add users, groups, authorized_keys, and dot files
Showing 17 changed files with 431 additions and 0 deletions.
@@ -0,0 +1,9 @@ | ||
# Users and ssh-configAnsible roles | ||
This repo contains 2 roles: | ||
|
||
- **users**: Add users and configure `.bashrc` and `authorized_keys` | ||
- **ssh-config**: Configures a user's `~/.ssh/config` | ||
|
||
Both roles make use of the same _users_ variable and are created to give users the freedom to add their own configuration outside of Ansible. | ||
|
||
Detailed configuration can be found in the README files inside the role's folders. |
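Review bot: the heading on the first line runs two words together ("Users and ssh-configAnsible roles"); it should read `# Users and ssh-config Ansible roles`. The text also says both roles share the _users_ variable but never says that ssh-config must run after users: its tasks touch `/home/<name>/.ssh/config`, and the `.ssh` directory is created by the users role, so either an ordering sentence here or a `meta/main.yml` dependency in ssh-config is needed.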
@@ -0,0 +1,17 @@ | ||
[ssh_connection] | ||
|
||
[defaults] | ||
retry_files_enabled = False | ||
retry_files_save_path = /tmp/ | ||
inventory=./hosts | ||
host_key_checking=False | ||
gathering = smart | ||
#stdout_callback=unixy | ||
stdout_callback=debug | ||
|
||
[privilege_escalation] | ||
become=True | ||
become_method=sudo | ||
become_user=root | ||
#become_ask_pass=False | ||
|
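Review bot: `host_key_checking=False` under `[defaults]` disables SSH host key verification for every connection Ansible makes, so the control node can no longer distinguish a managed host from anything else answering on its address; drop the line and pre-populate `known_hosts` for the inventory hosts instead, or set it only in the environment of a throwaway lab run. `retry_files_save_path = /tmp/` has no effect while `retry_files_enabled = False`, and the `[ssh_connection]` section is empty, so both can be removed.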
@@ -0,0 +1,35 @@ | ||
--- | ||
user_groups: | ||
- name: mygroup | ||
gid: 700 | ||
- name: mysecondgroup | ||
gid: 702 | ||
state: absent | ||
|
||
|
||
users: | ||
- name: remember | ||
state: present | ||
password: "blabla" | ||
groups: | ||
- mygroup | ||
uid: 1100 | ||
keys: | ||
- file: key1 | ||
state: present | ||
shell_lines: | ||
- line: "testline" | ||
state: present | ||
- line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh" | ||
state: present | ||
- line: "alias ls='ls lah'" | ||
state: present | ||
ssh_config: | ||
- ServerAliveInterval: 10 | ||
- name: test | ||
keys: | ||
- file: key2 | ||
state: absent | ||
shell_lines: | ||
- line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh" | ||
state: present |
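Review bot: `password: "blabla"` is a plaintext word, but the users README in this same commit requires an encrypted (crypt-style hash) value for `password`; handed to the `user` module as-is, the literal string is written into the shadow entry as if it were a hash, which leaves the account without a usable password and makes Ansible warn that the input does not look hashed. Generate the hash as the FAQ link in the README describes and keep it out of the repository with `ansible-vault`. Separately, `alias ls='ls lah'` is missing the dash (`ls -lah`); as written it tries to list a file named `lah`.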
@@ -0,0 +1,3 @@ | ||
10.106.116.157 ssh_short_name=host1 ansible_user=root | ||
10.106.116.139 ssh_short_name=host2 ansible_user=root | ||
34.242.108.38 ssh_short_name=freebsd1 ansible_user=ec2-user ansible_python_interpreter=/usr/local/bin/python2.7 |
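Review bot: the two Linux hosts log in directly as `root` (`ansible_user=root`) although `ansible.cfg` already sets `become=True` and `become_user=root`; an unprivileged Ansible account with sudo, as the `ec2-user` entry for the FreeBSD host already does, would let root SSH login stay disabled on those machines. Giving the hosts inventory aliases instead of bare IP addresses would also keep `ssh_short_name` and the inventory name from drifting apart when addresses change.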
add-users-groups-authorized_keys-dot-files/roles/ssh-config/README.md (89 additions & 0 deletions)
@@ -0,0 +1,89 @@ | ||
# ssh-config | ||
Ansible role to configure a user's `~/.ssh/config` file. This will add a | ||
configuration in the ssh config file for each host in the inventory. | ||
|
||
**NOTE: this role works in conjunction with the _users_ variable** | ||
|
||
## Variables | ||
|
||
| _variable name_ | Description | | ||
| ---: |--- | | ||
| ssh_short_name | host identifier name in the ssh config.<br>This should be added to the _host variables_ | | ||
| ssh_config | name of the key in the *users* variable. Contains a list of | ||
key/value items| | ||
|
||
## Example: | ||
|
||
**Host inventory** | ||
``` | ||
10.106.116.157 ssh_short_name=host1 | ||
10.106.116.139 ssh_short_name=host2 | ||
``` | ||
|
||
**Variables** | ||
populate the *ssh_config* key. | ||
``` | ||
users: | ||
- name: remember | ||
state: present | ||
password: "blabla" | ||
groups: | ||
- mygroup | ||
uid: 1100 | ||
keys: | ||
- file: key1 | ||
state: present | ||
shell_lines: | ||
- line: "testline" | ||
state: present | ||
- line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh" | ||
state: present | ||
- line: "alias ls='ls lah'" | ||
state: present | ||
ssh_config: | ||
- ServerAliveInterval: 10 | ||
``` | ||
|
||
**Result:** | ||
``` | ||
# BEGIN ANSIBLE MANAGED BLOCK | ||
Host host1 | ||
Hostname 10.106.116.157 | ||
RemoteForward /home/remember/.gnupg/S.gpg-agent $HOME/.gnupg/S.gpg-agent | ||
RemoteForward /home/remember/.gnupg/S.gpg-agent.ssh $HOME/.gnupg/S.gpg-agent.ssh | ||
ServerAliveInterval 10 | ||
Host host2 | ||
Hostname 10.106.116.139 | ||
RemoteForward /home/remember/.gnupg/S.gpg-agent $HOME/.gnupg/S.gpg-agent | ||
RemoteForward /home/remember/.gnupg/S.gpg-agent.ssh $HOME/.gnupg/S.gpg-agent.ssh | ||
ServerAliveInterval 10 | ||
# END ANSIBLE MANAGED BLOCK | ||
``` | ||
|
||
**Break down** | ||
|
||
The host identifier is populated with the `ssh_short_name` host variable. | ||
``` | ||
Host host1 | ||
``` | ||
|
||
The `Hostname` is populated with the `inventory_hostname` variable | ||
``` | ||
Hostname 10.106.116.139 | ||
``` | ||
|
||
These lines are added by default: | ||
``` | ||
RemoteForward /home/remember/.gnupg/S.gpg-agent $HOME/.gnupg/S.gpg-agent | ||
RemoteForward /home/remember/.gnupg/S.gpg-agent.ssh $HOME/.gnupg/S.gpg-agent.ssh | ||
``` | ||
|
||
Everything below this is populated with the key/values defined in the | ||
`ssh_config` list of the `users` variable | ||
|
||
``` | ||
ServerAliveInterval 10 | ||
``` | ||
|
||
|
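Review bot: the break down shows `Hostname 10.106.116.139` right after walking through `Host host1`, but host1 is `10.106.116.157` in both the inventory and the Result block; use one host for the whole walkthrough. The `ssh_config` row of the variables table is split over two lines (`Contains a list of` / `key/value items|`), which breaks the Markdown table, so join it onto one line. Finally, "These lines are added by default" should say what the two `RemoteForward` lines do (they forward the local gpg-agent sockets to every host in the inventory), because users get that behaviour without asking for it.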
Empty file.
add-users-groups-authorized_keys-dot-files/roles/ssh-config/tasks/main.yml (44 additions & 0 deletions)
@@ -0,0 +1,44 @@ | ||
--- | ||
- name: Check if user has ~/.ssh/config | ||
stat: | ||
path: "/home/{{ item.name }}/.ssh/config" | ||
with_items: "{{ users }}" | ||
register: sshconfig | ||
|
||
|
||
- name: Create ~/.ssh/config when absent | ||
file: | ||
path: "/home/{{ item.item.name }}/.ssh/config" | ||
owner: "{{ item.item.name }}" | ||
group: "{{ item.item.name }}" | ||
mode: 0600 | ||
state: touch | ||
when: item.stat.exists == False | ||
with_items: | ||
- "{{ sshconfig.results }}" | ||
no_log: True | ||
|
||
|
||
- name: Configure ~/.ssh/config | ||
blockinfile: | ||
path: "/home/{{ item.0.name }}/.ssh/config" | ||
owner: "{{ item.0.name }}" | ||
group: "{{ item.0.name }}" | ||
mode: 0600 | ||
marker: "# {mark} ANSIBLE MANAGED BLOCK" | ||
content: | | ||
{% for host in groups['all'] -%} | ||
Host {{ hostvars[host]['ssh_short_name'] }} | ||
Hostname {{ hostvars[host]['inventory_hostname'] }} | ||
RemoteForward /home/{{ item.0.name }}/.gnupg/S.gpg-agent $HOME/.gnupg/S.gpg-agent | ||
RemoteForward /home/{{ item.0.name }}/.gnupg/S.gpg-agent.ssh $HOME/.gnupg/S.gpg-agent.ssh | ||
{% for k,v in item.1.items() %} | ||
{% if k|lower != "host" and k|lower != "hostname" %} | ||
{{k}} {{v}} | ||
{% endif %} | ||
{% endfor %} | ||
{% endfor %} | ||
with_subelements: | ||
- "{{ users }}" | ||
- ssh_config | ||
- skip_missing: true |
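Review bot: the `Configure ~/.ssh/config` task rewrites the same `# BEGIN/END ANSIBLE MANAGED BLOCK` once per entry of `ssh_config`, so a user with more than one list item (say `- ServerAliveInterval: 10` followed by `- Compression: yes`) ends up with only the last item in the file; render all entries in a single `blockinfile` call by looping over `item.ssh_config` inside the template with `with_items: "{{ users }}"` instead of `with_subelements`. The two `RemoteForward` lines are emitted for every host unconditionally, which exposes the local gpg-agent and its SSH-auth socket to every inventory host for the life of each session; make them opt-in per host or per user. Smaller points: `when: item.stat.exists == False` reads better as `when: not item.stat.exists`, `no_log: True` on the touch task hides nothing sensitive and only obscures failures, and the hardcoded `/home/` prefix should come from the user's actual home directory.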
add-users-groups-authorized_keys-dot-files/roles/users/README.md (109 additions & 0 deletions)
@@ -0,0 +1,109 @@ | ||
# Users | ||
Ansible roles to create/configure users on Linux/FreeBSD. | ||
|
||
## Variables | ||
| user_groups | | | | ||
| ---: |--- |--- | | ||
| name | name of the group | Data type | | ||
| gid | Optionally set the group ID | int | | ||
| state | whether the group shoud be created or removed | present/absent | | ||
|
||
|
||
| users | | | | ||
| ---: |---| ---| | ||
| _variable name_ | Description | Data type | | ||
| name | username | string | | ||
| state | whether the user should be created or removed | present/absent | | ||
| password | string of an encrypted value(1) | string | | ||
| groups | additional groups the user should belong to | list | | ||
| uid | optionally specify a user id | int | | ||
| keys | list of dictionaries | list | | ||
| shell_lines | list of dictionaries | list | | ||
|
||
(1) https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-crypted-passwords-for-the-user-module | ||
## Default variables | ||
The default shells depending on the OS are: | ||
|
||
- Linux: `/bin/bash` | ||
- FreeBSD: `/bin/cshrc` | ||
|
||
This is defined in the `defaults` section of the **users** role | ||
|
||
|
||
## Example inventory | ||
``` | ||
user_groups: | ||
- name: mygroup | ||
gid: 700 | ||
users: | ||
- name: remember | ||
state: present | ||
password: "blabla" | ||
groups: | ||
- mygroup | ||
uid: 1100 | ||
keys: | ||
- file: key1 | ||
state: present | ||
shell_lines: | ||
- line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh" | ||
state: present | ||
- line: "alias ls='ls lah'" | ||
state: present | ||
- name: test | ||
keys: | ||
- file: key2 | ||
state: absent | ||
shell_lines: | ||
- line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh" | ||
state: absent | ||
``` | ||
## Using the Role | ||
### Example Playbook | ||
``` | ||
--- | ||
- name: Manage user configuration | ||
hosts: all | ||
remote_user: root | ||
roles: | ||
- users | ||
``` | ||
### Configure a user's ssh keys | ||
For every user a directory matching the username should be created under the _keys_ folder in the role's _files_ folder. In this folder the user's ssh keys can be stored. | ||
|
||
``` | ||
├── files | ||
│ └── keys | ||
│ ├── remember | ||
│ │ └── key1.pub | ||
│ └── test | ||
│ └── key2.pub | ||
``` | ||
The name of the file holding the key should match the name in the _users_ variable | ||
|
||
``` | ||
keys: | ||
- file: key1 | ||
state: present | ||
``` | ||
|
||
### Configure a user's shell | ||
This role allows you to add or remove lines to a user's `.bashrc` or `cshrc` file. Since this is not based on a template that overwrites the complete file, users can still add their own configuration too. | ||
|
||
Add items to the **shell_lines** key in the **users** variable. Each item exists of a _line_ and _state_ key. | ||
|
||
Example: | ||
``` | ||
shell_lines: | ||
- line: "testline" | ||
state: absent | ||
- line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh" | ||
state: present | ||
- line: "alias ls='ls lah'" | ||
state: present | ||
``` | ||
|
||
|
||
|
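Review bot: the README gives the FreeBSD default shell as `/bin/cshrc`, but `defaults/main.yml` in this commit sets `default_freebsd_shell: "/bin/csh"` (`.cshrc` is the rc file, not a shell); correct the README. Typos: "shoud" (should), "Each item exists of" (consists of), and "Ansible roles to create/configure" describes a single role. Both tables are mis-shaped: the `user_groups` table has `Data type` in its first data row rather than the header row, and the `users` table has the `_variable name_ | Description | Data type` header sitting as a data row under an empty header; move those onto the header lines so the tables render.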
add-users-groups-authorized_keys-dot-files/roles/users/defaults/main.yml (4 additions & 0 deletions)
@@ -0,0 +1,4 @@ | ||
default_freebsd_shell: "/bin/csh" | ||
default_linux_shell: "/bin/bash" | ||
default_shell_lines: | ||
- SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh |
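Review bot: `default_shell_lines` holds a bare `SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh`, while every example in the READMEs uses `export SSH_AUTH_SOCK=...`; without `export` the variable exists only in the interactive shell and is not inherited by `ssh` or anything else the user runs. The csh form would be `setenv SSH_AUTH_SOCK ...`, so a single default line cannot serve both `/bin/bash` and `/bin/csh`; either keep one list per shell or drop the default and leave it to `shell_lines`.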
add-users-groups-authorized_keys-dot-files/roles/users/files/keys/remember/key1.pub (1 addition & 0 deletions)
@@ -0,0 +1 @@ | ||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMfztaQoo3Alf4Ie4ZrSEkhojOcKl8VRdoRiYb/7FL3IS/5IcSKcan/MGJlRht3ibwJBx9/CY8wZivHgNKCqtbZWGepfOtgWOqI4ROo4sELmRgV8PZUACjCSfaOkOdvCJEjhw3n+aI5jmK9IUA+mwdXkZj/NckNDZAQ+FRqwR6sX7svM4TF/zEI70JvO3xnDgCuC2PgiztVFfMqbWl33NgkG3kWkJ+JarF2pNsxO/+82s/hoC4P+dpZD1PHhJC7OxUiAHe5nwF7heQh9DUBQxJBhitn7C3XqlxEf7Kx3/kO9CUJVDaxS84UUnfUPc0u1iYpE+5ypqkDSyj3yQNpwXf |
add-users-groups-authorized_keys-dot-files/roles/users/files/keys/test/key2.pub (1 addition & 0 deletions)
@@ -0,0 +1 @@ | ||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMfztaQoo3Alf4Ie4ZrSEkhojOcKl8VRdoRiYb/7FL3IS/5IcSKcan/MGJlRht3ibwJBx9/CY8wZivHgNKCqtbZWGepfOtgWOqI4ROo4sELmRgV8PZUACjCSfaOkOdvCJEjhw3n+aI5jmK9IUA+mwdXkZj/NckNDZAQ+FRqwR6sX7svM4TF/zEI70JvO3xnDgCuC2PgiztVFfMqbWl33NgkG3kWkJ+JarF2pNsxO/+82s/hoC4P+dpZD1PHhJC7OxUiAHe5nwF7heQh9DUBQxJBhitn7C3XqlxEf7Kx3/kO9CUJVDaxS84UUnfUPc0u1iYpE+5ypqkDSyj3yQNpwXd |
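Review bot: `key2.pub` is the same blob as `key1.pub` except for the final base64 character (`...QNpwXf` versus `...QNpwXd`), so it is a hand-edited copy rather than a second key pair; a public key altered this way corresponds to no private key, which makes the `test` user's example misleading. Generate a distinct sample key (for instance `ssh-keygen -t ed25519 -C sample`) or ship an obviously labelled placeholder file instead.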
add-users-groups-authorized_keys-dot-files/roles/users/tasks/main.yml (4 additions & 0 deletions)
@@ -0,0 +1,4 @@ | ||
--- | ||
- include_tasks: set_facts.yml | ||
- include_tasks: users.yml | ||
- include_tasks: ssh_config.yml |
add-users-groups-authorized_keys-dot-files/roles/users/tasks/set_facts.yml (8 additions & 0 deletions)
@@ -0,0 +1,8 @@ | ||
- set_fact: | ||
default_shell: "{{ default_freebsd_shell }}" | ||
when: ansible_os_family == 'FreeBSD' | ||
|
||
- set_fact: | ||
default_shell: "{{ default_linux_shell }}" | ||
when: ansible_os_family == 'Debian' | ||
|
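Review bot: `default_shell` is only set when `ansible_os_family` is `FreeBSD` or `Debian`, so on a RedHat, Suse, Alpine or Arch host it stays undefined and whatever consumes it later fails with an undefined-variable error, even though the README promises Linux support in general. Use `when: ansible_system == 'Linux'` for the second task, or make the Linux value the default and override it only for FreeBSD.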
add-users-groups-authorized_keys-dot-files/roles/users/tasks/ssh_config.yml (20 additions & 0 deletions)
@@ -0,0 +1,20 @@ | ||
- name: Ensure .ssh folder is created | ||
file: | ||
path: "/home/{{item.name}}/.ssh" | ||
state: directory | ||
mode: 0700 | ||
owner: "{{ item.name }}" | ||
group: "{{ item.name }}" | ||
with_items: | ||
- "{{ users }}" | ||
|
||
|
||
- name: Configure authorized_keys | ||
authorized_key: | ||
user: "{{ item.0.name }}" | ||
key: "{{ lookup('file', 'keys/' + item.0.name + '/' + item.1.file + '.pub') }}" | ||
state: "{{ item.1.state | default('present') }}" | ||
with_subelements: | ||
- "{{ users }}" | ||
- keys | ||
|
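Review bot: both tasks iterate every entry of `users` regardless of its `state`, so for a user declared with `state: absent` the `file` task tries to create `/home/<name>/.ssh` owned by an account that no longer exists and `authorized_key` fails on the missing user; add `when: item.state | default('present') == 'present'` to the first task and the equivalent `item.0.state` check to the subelements loop. The `/home/{{ item.name }}` path is also hardcoded; registering the `user` module's result and using its returned `home` would keep the role working for non-default home locations.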