Bootstrap & SSH-Keys Neuanfang (#69)

* wip

* ufw: wireguard: Regeln verschärft(UDP)

* wip

* weitere ceph-nodes ergänzt
This commit is contained in:
Quotengrote 2020-11-21 18:44:56 +01:00 committed by GitHub
parent 8b9e758e13
commit aab871d86b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
13 changed files with 344 additions and 13 deletions

View file

@ -44,19 +44,8 @@
- staging
- test
- virt
- username: ansible-user
password: "{{ lookup('keepass', 'linux_mg_user_password', 'password') }}"
update_password: on_create
ssh_key: "{{ lookup('keepass', 'ssh_pubkey_ansible-user', 'password') }}"
use_sudo: yes
use_sudo_nopass: yes
user_state: present
groups: ssh, ansible, sudo
servers:
- production
- staging
- test
- virt
- ceph
- k8s
### geerlingguy.dotfiles
dotfiles_repo: "https://github.com/quotengrote/dotfiles.git"
dotfiles_repo_local_destination: "/home/mg/dotfiles-repo"

View file

@ -0,0 +1,7 @@
---
### oefenweb.ufw
ufw_rules:
- rule: allow
interface: ens18
- rule: allow
interface: ens19

View file

@ -58,6 +58,10 @@ all:
ceph-1.grote.lan:
ceph-2.grote.lan:
ceph-3.grote.lan:
ceph-4.grote.lan:
ceph-5.grote.lan:
ceph-6.grote.lan:
ceph-7.grote.lan:
k8s:
hosts:
k8s-1.grote.lan:

View file

@ -7,7 +7,13 @@
roles:
- { role: robertdebock.bootstrap, tags: "bootstrap" }
- { role: ryandaniels.create_users, tags: "user", become: yes }
- { role: nickjj.ansible-user, tag: "ansible", become: yes }
vars:
### nickjj.ansible-users
user_name: "ansible-user"
user_local_ssh_key_path: "/home/mg/ansible/id_rsa_ansible_user_pub"
user_enable_passwordless_sudo: True
### reobertdebock.bootstrap
bootstrap_user: mg
bootstrap_wait_for_host: no

8
roles/nickjj.ansible-user/.gitignore vendored Normal file
View file

@ -0,0 +1,8 @@
.DS_Store
*/**.DS_Store
._*
.*.sw*
*~
.idea/
.vscode/
*.retry

View file

@ -0,0 +1,17 @@
---
services: "docker"
env:
- distro: "ubuntu1604"
- distro: "ubuntu1804"
- distro: "debian8"
- distro: "debian9"
script:
# Download test shim.
- wget -O ${PWD}/tests/test.sh https://gist.githubusercontent.com/nickjj/d12353b5b601e33cd62fda111359957a/raw
- chmod +x ${PWD}/tests/test.sh
# Run tests.
- ${PWD}/tests/test.sh

View file

@ -0,0 +1,50 @@
# Changelog
### v0.4.0
*Released: January 25th 2018*
- Rename `user_authorized_keys_path` to `user_local_ssh_key_path`
- Add proper tests and support for Ubuntu 16, Debian Stretch and Debian Jessie
- Update format and style consistencies
### v0.3.3
*Released: October 27th 2016*
- Add ability to generate an SSH key pair (disabled by default)
### v0.3.1
*Released: October 9th 2016*
- Append groups to users
- Test against Ubuntu 16.04 LTS and Debian Jessie on Travis-CI
### v0.3.0
*Released: October 7th 2016*
- Add ability to create/assign groups
- Add ability to set a different shell
- Add ability to toggle copying an SSH key
- Add ability to toggle passwordless sudo
- Use the updated YAML syntax for tasks
### v0.2.1
*Released: October 6th 2016*
- Fix Travis-CI tests
### v0.2.0
*Released: October 6th 2016*
- Update role for Ansible 2.1
### v0.1.0
*Released: May 4th 2014*
- Initial release

View file

@ -0,0 +1,22 @@
The MIT License (MIT)
Copyright (c) 2014 Nick Janetakis nick.janetakis@gmail.com
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
'Software'), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

