Add administrative user role

2021-02-26 10:07:57 -06:00 · 2021-02-26 10:07:57 -06:00 · bab051af2c
commit bab051af2c
parent e916cd784f
4 changed files with 57 additions and 0 deletions
--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml
@ -5,6 +5,11 @@ ansible_pull_repo: "https://git.desu.ltd/salt/ansible"
 ansible_pull_commit: master
 common_ansible_pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDfXVgMHeD2wtCAIVoDYQ+R19vKfhmR2FgUTkHhAzE2156fB/+IMB+6Qc4X3aFRIcUp+Ls8Vm8JQ3d0jvbcGQkgbAjRExQa71XGBmhxJCxzlCLBoQzBmTSnryL09LExoMynzVgrso8TQP92vZBGJFI/lLGAaop2l9pu+3cgM3sRaK+A11lcRCrS25C3hqPQhKC44zjzOt7sIoaG6RqG3CQ8jhE35bthQdBySOZVDgDKfjDyPuDzVxiKjsuNm4Ojzm0QW5gq6GkLOg2B8OSQ1TGQgBHQu4b8zsKBOUOdbZb0JLM8NdpH1cMntC0QBofy3DzqR/CFaSaBzUx+dnkBH0/pjBOrhHzzqZGOJayfC1igYki67HqzFV5IjhAVa+c4S9L/zbFk0+YZYdgMoKNlMU2LgzrSEastuXHD7NUy3fMP4BZbqg37SjQzFRXoUp5+ctVs9tCoy/qvvjT3UVGcn312eJrRRfWrYagU2nWKGyqbTOpsuOJ5OLlhopy6eP9+yRM= ansible"

+# Admin user configuration
+adminuser_name: salt
+adminuser_ssh_authorized_keys:
+  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPCoRSbzKkb8gd9rjeeRZeE71vp0vF3leBUeyTWGzFJf ansible-generated on lap-s76-lemp9-0.desu.ltd
+
 # For backups
 backup_s3_bucket: !vault |
          $ANSIBLE_VAULT;1.1;AES256
--- a/roles/adminuser/defaults/main.yml
+++ b/roles/adminuser/defaults/main.yml
@ -0,0 +1,23 @@
+#!/usr/bin/env ansible-playbook
+# vim:ft=ansible:
+# Basic user configuration
+adminuser_name: admin
+adminuser_comment: Administrative user
+adminuser_shell: /bin/bash
+# Define me to set a user password
+#adminuser_password:
+
+# SSH keys
+adminuser_ssh_key_type: ed25519
+adminuser_ssh_key: yes
+adminuser_ssh_authorized_keys: []
+adminuser_ssh_unauthorized_keys: []
+
+# Groups
+adminuser_groups: []
+adminuser_groups_extra: []
+adminuser_groups_append: yes
+
+# Sudo rule
+adminuser_sudo_rule: "{{ adminuser_name }} ALL=(ALL:ALL) NOPASSWD:ALL"
+adminuser_sudo: yes
--- a/roles/adminuser/tasks/main.yml
+++ b/roles/adminuser/tasks/main.yml
@ -0,0 +1,27 @@
+#!/usr/bin/env ansible-playbook
+# vim:ft=ansible:
+- name: assure admin user
+  user:
+    name: "{{ adminuser_name }}"
+    append: "{{ adminuser_groups_append }}"
+    groups: "{{ adminuser_groups + adminuser_groups_extra }}"
+    shell: "{{ adminuser_shell }}"
+- name: assure admin user ssh key
+  user:
+    name: "{{ adminuser_name }}"
+    generate_ssh_key: yes
+    ssh_key_type: "{{ adminuser_ssh_key_type }}"
+    ssh_key_file: ".ssh/id_{{ adminuser_ssh_key_type }}"
+  when: adminuser_ssh_key
+- name: assure admin user ssh authorized keys
+  authorized_key: user={{ adminuser_name }} key={{ item }}
+  loop: "{{ adminuser_ssh_authorized_keys }}"
+- name: remove admin user ssh keys
+  authorized_key: state=absent user={{ adminuser_name }} key={{ item }}
+  loop: "{{ adminuser_ssh_unauthorized_keys }}"
+- name: assure admin user pass
+  user: name={{ adminuser_name }} password={{ adminuser_password }}
+  when: adminuser_password is defined
+- name: assure admin user sudo rule
+  lineinfile: path=/etc/sudoers line={{ adminuser_sudo_rule }}
+  when: adminuser_sudo
--- a/site.yml
+++ b/site.yml
@ -8,6 +8,8 @@
      tags: [ common ]
    - role: ansible-pull
      tags: [ ansible, common ]
+    - role: adminuser
+      tags: [ adminuser, common ]
    - role: git
      vars:
        git_repos: