From 546fa6555d0cba300486f035ae8ca7fecc30d345 Mon Sep 17 00:00:00 2001
From: Johannes Christ
Date: Wed, 10 Apr 2024 21:34:40 +0200
Subject: Add a users role

The new `pydis-users` role allows us to manage user accounts and move away from the root user setup script, eventually locking down SSH access to the root user.

Joe, Chris and me have been added as users.
---
 ansible/.gitattributes | 1 +
 ansible/playbook.yml | 1 +
 ansible/roles/pydis-users/defaults/main.yml | 2 ++
 ansible/roles/pydis-users/tasks/main.yml | 27 +++++++++++++++++++++++++++
 ansible/roles/pydis-users/vars/main.yml | Bin 0 -> 1011 bytes
 5 files changed, 31 insertions(+)
 create mode 100644 ansible/.gitattributes
 create mode 100644 ansible/roles/pydis-users/defaults/main.yml
 create mode 100644 ansible/roles/pydis-users/tasks/main.yml
 create mode 100644 ansible/roles/pydis-users/vars/main.yml

(limited to 'ansible')

diff --git a/ansible/.gitattributes b/ansible/.gitattributes
new file mode 100644
index 0000000..923ae1a
--- /dev/null
+++ b/ansible/.gitattributes
@@ -0,0 +1 @@
+roles/pydis-users/vars/main.yml filter=git-crypt diff=git-crypt
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
index 2ada9c6..7881bf4 100644
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -2,6 +2,7 @@
   hosts: all
   roles:
     - common
+    - pydis-users
     - ufw
     - prometheus-node-exporter
     - wireguard
diff --git a/ansible/roles/pydis-users/defaults/main.yml b/ansible/roles/pydis-users/defaults/main.yml
new file mode 100644
index 0000000..4170b63
--- /dev/null
+++ b/ansible/roles/pydis-users/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+pydis_users__users: []
diff --git a/ansible/roles/pydis-users/tasks/main.yml b/ansible/roles/pydis-users/tasks/main.yml
new file mode 100644
index 0000000..8378af8
--- /dev/null
+++ b/ansible/roles/pydis-users/tasks/main.yml
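Review bot: Encrypting the whole of `roles/pydis-users/vars/main.yml` with git-crypt also hides the SSH public keys and group assignments, if that file is where `pydis_users__users` is populated, so a later change that grants someone access to every host will not be reviewable in a plain diff or in `git log -p`. Public keys and group membership are not secret; only the password hashes are. Consider keeping the user dictionary in a plaintext vars file and moving only the hashed passwords into the encrypted file, looked up per user name from the task. The vars file is binary in this patch, so this is inferred from the commit message and the `.gitattributes` line rather than from its contents.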
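Review bot: `pydis_users__users: []` is the wrong empty type: both tasks in `tasks/main.yml` pipe the variable through `dict2items`, which rejects a list, so a host that does not override the default would fail the play rather than create no users; the default should be `pydis_users__users: {}`. The per-user keys the tasks read (`groups`, `hashed_password`, `ssh_key`, `ssh_key_options`) are not documented anywhere in the role; a short comment block above the default describing each key, stating that `hashed_password` must already be a crypt(3) hash and that `ssh_key` is required, would spare the next maintainer reading the tasks. Note also that a role's `vars/main.yml` has higher precedence than inventory and play vars, so if the encrypted vars file defines `pydis_users__users` itself, this default is never used and the user set cannot be varied per host group; `group_vars` would be the more flexible place for it.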
@@ -0,0 +1,27 @@
+---
+- name: Create users
+  ansible.builtin.user:
+    name: "{{ item.key }}"
+    groups: "{{ item.value.groups | default(omit) }}"
+    password: "{{ item.value.hashed_password | default(omit) }}"
+    shell: /bin/bash
+    state: present
+  loop_control:
+    label: "{{ item.key }}"
+  loop: "{{ pydis_users__users | dict2items }}"
+  tags:
+    - role::pydis-users
+
+- name: Manage authorized keys
+  ansible.posix.authorized_key:
+    comment: Ansible managed
+    exclusive: true
+    key: "{{ item.value.ssh_key }}"
+    key_options: "{{ item.value.ssh_key_options | default(omit) }}"
+    user: "{{ item.key }}"
+    state: present
+  loop_control:
+    label: "{{ item.key }}"
+  loop: "{{ pydis_users__users | dict2items }}"
+  tags:
+    - role::pydis-users
diff --git a/ansible/roles/pydis-users/vars/main.yml b/ansible/roles/pydis-users/vars/main.yml
new file mode 100644
index 0000000..ef918e6
Binary files /dev/null and b/ansible/roles/pydis-users/vars/main.yml differ
--
cgit v1.2.3
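Review bot: Removing an entry from `pydis_users__users` does not remove the account or its authorized keys from the hosts, because both tasks hard-code `state: present`; for a role that is meant to replace the root setup and eventually lock down SSH, offboarding should be expressible in the same data rather than done by hand. Read a per-user state in the `Create users` task, `state: "{{ item.value.state | default('present') }}"`, and skip the key task for departing users with `when: item.value.state | default('present') == 'present'`. The user task without `append: true` replaces each user's supplementary groups with exactly the listed ones, which is the right exclusive behaviour for an access-management role but deserves a comment such as `# groups is authoritative: membership not listed here is removed` so nobody adds `append` later by habit. `shell: /bin/bash` is also hard-coded; `shell: "{{ item.value.shell | default('/bin/bash') }}"` keeps the same default while letting a user pick another.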