authorGravatar Johannes Christ <[email protected]>2024-04-10 21:34:40 +0200
committerGravatar jchristgit <[email protected]>2024-04-13 08:53:01 +0200
commit546fa6555d0cba300486f035ae8ca7fecc30d345 (patch)
tree5d5debc27b264a6dbed6edd9e9c24ce65ae57704
parentCopy root bashrc from skel (diff)
Add a users role
The new `pydis-users` role allows us to manage user accounts and move away from the root user setup script, eventually locking down SSH access to the root user. Joe, Chris and I have been added as users.
-rw-r--r--.github/workflows/lint-ansible.yaml1
-rw-r--r--.pre-commit-config.yaml2
-rw-r--r--ansible/.gitattributes1
-rw-r--r--ansible/playbook.yml1
-rw-r--r--ansible/roles/pydis-users/defaults/main.yml2
-rw-r--r--ansible/roles/pydis-users/tasks/main.yml27
-rw-r--r--ansible/roles/pydis-users/vars/main.ymlbin0 -> 1011 bytes
7 files changed, 33 insertions, 1 deletions
diff --git a/.github/workflows/lint-ansible.yaml b/.github/workflows/lint-ansible.yaml
index 217967b..5359008 100644
--- a/.github/workflows/lint-ansible.yaml
+++ b/.github/workflows/lint-ansible.yaml
@@ -22,6 +22,7 @@ jobs:
run: |
cd ansible
echo "$VAULT_PASSWORD" > vault_passwords
+ grep -R GITCRYPT --files-with-matches . | xargs rm
ansible-lint --offline
env:
VAULT_PASSWORD: "${{ secrets.vault-password }}"
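Review bot: The added `grep -R GITCRYPT --files-with-matches . | xargs rm` deletes every file under ansible/ whose contents mention the word GITCRYPT, not only git-crypt-encrypted files, and on GNU xargs an empty match list still invokes `rm` with no operands, which fails the step under the default `bash -e` shell. The pipeline also breaks on paths containing whitespace. A NUL-delimited, empty-safe form keeps the intent: `grep -RlZ GITCRYPT . | xargs -0 -r rm --`; a comment above it saying the files are removed because ansible-lint cannot parse the encrypted vars would make the step self-explanatory. The `.gitattributes` added in this commit is presumably the authoritative list of encrypted paths and could drive this instead of a content match. The enclosing step begins outside the hunk.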
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 8229e8b..b133272 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,4 +1,4 @@
-exclude: (secrets?\.ya?ml)|(ghcr-pull-secrets\.yaml)$
+exclude: (secrets?\.ya?ml)|(ghcr-pull-secrets\.yaml)|pydis-users/vars/main.yml$
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.5.0
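Review bot: The `$` anchor on the new exclude line binds only to the last alternative, so `ghcr-pull-secrets\.yaml`, which was end-anchored before this change, now matches anywhere in a path, and the new alternative has an unescaped dot in `main.yml`. Keeping the first alternative as it was while anchoring the other two restores the previous behaviour: `exclude: (secrets?\.ya?ml)|(ghcr-pull-secrets\.yaml|pydis-users/vars/main\.yml)$`.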
diff --git a/ansible/.gitattributes b/ansible/.gitattributes
new file mode 100644
index 0000000..923ae1a
--- /dev/null
+++ b/ansible/.gitattributes
@@ -0,0 +1 @@
+roles/pydis-users/vars/main.yml filter=git-crypt diff=git-crypt
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
index 2ada9c6..7881bf4 100644
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -2,6 +2,7 @@
hosts: all
roles:
- common
+ - pydis-users
- ufw
- prometheus-node-exporter
- wireguard
diff --git a/ansible/roles/pydis-users/defaults/main.yml b/ansible/roles/pydis-users/defaults/main.yml
new file mode 100644
index 0000000..4170b63
--- /dev/null
+++ b/ansible/roles/pydis-users/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+pydis_users__users: []
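Review bot: `pydis_users__users: []` defaults to a list, but both tasks in tasks/main.yml pass the variable through `dict2items`, which rejects anything that is not a mapping, so a host relying on the default fails instead of creating zero users. The role's own vars/main.yml masks this here because role vars take precedence over defaults, but the default should match the consumed type: `pydis_users__users: {}`. A comment listing the per-user keys the tasks read (groups, hashed_password, ssh_key, ssh_key_options) would help, since the real data lives in an encrypted file that most readers cannot open.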
diff --git a/ansible/roles/pydis-users/tasks/main.yml b/ansible/roles/pydis-users/tasks/main.yml
new file mode 100644
index 0000000..8378af8
--- /dev/null
+++ b/ansible/roles/pydis-users/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+- name: Create users
+ ansible.builtin.user:
+ name: "{{ item.key }}"
+ groups: "{{ item.value.groups | default(omit) }}"
+ password: "{{ item.value.hashed_password | default(omit) }}"
+ shell: /bin/bash
+ state: present
+ loop_control:
+ label: "{{ item.key }}"
+ loop: "{{ pydis_users__users | dict2items }}"
+ tags:
+ - role::pydis-users
+
+- name: Manage authorized keys
+ ansible.posix.authorized_key:
+ comment: Ansible managed
+ exclusive: true
+ key: "{{ item.value.ssh_key }}"
+ key_options: "{{ item.value.ssh_key_options | default(omit) }}"
+ user: "{{ item.key }}"
+ state: present
+ loop_control:
+ label: "{{ item.key }}"
+ loop: "{{ pydis_users__users | dict2items }}"
+ tags:
+ - role::pydis-users
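Review bot: Both tasks only ever set `state: present`, so a user dropped from `pydis_users__users` keeps the account and, since `exclusive: true` is no longer applied to them, the authorized keys too; given the stated goal of moving SSH access off root, offboarding should be expressible in the same data. A per-user state on the user task, `state: "{{ item.value.state | default('present') }}"`, plus `when: item.value.state | default('present') == 'present'` on the authorized_key task covers it, with `remove: true` on the user task if home directories should also go. Separately, `groups:` without `append: true` replaces a user's supplementary groups on every run, while `default(omit)` leaves existing groups untouched for entries without a `groups` key; if enforcing membership is intended, a comment such as `# groups is authoritative: users are removed from groups not listed here` would document that asymmetry.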
diff --git a/ansible/roles/pydis-users/vars/main.yml b/ansible/roles/pydis-users/vars/main.yml
new file mode 100644
index 0000000..ef918e6
--- /dev/null
+++ b/ansible/roles/pydis-users/vars/main.yml
Binary files differ