From c7d674a9b0a6422ba2afc4b2cdf38fff4e6d6935 Mon Sep 17 00:00:00 2001
From: Salt
Date: Mon, 1 Jun 2020 04:54:38 -0500
Subject: [PATCH] Modularize user role, fix indentation with ansible vault secrets
---
9iron.yml | 14 ++++++++
desktop.yml | 17 +++++++++-
inventory/group_vars/all.yml | 62 ++++++++++++++++++------------------
roles/user/defaults/main.yml | 4 +++
roles/user/tasks/main.yml | 37 +++++++--------------
5 files changed, 76 insertions(+), 58 deletions(-)
create mode 100644 roles/user/defaults/main.yml
diff --git a/9iron.yml b/9iron.yml
index 18c4f27..5fed137 100644
--- a/9iron.yml
+++ b/9iron.yml
@@ -6,6 +6,20 @@
 - common
 - user
 - influxdb
+ - role: user
+ vars:
+ user_username: salt
+ user_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 37666131343936663962386535343939373161343337383436613961303637376136633736353533
+ 3366623536646563383563373265313134663464396231370a303033353661336436386561366139
+ 30393536393634653566646636366436656435623534626266343632313336336336346131383361
+ 3366343932383930350a383637646261373135376138633533306530306339316235353262356135
+ 34626466363266616265653064333365663663306330666632343864373335626265323230633331
+ 33623431633665353964623437636231623366383733626266353162633762373035376638663936
+ 62383065653836366431316461663862393130653761643937376565366435646665313961663534
+ 64303363653631653433343361616635373966326433663466636164613062343561333036613937
+ 35616666633737356331653632323639373330396433366639326466373639313630
 - hosts: 9iron.club
 roles:
 - role: backups
diff --git a/desktop.yml b/desktop.yml
index b7bf016..0bd8ad2 100644
--- a/desktop.yml
+++ b/desktop.yml
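Review bot: The play keeps the bare `- user` entry (second context line of the hunk) while adding `- role: user` with vault vars, so the role now runs twice on this play — first with the defaults from roles/user/defaults/main.yml (`user_password: "!"`, which the `user` task writes to the shadow field, i.e. a locked account, unless inventory overrides it) and then again with the vault hash — whereas desktop.yml's hunk removes its bare `- user`; drop the `- user` line here as well. The vault blob is also pasted byte-for-byte into both 9iron.yml and desktop.yml; the other vault secrets already live in inventory/group_vars/all.yml, so a single `user_password: !vault |` there (the role already reads that variable) would leave one copy to rotate and let both role entries shrink to `- role: user`. If the two plays are meant to manage different accounts, keep `user_username` per play but still source the hash from one place.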
@@ -4,8 +4,23 @@
 - hosts: localhost
 roles:
 - common
- - user
 - desktop
+ - role: user
+ vars:
+ user_username: salt
+ user_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 37666131343936663962386535343939373161343337383436613961303637376136633736353533
+ 3366623536646563383563373265313134663464396231370a303033353661336436386561366139
+ 30393536393634653566646636366436656435623534626266343632313336336336346131383361
+ 3366343932383930350a383637646261373135376138633533306530306339316235353262356135
+ 34626466363266616265653064333365663663306330666632343864373335626265323230633331
+ 33623431633665353964623437636231623366383733626266353162633762373035376638663936
+ 62383065653836366431316461663862393130653761643937376565366435646665313961663534
+ 64303363653631653433343361616635373966326433663466636164613062343561333036613937
+ 35616666633737356331653632323639373330396433366639326466373639313630
+ tags: [ user ]
 - role: ansiblehost
 vars:
 pullplaybook: "desktop.yml"
+ tags: [ ansiblehost ]
diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml
index b0b13c1..1695b18 100644
--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml
@@ -12,12 +12,12 @@ acme_webroot: "/var/www/acme"
 # MySQL
 mysql_root_password: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 62316565376333396465333931356163343363663063636233653536373033396230626639613964
- 3037613839373833646234626236643430393364643131610a333539373533663434373935376130
- 65323365313465316635646465376665616132653832316362363535366563363863636530313666
- 3036393134386131310a643734363261633166636263343538313533393738323934303137343163
- 39636637643035616236663364663562366133613233313139623937313531343564
+ $ANSIBLE_VAULT;1.1;AES256
+ 62316565376333396465333931356163343363663063636233653536373033396230626639613964
+ 3037613839373833646234626236643430393364643131610a333539373533663434373935376130
+ 65323365313465316635646465376665616132653832316362363535366563363863636530313666
+ 3036393134386131310a643734363261633166636263343538313533393738323934303137343163
+ 39636637643035616236663364663562366133613233313139623937313531343564
 ## WEBAPPS
 # Dokuwiki
@@ -27,13 +27,13 @@ dokuwiki_webroot: "/var/www/dokuwiki"
 # Gitea
 gitea_mysql_password: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 62353264353465316661353738666161313036373761666163663733656461316536636334386335
- 6161386630663739363439383237343065333239613134610a383036373735326536386464343164
- 31346337636665356630336234306534646362386663633734353166373761316139313734306630
- 3364306566323666310a323034303434613237643665643637633430353437316339356463646331
- 33353062343164396465326365653561626363343961326363633231303736316436643935646161
- 3933353234613430373930663832643934613233383635613433
+ $ANSIBLE_VAULT;1.1;AES256
+ 62353264353465316661353738666161313036373761666163663733656461316536636334386335
+ 6161386630663739363439383237343065333239613134610a383036373735326536386464343164
+ 31346337636665356630336234306534646362386663633734353166373761316139313734306630
+ 3364306566323666310a323034303434613237643665643637633430353437316339356463646331
+ 33353062343164396465326365653561626363343961326363633231303736316436643935646161
+ 3933353234613430373930663832643934613233383635613433
 gitea_app_name: "9iron Gitea"
 gitea_disable_registration: "false"
 gitea_root_directory: "/cold/gitea-repositories/"
@@ -42,32 +42,32 @@ gitea_webroot: "/var/www/gitea"
 gitea_admin_username: "salt"
 gitea_admin_email: "rehashedsalt@cock.li"
 gitea_admin_password: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 35613039646236306236363930353231303331633765303039373736626666666530323433356466
- 3062633166313332643039613561303431613735396339650a376664373137643439303465376365
- 35313266376539366134343562626164616666306338343538663361393964626565303331383234
- 3565646664333966650a323530356664366262653763363439613534303764366436376634373639
- 62303264653836656162366362316461656363353539343632616462626231643632
+ $ANSIBLE_VAULT;1.1;AES256
+ 35613039646236306236363930353231303331633765303039373736626666666530323433356466
+ 3062633166313332643039613561303431613735396339650a376664373137643439303465376365
+ 35313266376539366134343562626164616666306338343538663361393964626565303331383234
+ 3565646664333966650a323530356664366262653763363439613534303764366436376634373639
+ 62303264653836656162366362316461656363353539343632616462626231643632
 # Grafana
 grafana_mysql_password: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 65376335363732633132326630323161393861323833323631613630343262383137656138356262
- 3730386139393739373738626535376636666135646463350a623331333032346434343465666234
- 38393539623437376133363063633238383031326431653737346564323837343265653431633962
- 6665346237666165330a643635653863356633623535383063366632336437313730626233346664
- 33303465616532313339393634386166363162393661393037323835323035386663
+ $ANSIBLE_VAULT;1.1;AES256
+ 65376335363732633132326630323161393861323833323631613630343262383137656138356262
+ 3730386139393739373738626535376636666135646463350a623331333032346434343465666234
+ 38393539623437376133363063633238383031326431653737346564323837343265653431633962
+ 6665346237666165330a643635653863356633623535383063366632336437313730626233346664
+ 33303465616532313339393634386166363162393661393037323835323035386663
 grafana_url: "monitor.9iron.club"
 grafana_webroot: "/var/www/grafana"
 # Nextcloud
 nextcloud_mysql_password: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 37633035633563646266346264333636393931323664313166633133653461646333643731636661
- 3966666665396239346662613764353333393038663762340a313236396331623061376462356437
- 66373234633939393034353439393465663131303661393164303335336435653734613064663964
- 3332313764623133630a393731613236373837316437653265636663666261383135636662373566
- 61373135303632336237333836353764646639633735323566346366623766646266
+ $ANSIBLE_VAULT;1.1;AES256
+ 37633035633563646266346264333636393931323664313166633133653461646333643731636661
+ 3966666665396239346662613764353333393038663762340a313236396331623061376462356437
+ 66373234633939393034353439393465663131303661393164303335336435653734613064663964
+ 3332313764623133630a393731613236373837316437653265636663666261383135636662373566
+ 61373135303632336237333836353764646639633735323566346366623766646266
 nextcloud_tarbz2: "https://download.nextcloud.com/server/releases/nextcloud-18.0.0.tar.bz2"
 nextcloud_url: "nc.9iron.club"
 nextcloud_webroot: "/var/www/nextcloud"
diff --git a/roles/user/defaults/main.yml b/roles/user/defaults/main.yml
new file mode 100644
index 0000000..5eb903b
--- /dev/null
+++ b/roles/user/defaults/main.yml
@@ -0,0 +1,4 @@
+# vim:ft=ansible:
+user_username: salt
+user_shell: /bin/bash
+user_password: "!"
diff --git a/roles/user/tasks/main.yml b/roles/user/tasks/main.yml
index 6f0da51..1c57408 100644
--- a/roles/user/tasks/main.yml
+++ b/roles/user/tasks/main.yml
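Review bot: `user_password: "!"` carries no comment saying that the value is consumed as an already-hashed shadow string by the `user` task in roles/user/tasks/main.yml, and that `!` is the conventional marker for a locked account; a caller who sets a plaintext password here would get it written to the shadow field verbatim and never be able to log in. Suggest `# Password hash as stored in /etc/shadow (e.g. from password_hash('sha512')); "!" leaves password login disabled.` above the key. The new file also omits the `---` document start that roles/user/tasks/main.yml uses.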
@@ -2,39 +2,24 @@
 # vim:ft=ansible:
 ---
 - name: Assure user salt
- vars:
- salt_pass: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 37666131343936663962386535343939373161343337383436613961303637376136633736353533
- 3366623536646563383563373265313134663464396231370a303033353661336436386561366139
- 30393536393634653566646636366436656435623534626266343632313336336336346131383361
- 3366343932383930350a383637646261373135376138633533306530306339316235353262356135
- 34626466363266616265653064333365663663306330666632343864373335626265323230633331
- 33623431633665353964623437636231623366383733626266353162633762373035376638663936
- 62383065653836366431316461663862393130653761643937376565366435646665313961663534
- 64303363653631653433343361616635373966326433663466636164613062343561333036613937
- 35616666633737356331653632323639373330396433366639326466373639313630
 user:
- name: salt
- shell: /bin/bash
- password: "{{ salt_pass }}"
+ name: "{{ user_username }}"
+ shell: "{{ user_shell }}"
+ password: "{{ user_password }}"
 groups: sudo
 append: yes
 become: yes
 - name: Bootstrap user
 block:
- - name: Authorize dsk-cstm-0 for user salt
+ - name: Configure SSH keys
 authorized_key:
- user: salt
- state: present
+ user: "{{ user_username }}"
 manage_dir: yes
- key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc03Q21k7rDuIbZ91dIMOSAM7EpT75YFzOoYL6CfHLZbRDsYTVgUSHYL9lfgGiW9CYL9Gp8QT9eLzIdfgn4e8OMMuoW1jayM9nj6iY3tmWlinuzs535j04Us/aY1Gka+f0qf/vJfRAwO0VN92xmLxW4pQMD/r5DKQ3yppvohnAAPeOhoFeLbEPiBgb1ktNxtQF9GdIOdDIEE+dV0UA07dJskTdJGG9Zbff7VEcQXknhaLdclye+BHlNkRv+MvFu4jPnBNttPiM4TSBgOD88U68M6MsYBJ+2e+7cTiO2DWy9bTtAnhWHD468fdS3S9h62l2lsrGBa5dRpc8RCpPXFo/ Salt@tungsten-qemu"
- - name: Authorize lap-th-e560-0 for user salt
- authorized_key:
- user: salt
- state: present
- manage_dir: yes
- key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyOzdOFNONNhr++/2L3iSN04JsLwYHkapslDMEImI0x4chvdfdA9OkEOZHP5EoMUG6uWL3xZZdQ9Egp931oHDc4W5ylPQ1VtqQ2vcyffCfBTOEaUeEgw2tHBDngMqBgTajMSFvTbaC7JNSIdcGP1KTCCYZ3f8DPjVmG8FAKq1kDnCyI4sXHQswi/AbIBrOsWSW+qjrQdD/jU7T2LPQbU9FB+afinDizhGXUzkmbRkOD5z/YsyrWDfaKhGS4EwJpZbEwT7ocnCaQSa74xYLwUlBONhg3u2wq00mrh7vc2WbeGB7VoCsojPIj5r6KoCKzRBVog2HLQ4W7QqfSW/nXR21 salt@iridium"
+ key: "{{ item.key }}"
+ state: "{{ item.state }}"
+ loop:
+ - { key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc03Q21k7rDuIbZ91dIMOSAM7EpT75YFzOoYL6CfHLZbRDsYTVgUSHYL9lfgGiW9CYL9Gp8QT9eLzIdfgn4e8OMMuoW1jayM9nj6iY3tmWlinuzs535j04Us/aY1Gka+f0qf/vJfRAwO0VN92xmLxW4pQMD/r5DKQ3yppvohnAAPeOhoFeLbEPiBgb1ktNxtQF9GdIOdDIEE+dV0UA07dJskTdJGG9Zbff7VEcQXknhaLdclye+BHlNkRv+MvFu4jPnBNttPiM4TSBgOD88U68M6MsYBJ+2e+7cTiO2DWy9bTtAnhWHD468fdS3S9h62l2lsrGBa5dRpc8RCpPXFo/ salt@dsk-cstm-0", state: present }
+ - { key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyOzdOFNONNhr++/2L3iSN04JsLwYHkapslDMEImI0x4chvdfdA9OkEOZHP5EoMUG6uWL3xZZdQ9Egp931oHDc4W5ylPQ1VtqQ2vcyffCfBTOEaUeEgw2tHBDngMqBgTajMSFvTbaC7JNSIdcGP1KTCCYZ3f8DPjVmG8FAKq1kDnCyI4sXHQswi/AbIBrOsWSW+qjrQdD/jU7T2LPQbU9FB+afinDizhGXUzkmbRkOD5z/YsyrWDfaKhGS4EwJpZbEwT7ocnCaQSa74xYLwUlBONhg3u2wq00mrh7vc2WbeGB7VoCsojPIj5r6KoCKzRBVog2HLQ4W7QqfSW/nXR21 salt@lap-th-e560-0", state: present }
 - name: Check for dotfile initialization
 stat: path=$HOME/.dotfiles
 register: p
@@ -76,4 +61,4 @@
 state: absent
 when: not p.stat.exists
 become: yes
- become_user: salt
+ become_user: "{{ user_username }}"
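Review bot: The `loop:` added to the `Configure SSH keys` task still hard-codes the two personal keys, so any play that sets `user_username` to another account — now possible, since the name is a variable — installs the author's keys on that account, which the preceding `user` task also adds to `sudo`. Move the two entries to a `user_authorized_keys` list in roles/user/defaults/main.yml (each item keeping its `key` and `state`) and loop with `loop: "{{ user_authorized_keys }}"`; the default keeps today's behaviour and a caller can override the list alongside `user_username`. As written, the two flow-style mappings each put a very long key on one line; in block style each `key:` would sit on its own line and the items would diff cleanly. The `Bootstrap user` block continues past the end of the hunk, and the second hunk's `become_user: "{{ user_username }}"` belongs to a task whose start is outside it.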