From bab051af2c67c3245673925a2842007574325eb6 Mon Sep 17 00:00:00 2001
From: Salt
Date: Fri, 26 Feb 2021 10:07:57 -0600
Subject: [PATCH] Add administrative user role
---
 inventory/group_vars/all.yml | 5 +++++
 roles/adminuser/defaults/main.yml | 23 +++++++++++++++++++++++
 roles/adminuser/tasks/main.yml | 27 +++++++++++++++++++++++++++
 site.yml | 2 ++
 4 files changed, 57 insertions(+)
 create mode 100644 roles/adminuser/defaults/main.yml
 create mode 100644 roles/adminuser/tasks/main.yml
diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml
index 9788fd2..802d27a 100644
--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml
@@ -5,6 +5,11 @@
 ansible_pull_repo: "https://git.desu.ltd/salt/ansible"
 ansible_pull_commit: master
 common_ansible_pubkey: "ssh-rsa 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 ansible"
+# Admin user configuration
+adminuser_name: salt
+adminuser_ssh_authorized_keys:
+ - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPCoRSbzKkb8gd9rjeeRZeE71vp0vF3leBUeyTWGzFJf ansible-generated on lap-s76-lemp9-0.desu.ltd
+
 # For backups
 backup_s3_bucket: !vault |
 $ANSIBLE_VAULT;1.1;AES256
diff --git a/roles/adminuser/defaults/main.yml b/roles/adminuser/defaults/main.yml
new file mode 100644
index 0000000..3fcf453
--- /dev/null
+++ b/roles/adminuser/defaults/main.yml
@@ -0,0 +1,23 @@
+#!/usr/bin/env ansible-playbook
+# vim:ft=ansible:
+# Basic user configuration
+adminuser_name: admin
+adminuser_comment: Administrative user
+adminuser_shell: /bin/bash
+# Define me to set a user password
+#adminuser_password:
+
+# SSH keys
+adminuser_ssh_key_type: ed25519
+adminuser_ssh_key: yes
+adminuser_ssh_authorized_keys: []
+adminuser_ssh_unauthorized_keys: []
+
+# Groups
+adminuser_groups: []
+adminuser_groups_extra: []
+adminuser_groups_append: yes
+
+# Sudo rule
+adminuser_sudo_rule: "{{ adminuser_name }} ALL=(ALL:ALL) NOPASSWD:ALL"
+adminuser_sudo: yes
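Review bot: The added `adminuser_name: salt` lives in group_vars/all, so together with the role defaults introduced in this same commit (`adminuser_sudo: yes` and a `NOPASSWD:ALL` rule) it creates that account with passwordless sudo on every host in the inventory, and nothing on these lines says so. A comment above the block such as `# Applies to every host: creates this account with passwordless sudo (rule defined in roles/adminuser/defaults/main.yml)` would make the reach explicit to the next person editing the inventory. The public key is left as a plain scalar, which parses correctly here, but quoting it (`- "ssh-ed25519 … lap-s76-lemp9-0.desu.ltd"`) matches the style of `common_ansible_pubkey` two lines above and keeps a future key comment containing ` #` from being truncated by the YAML parser.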
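Review bot: `adminuser_sudo_rule` defaults to `NOPASSWD:ALL` and `adminuser_sudo: yes` enables it, so the role's out-of-the-box result is an account with passwordless full root, which is the opposite of a least-privilege default; a rule that still prompts, `adminuser_sudo_rule: "{{ adminuser_name }} ALL=(ALL:ALL) ALL"`, with NOPASSWD left to an explicit override in group_vars, would be the safer starting point, and either way the `# Sudo rule` comment should state what the rule grants. The comment above `#adminuser_password:` should say that the value is passed straight to the `user` module's `password` parameter in tasks/main.yml and therefore must be a crypted hash rather than a clear-text password, e.g. `# Define me (as a crypted password hash, never clear text) to set a user password`. The three `yes` values (`adminuser_ssh_key`, `adminuser_groups_append`, `adminuser_sudo`) are YAML 1.1 truthy spellings; `true` is what yamllint expects and is unambiguous across parsers.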
diff --git a/roles/adminuser/tasks/main.yml b/roles/adminuser/tasks/main.yml
new file mode 100644
index 0000000..3afed85
--- /dev/null
+++ b/roles/adminuser/tasks/main.yml
@@ -0,0 +1,27 @@
+#!/usr/bin/env ansible-playbook
+# vim:ft=ansible:
+- name: assure admin user
+ user:
+ name: "{{ adminuser_name }}"
+ append: "{{ adminuser_groups_append }}"
+ groups: "{{ adminuser_groups + adminuser_groups_extra }}"
+ shell: "{{ adminuser_shell }}"
+- name: assure admin user ssh key
+ user:
+ name: "{{ adminuser_name }}"
+ generate_ssh_key: yes
+ ssh_key_type: "{{ adminuser_ssh_key_type }}"
+ ssh_key_file: ".ssh/id_{{ adminuser_ssh_key_type }}"
+ when: adminuser_ssh_key
+- name: assure admin user ssh authorized keys
+ authorized_key: user={{ adminuser_name }} key={{ item }}
+ loop: "{{ adminuser_ssh_authorized_keys }}"
+- name: remove admin user ssh keys
+ authorized_key: state=absent user={{ adminuser_name }} key={{ item }}
+ loop: "{{ adminuser_ssh_unauthorized_keys }}"
+- name: assure admin user pass
+ user: name={{ adminuser_name }} password={{ adminuser_password }}
+ when: adminuser_password is defined
+- name: assure admin user sudo rule
+ lineinfile: path=/etc/sudoers line={{ adminuser_sudo_rule }}
+ when: adminuser_sudo
diff --git a/site.yml b/site.yml
index 0862468..4321784 100755
--- a/site.yml
+++ b/site.yml
@@ -8,6 +8,8 @@
 tags: [ common ]
 - role: ansible-pull
 tags: [ ansible, common ]
+ - role: adminuser
+ tags: [ adminuser, common ]
 - role: git
 vars:
 git_repos:
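Review bot: The last task writes `{{ adminuser_sudo_rule }}` into /etc/sudoers with `lineinfile` and no `validate`, so a rule that visudo rejects (a typo in a group_vars override of the default) leaves a broken sudoers on every host the role touches; adding `validate: '/usr/sbin/visudo -cf %s'` makes lineinfile check the candidate file before it replaces the real one. The password task passes `adminuser_password` as a module argument, so the value can show up in task output and logs unless the task carries `no_log: true`; the `user` module also expects that value to be a crypted hash, which neither this task nor the defaults comment says. The first task never passes `comment: "{{ adminuser_comment }}"` even though defaults/main.yml declares that variable, so it currently has no effect. The first two tasks use block YAML for module arguments while the remaining four use `key=value` strings; the Ansible convention is block form throughout, which also stops the templated values with spaces from depending on the shorthand parser keeping them intact.
```yaml
# … unchanged: shebang, vim modeline, first three tasks (add `comment: "{{ adminuser_comment }}"` under the first `user:`) …
- name: assure admin user pass
  user:
    name: "{{ adminuser_name }}"
    password: "{{ adminuser_password }}"
  no_log: true
  when: adminuser_password is defined
- name: assure admin user sudo rule
  lineinfile:
    path: /etc/sudoers
    line: "{{ adminuser_sudo_rule }}"
    validate: '/usr/sbin/visudo -cf %s'
  when: adminuser_sudo
```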