View file

@ -0,0 +1,97 @@
## What is ansible-user? [![Build Status](https://secure.travis-ci.org/nickjj/ansible-user.png)](http://travis-ci.org/nickjj/ansible-user)
It is an [Ansible](http://www.ansible.com/home) role to:
- Create user groups
- Create a single user, add it to any groups you created and configure its shell
- Set your public SSH key as an authorized key so you can login without a password
- Enable passwordless sudo
## Why would you want to use this role?
When you spin up a new server, you'll often want to set up a non-root user that
you can login as and run your applications under. That's because running your
applications as root is a questionable idea from a security point of view.
This role sets you up to do that, but it also includes a few other user related
tasks, such as what's listed in the above bullets. Having all of these things
together in 1 role means less work for you to do!
## Supported platforms
- Ubuntu 16.04 LTS (Xenial)
- Ubuntu 18.04 LTS (Bionic)
- Debian 8 (Jessie)
- Debian 9 (Stretch)
## Role variables
```
# Optionally create additional user groupss. If empty, the user you create will
# automatically be a part of their user's group, ie. deploy:deploy.
user_groups: []
# The user you want to create.
user_name: "deploy"
# Which shell should you default to? Typically "bash" or "sh".
user_shell: "/bin/bash"
# Do you want to create an SSH keypair for this user? You probably don't for a
# regular user that you plan to login as which is why it's disabled by default.
user_generate_ssh_key: False
# When set, this will copy your local SSH public key from this path to your
# user's authorized keys on your server.
#
# If you don't want this behavior then use an empty string as the value but keep
# in mind this role does not set a default password for the user you create, so
# you will be locked out if you don't supply your public SSH key.
user_local_ssh_key_path: "~/.ssh/id_rsa.pub"
# Do you want to enable running root commands without needing a password?
user_enable_passwordless_sudo: True
```
## Example usage
For the sake of this example let's assume you have a group called **app** and
you have a typical `site.yml` playbook.
To use this role edit your `site.yml` file to look something like this:
```
---
- name: "Configure app server(s)"
hosts: "app"
become: True
roles:
- { role: "nickjj.user", tags: "user" }
```
Let's say you want to edit the user name, you can do this by opening or
creating `group_vars/app.yml` which is located relative to your `inventory`
directory and then make it look something like this:
```
---
user_name: "thor"
```
Now you would run `ansible-playbook -i inventory/hosts site.yml -t user`.
## Installation
`$ ansible-galaxy install nickjj.user`
### Ansible Galaxy
You can find it on the official
[Ansible Galaxy](https://galaxy.ansible.com/nickjj/user) if you want to rate it.
## License
MIT

View file

@ -0,0 +1,10 @@
---
user_groups: []
user_name: "deploy"
user_shell: "/bin/bash"
user_generate_ssh_key: False
user_local_ssh_key_path: "~/.ssh/id_rsa.pub"
user_enable_passwordless_sudo: True

View file

@ -0,0 +1,25 @@
---
galaxy_info:
author: "Nick Janetakis"
description: "Create and configure a user for SSH key based logins and passwordless sudo."
company:
license: "MIT"
min_ansible_version: "2.5"
platforms:
- name: "Ubuntu"
versions:
- "xenial"
- "bionic"
- name: "Debian"
versions:
- "jessie"
- "stretch"
galaxy_tags:
- "groups"
- "system"
- "users"
dependencies: []

View file

@ -0,0 +1,47 @@
---
- name: "Create user group(s)"
group:
name: "{{ item }}"
loop: "{{ user_groups }}"
when: user_groups
- name: "Create user"
user:
name: "{{ user_name }}"
groups: "{{ (user_groups | join(',')) }}"
generate_ssh_key: "{{ user_generate_ssh_key }}"
shell: "{{ user_shell }}"
- name: "Set authorized_key to allow SSH key based logins"
authorized_key:
user: "{{ user_name }}"
key: "{{ lookup('file', user_local_ssh_key_path) }}"
when: user_local_ssh_key_path | default(False)
- name: "Enable including files from sudoers.d/"
lineinfile:
path: "/etc/sudoers"
regexp: "^#includedir /etc/sudoers.d"
line: "#includedir /etc/sudoers.d"
state: "present"
backup: True
when: user_enable_passwordless_sudo
- name: Disable sudoers.d
lineinfile:
path: "/etc/sudoers"
regexp: "^#includedir /etc/sudoers.d"
line: "#includedir /etc/sudoers.d"
state: "absent"
backup: True
when: user_enable_passwordless_sudo == False
- name: "Enable passwordless sudo"
copy:
content: "%{{ user_name }} ALL=(ALL) NOPASSWD:ALL"
dest: "/etc/sudoers.d/{{ user_name }}"
owner: "root"
group: "root"
mode: "0440"
when: user_enable_passwordless_sudo

View file

@ -0,0 +1,49 @@
---
- hosts: "all"
become: True
vars:
user_local_ssh_key_path: "/root/.ssh/id_rsa.pub"
user_groups: ["foo", "bar"]
roles:
- "role_under_test"
pre_tasks:
- name: "Create fake SSH directory"
file:
path: "/root/.ssh"
state: "directory"
owner: "root"
group: "root"
mode: "0755"
- name: "Generate fake SSH key"
lineinfile:
path: "/root/.ssh/id_rsa.pub"
line: "ssh-rsa foo hello@world"
state: "present"
create: True
post_tasks:
- name: "Ensure user belongs to the correct groups"
command: groups {{ user_name }}
register: result
changed_when: result.stdout.split(":")[1] | trim != ([user_name] + user_groups) | join(" ")
- name: "Ensure authorized_key is set"
command: cat /root/.ssh/id_rsa.pub
register: result
changed_when: result.stdout != "ssh-rsa foo hello@world"
- name: "Ensure /etc/sudoers.d/deploy contains 'NOPASSWD:ALL'"
command: grep NOPASSWD:ALL /etc/sudoers.d/deploy
register: result
changed_when: result.rc != 0
- name: "Ensure passwordless sudo works"
become_user: "{{ user_name }}"
command: sudo whoami
register: result
changed_when: result.stdout != "root"