sudo: True
|
||||
```
|
||||
|
||||
## Example usage
|
||||
|
||||
For the sake of this example let's assume you have a group called **app** and
|
||||
you have a typical `site.yml` playbook.
|
||||
|
||||
To use this role edit your `site.yml` file to look something like this:
|
||||
|
||||
```
|
||||
---
|
||||
|
||||
- name: "Configure app server(s)"
|
||||
hosts: "app"
|
||||
become: True
|
||||
|
||||
roles:
|
||||
- { role: "nickjj.user", tags: "user" }
|
||||
```
|
||||
|
||||
Let's say you want to edit the user name, you can do this by opening or
|
||||
creating `group_vars/app.yml` which is located relative to your `inventory`
|
||||
directory and then make it look something like this:
|
||||
|
||||
```
|
||||
---
|
||||
|
||||
user_name: "thor"
|
||||
```
|
||||
|
||||
Now you would run `ansible-playbook -i inventory/hosts site.yml -t user`.
|
||||
|
||||
## Installation
|
||||
|
||||
`$ ansible-galaxy install nickjj.user`
|
||||
|
||||
### Ansible Galaxy
|
||||
|
||||
You can find it on the official
|
||||
[Ansible Galaxy](https://galaxy.ansible.com/nickjj/user) if you want to rate it.
|
||||
|
||||
## License
|
||||
|
||||
MIT
|
10
roles/nickjj.ansible-user/defaults/main.yml
Normal file
10
roles/nickjj.ansible-user/defaults/main.yml
Normal file
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
|
||||
user_groups: []
|
||||
user_name: "deploy"
|
||||
user_shell: "/bin/bash"
|
||||
user_generate_ssh_key: False
|
||||
|
||||
user_local_ssh_key_path: "~/.ssh/id_rsa.pub"
|
||||
|
||||
user_enable_passwordless_sudo: True
|
25
roles/nickjj.ansible-user/meta/main.yml
Normal file
25
roles/nickjj.ansible-user/meta/main.yml
Normal file
|
@ -0,0 +1,25 @@
|
|||
---
|
||||
|
||||
galaxy_info:
|
||||
author: "Nick Janetakis"
|
||||
description: "Create and configure a user for SSH key based logins and passwordless sudo."
|
||||
company:
|
||||
license: "MIT"
|
||||
min_ansible_version: "2.5"
|
||||
|
||||
platforms:
|
||||
- name: "Ubuntu"
|
||||
versions:
|
||||
- "xenial"
|
||||
- "bionic"
|
||||
- name: "Debian"
|
||||
versions:
|
||||
- "jessie"
|
||||
- "stretch"
|
||||
|
||||
galaxy_tags:
|
||||
- "groups"
|
||||
- "system"
|
||||
- "users"
|
||||
|
||||
dependencies: []
|
47
roles/nickjj.ansible-user/tasks/main.yml
Normal file
47
roles/nickjj.ansible-user/tasks/main.yml
Normal file
|
@ -0,0 +1,47 @@
|
|||
---
|
||||
|
||||
- name: "Create user group(s)"
|
||||
group:
|
||||
name: "{{ item }}"
|
||||
loop: "{{ user_groups }}"
|
||||
when: user_groups
|
||||
|
||||
- name: "Create user"
|
||||
user:
|
||||
name: "{{ user_name }}"
|
||||
groups: "{{ (user_groups | join(',')) }}"
|
||||
generate_ssh_key: "{{ user_generate_ssh_key }}"
|
||||
shell: "{{ user_shell }}"
|
||||
|
||||
- name: "Set authorized_key to allow SSH key based logins"
|
||||
authorized_key:
|
||||
user: "{{ user_name }}"
|
||||
key: "{{ lookup('file', user_local_ssh_key_path) }}"
|
||||
when: user_local_ssh_key_path | default(False)
|
||||
|
||||
- name: "Enable including files from sudoers.d/"
|
||||
lineinfile:
|
||||
path: "/etc/sudoers"
|
||||
regexp: "^#includedir /etc/sudoers.d"
|
||||
line: "#includedir /etc/sudoers.d"
|
||||
state: "present"
|
||||
backup: True
|
||||
when: user_enable_passwordless_sudo
|
||||
|
||||
- name: Disable sudoers.d
|
||||
lineinfile:
|
||||
path: "/etc/sudoers"
|
||||
regexp: "^#includedir /etc/sudoers.d"
|
||||
line: "#includedir /etc/sudoers.d"
|
||||
state: "absent"
|
||||
backup: True
|
||||
when: user_enable_passwordless_sudo == False
|
||||
|
||||
- name: "Enable passwordless sudo"
|
||||
copy:
|
||||
content: "%{{ user_name }} ALL=(ALL) NOPASSWD:ALL"
|
||||
dest: "/etc/sudoers.d/{{ user_name }}"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
mode: "0440"
|
||||
when: user_enable_passwordless_sudo
|
49
roles/nickjj.ansible-user/tests/test.yml
Normal file
49
roles/nickjj.ansible-user/tests/test.yml
Normal file
|
@ -0,0 +1,49 @@
|
|||
---
|
||||
|
||||
- hosts: "all"
|
||||
become: True
|
||||
|
||||
vars:
|
||||
user_local_ssh_key_path: "/root/.ssh/id_rsa.pub"
|
||||
user_groups: ["foo", "bar"]
|
||||
|
||||
roles:
|
||||
- "role_under_test"
|
||||
|
||||
pre_tasks:
|
||||
- name: "Create fake SSH directory"
|
||||
file:
|
||||
path: "/root/.ssh"
|
||||
state: "directory"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
mode: "0755"
|
||||
|
||||
- name: "Generate fake SSH key"
|
||||
lineinfile:
|
||||
path: "/root/.ssh/id_rsa.pub"
|
||||
line: "ssh-rsa foo hello@world"
|
||||
state: "present"
|
||||
create: True
|
||||
|
||||
post_tasks:
|
||||
- name: "Ensure user belongs to the correct groups"
|
||||
command: groups {{ user_name }}
|
||||
register: result
|
||||
changed_when: result.stdout.split(":")[1] | trim != ([user_name] + user_groups) | join(" ")
|
||||
|
||||
- name: "Ensure authorized_key is set"
|
||||
command: cat /root/.ssh/id_rsa.pub
|
||||
register: result
|
||||
changed_when: result.stdout != "ssh-rsa foo hello@world"
|
||||
|
||||
- name: "Ensure /etc/sudoers.d/deploy contains 'NOPASSWD:ALL'"
|
||||
command: grep NOPASSWD:ALL /etc/sudoers.d/deploy
|
||||
register: result
|
||||
changed_when: result.rc != 0
|
||||
|
||||
- name: "Ensure passwordless sudo works"
|
||||
become_user: "{{ user_name }}"
|
||||
command: sudo whoami
|
||||
register: result
|
||||
changed_when: result.stdout != "root"
|
Loading…
Reference in a new issue