| author | 2024-04-10 21:34:40 +0200 | |
|---|---|---|
| committer | 2024-04-13 08:53:01 +0200 | |
| commit | 546fa6555d0cba300486f035ae8ca7fecc30d345 (patch) | |
| tree | 5d5debc27b264a6dbed6edd9e9c24ce65ae57704 | |
| parent | Copy root bashrc from skel (diff) | |
Add a users role
The new `pydis-users` role allows us to manage user accounts and move
away from the root user setup script, eventually locking down SSH access
to the root user.
Joe, Chris and I have been added as users.
| -rw-r--r-- | .github/workflows/lint-ansible.yaml | 1 | ||||
| -rw-r--r-- | .pre-commit-config.yaml | 2 | ||||
| -rw-r--r-- | ansible/.gitattributes | 1 | ||||
| -rw-r--r-- | ansible/playbook.yml | 1 | ||||
| -rw-r--r-- | ansible/roles/pydis-users/defaults/main.yml | 2 | ||||
| -rw-r--r-- | ansible/roles/pydis-users/tasks/main.yml | 27 | ||||
| -rw-r--r-- | ansible/roles/pydis-users/vars/main.yml | bin | 0 -> 1011 bytes | 
7 files changed, 33 insertions, 1 deletions
| diff --git a/.github/workflows/lint-ansible.yaml b/.github/workflows/lint-ansible.yaml
index 217967b..5359008 100644
--- a/.github/workflows/lint-ansible.yaml
+++ b/.github/workflows/lint-ansible.yaml
@@ -22,6 +22,7 @@ jobs:
         run: |
           cd ansible
           echo "$VAULT_PASSWORD" > vault_passwords
+          grep -R GITCRYPT --files-with-matches . | xargs rm
           ansible-lint --offline
         env:
           VAULT_PASSWORD: "${{ secrets.vault-password }}"
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 8229e8b..b133272 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,4 +1,4 @@
-exclude: (secrets?\.ya?ml)|(ghcr-pull-secrets\.yaml)$
+exclude: (secrets?\.ya?ml)|(ghcr-pull-secrets\.yaml)|pydis-users/vars/main.yml$
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
   rev: v4.5.0
diff --git a/ansible/.gitattributes b/ansible/.gitattributes
new file mode 100644
index 0000000..923ae1a
--- /dev/null
+++ b/ansible/.gitattributes
@@ -0,0 +1 @@
+roles/pydis-users/vars/main.yml filter=git-crypt diff=git-crypt
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
index 2ada9c6..7881bf4 100644
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -2,6 +2,7 @@
   hosts: all
   roles:
     - common
+    - pydis-users
     - ufw
     - prometheus-node-exporter
     - wireguard
diff --git a/ansible/roles/pydis-users/defaults/main.yml b/ansible/roles/pydis-users/defaults/main.yml
new file mode 100644
index 0000000..4170b63
--- /dev/null
+++ b/ansible/roles/pydis-users/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+pydis_users__users: []
diff --git a/ansible/roles/pydis-users/tasks/main.yml b/ansible/roles/pydis-users/tasks/main.yml
new file mode 100644
index 0000000..8378af8
--- /dev/null
+++ b/ansible/roles/pydis-users/tasks/main.yml
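Review bot: The added `grep -R GITCRYPT --files-with-matches . | xargs rm` deletes every file under ansible/ whose contents merely contain the string GITCRYPT, not only git-crypt-encrypted ones, and when nothing matches `xargs` still runs `rm` with no operands, which fails the step under the runner's default `pipefail` shell. Selecting files by the `filter=git-crypt` attribute this commit also adds (`git ls-files -z | git check-attr --stdin -z filter`) would be precise; at minimum prefer `grep -RlZ GITCRYPT . | xargs -0 -r rm` so names with whitespace are safe and an empty match list is a no-op. A comment above the line, `# git-crypt files stay encrypted in CI; remove them so ansible-lint does not parse ciphertext`, would record why files are deleted before linting. The `run:` block is shown in context, but the job definition starts outside the hunk.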
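Review bot: The new alternative `pydis-users/vars/main.yml$` leaves the dot unescaped, unlike the two escaped alternatives beside it, so it also matches any single character there; write it as `pydis-users/vars/main\.yml$` for consistency. As the role's vars file is git-crypt ciphertext, excluding it from every hook is the right call; a trailing comment such as `# encrypted with git-crypt` after the line would make that intent obvious to the next reader.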
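Review bot: The default `pydis_users__users: []` is a list, but both tasks in `ansible/roles/pydis-users/tasks/main.yml` pipe the variable through `dict2items`, which only accepts a mapping, so running the role with no users configured fails at the first task instead of being a no-op. Change the default to `pydis_users__users: {}` so the empty case produces an empty loop. A comment documenting the expected shape would also help, e.g. `# username -> {groups, hashed_password, ssh_key, ssh_key_options}; real entries live in the git-crypt-protected vars/main.yml`.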
@@ -0,0 +1,27 @@
+---
+- name: Create users
+  ansible.builtin.user:
+    name: "{{ item.key }}"
+    groups: "{{ item.value.groups | default(omit) }}"
+    password: "{{ item.value.hashed_password | default(omit) }}"
+    shell: /bin/bash
+    state: present
+  loop_control:
+    label: "{{ item.key }}"
+  loop: "{{ pydis_users__users | dict2items }}"
+  tags:
+    - role::pydis-users
+
+- name: Manage authorized keys
+  ansible.posix.authorized_key:
+    comment: Ansible managed
+    exclusive: true
+    key: "{{ item.value.ssh_key }}"
+    key_options: "{{ item.value.ssh_key_options | default(omit) }}"
+    user: "{{ item.key }}"
+    state: present
+  loop_control:
+    label: "{{ item.key }}"
+  loop: "{{ pydis_users__users | dict2items }}"
+  tags:
+    - role::pydis-users
diff --git a/ansible/roles/pydis-users/vars/main.yml b/ansible/roles/pydis-users/vars/main.yml
Binary files differ
new file mode 100644
index 0000000..ef918e6
--- /dev/null
+++ b/ansible/roles/pydis-users/vars/main.yml | 
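Review bot: Both tasks hard-code `state: present`, so removing a person from `pydis_users__users` leaves their account, shell and authorized keys on every host, which undercuts the commit's goal of moving SSH access off root onto managed accounts. Drive the state from the entry in both the `ansible.builtin.user` and `ansible.posix.authorized_key` tasks, `state: "{{ item.value.state | default('present') }}"`, so offboarding is declarative, and consider `remove: true` on the user task for absent entries if home directories should go too. ansible-lint's `no-log-password` rule also expects `no_log: true` on a looped task that sets `password`, even though `loop_control.label` already keeps the hash out of task output. A header comment stating that `hashed_password` must already be a crypt(3) hash and that `exclusive: true` replaces the user's entire authorized_keys with the single `ssh_key` from vars would save the next maintainer a surprise.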
