From 473492f5e38ee9265d5302c63f0c91d54f06b5ee Mon Sep 17 00:00:00 2001
From: "pulsar89.5"
Date: Mon, 10 Oct 2022 11:20:20 +0200
Subject: [PATCH] feat: Create role
---
 README.md | 44 ++++++++++++++++++-
 defaults/main.yml | 17 ++++++++
 meta/main.yml | 2 +-
 tasks/configuration.yml | 84 +++++++++++++++++++++++++++++++++++++
 tasks/installation.yml | 42 +++++++++++++++++++
 tasks/main.yml | 10 +++++
 templates/authorized_key.j2 | 5 +++
 templates/bash_aliases.j2 | 13 ++++++
 templates/id_ed25519.j2 | 1 +
 templates/ssh_config.j2 | 3 ++
 templates/sudoers.j2 | 3 ++
 11 files changed, 221 insertions(+), 3 deletions(-)
 create mode 100644 defaults/main.yml
 create mode 100644 tasks/configuration.yml
 create mode 100644 tasks/installation.yml
 create mode 100644 tasks/main.yml
 create mode 100644 templates/authorized_key.j2
 create mode 100644 templates/bash_aliases.j2
 create mode 100644 templates/id_ed25519.j2
 create mode 100644 templates/ssh_config.j2
 create mode 100644 templates/sudoers.j2
diff --git a/README.md b/README.md
index 3edfbf7..b93dd21 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,43 @@
-# role_modele
+# role_users
 
-Modèle
\ No newline at end of file
+Deploy users, groups, sudoers and ssh authorized_keys.
+
+## inventory.yml
+
+```yaml
+---
+
+all:
+ hosts:
+ host1.ykn.local:
+```
+
+## host_vars/host1.ykn.local.yml
+
+```yaml
+---
+
+users: []
+ - name: ansible
+ comment: "Ansible user"
+ update_password: on_create
+ password_lock: true
+ append: true
+ shell: /bin/bash
+ groups: ["sudo"]
+ extras:
+ authorized_keys:
+ - ssh-ed25519 ansible
+ - ssh-ed25519 bot_ansible
+ sudoers: ansible ALL=(ALL) NOPASSWD:ALL
+ - name: flast
+ comment: First LAST
+ password:
+ password_lock: false
+ shell: /bin/bash
+ groups: ["sudo", "adm"]
+ extras:
+ authorized_keys:
+ - ssh-ed25519 flast@computer1
+ - ssh-ed25519 flast@computer2
+```
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..c70cb6d
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,17 @@
+---
+# defaults file for users
+
+users: []
+# Example:
+# - name: ansible
+# comment: "Ansible user"
+# update_password: on_create
+# password_lock: true
+# append: true
+# shell: /bin/bash
+# groups: ["sudo"]
+# extras:
+# authorized_keys:
+# - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILNxxMmKSUHibYrlwyhx6UzyEAIPrghuQ/2fiCvcGAfh ansible
+# - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPerG1LAvNuuwuMnlExCyfsRwGqrM1U3C/aUtuXqhyu bot_ansible
+# sudoers: ansible ALL=(ALL) NOPASSWD:ALL
diff --git a/meta/main.yml b/meta/main.yml
index c58bebf..c35869f 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,7 +1,7 @@
 galaxy_info:
 namespace: ykn
 author: pulsar89.5
- description: Rôle modèle
+ description: Deploy users, groups, sudoers and ssh authorized_keys
 license: GPL-3.0-or-later
diff --git a/tasks/configuration.yml b/tasks/configuration.yml
new file mode 100644
index 0000000..82ad138
--- /dev/null
+++ b/tasks/configuration.yml
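Review bot: The commented example lists `update_password: on_create` and `append: true`, but the "Create users" task in tasks/installation.yml forwards neither key to ansible.builtin.user, so a reader copying this example gets an account whose password is updated whenever it differs from the inventory value rather than only at creation, and whose supplementary groups are replaced rather than extended; either drop the two keys from the example or pass them through in the task (the README example carries the same two keys). The file also does not say that tasks/installation.yml appends every inventory variable matching `^users.+` to this list, which is the only way to contribute users from group_vars without overriding the whole list; a comment such as `# Variables named users<suffix> (e.g. users_admins) are merged into this list by tasks/installation.yml` above `users: []` would make that convention discoverable. `home` is accepted by the task but is absent from the example.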
@@ -0,0 +1,84 @@
+---
+# tasks file for users
+
+- name: Deploy sudoers configuration
+ ansible.builtin.template:
+ src: sudoers.j2
+ dest: /etc/sudoers.d/{{ user.name }}
+ owner: root
+ group: root
+ mode: u=rw,g=,o=
+ when: user.get('extras', {}).get('sudoers')
+ become: true
+ loop: "{{ users }}"
+ loop_control:
+ loop_var: user
+ label: "{{ user.name }}"
+
+- name: Deploy bash_aliases
+ ansible.builtin.template:
+ src: bash_aliases.j2
+ dest: "~{{ user.name }}/.bash_aliases"
+ owner: "{{ user.name }}"
+ group: "{{ user.group | default(user.name) }}"
+ mode: u=rw,g=,o=
+ become: true
+ loop: "{{ users }}"
+ loop_control:
+ loop_var: user
+ label: "{{ user.name }}"
+
+- name: Create ssh directory
+ ansible.builtin.file:
+ state: directory
+ path: "~{{ user.name }}/.ssh"
+ owner: "{{ user.name }}"
+ group: "{{ user.group | default(user.name) }}"
+ mode: u=rwX,g=rX,o=rX
+ become: true
+ loop: "{{ users }}"
+ loop_control:
+ loop_var: user
+ label: "{{ user.name }}"
+
+- name: Deploy SSH configuration
+ ansible.builtin.template:
+ src: ssh_config.j2
+ dest: "~{{ user.name }}/.ssh/config"
+ owner: "{{ user.name }}"
+ group: "{{ user.group | default(user.name) }}"
+ mode: u=rw,g=r,o=r
+ when: user.get('extras', {}).get('ssh_config')
+ become: true
+ loop: "{{ users }}"
+ loop_control:
+ loop_var: user
+ label: "{{ user.name }}"
+
+- name: Deploy SSH private keys
+ ansible.builtin.template:
+ src: id_ed25519.j2
+ dest: "~{{ user.name }}/.ssh/id_ed25519"
+ owner: "{{ user.name }}"
+ group: "{{ user.group | default(user.name) }}"
+ mode: u=rw,g=,o=
+ when: user.get('extras', {}).get('id_ed25519')
+ become: true
+ loop: "{{ users }}"
+ loop_control:
+ loop_var: user
+ label: "{{ user.name }}"
+
+- name: Deploy authorized SSH keys
+ ansible.builtin.template:
+ src: authorized_key.j2
+ dest: "~{{ user.name }}/.ssh/authorized_keys"
+ owner: "{{ user.name }}"
+ group: "{{ user.group | default(user.name) }}"
+ mode: u=rw,g=r,o=r
+ when: user.get('extras', 
{}).get('authorized_keys')
+ become: true
+ loop: "{{ users }}"
+ loop_control:
+ loop_var: user
+ label: "{{ user.name }}"
diff --git a/tasks/installation.yml b/tasks/installation.yml
new file mode 100644
index 0000000..8669e49
--- /dev/null
+++ b/tasks/installation.yml
@@ -0,0 +1,42 @@
+---
+# tasks file for users
+
+- name: Build users list
+ ansible.builtin.set_fact:
+ users: "{{ users + specific }}"
+ when: specific | length > 0
+ loop: "{{ lookup('ansible.builtin.varnames', '^users.+', wantlist=True) }}"
+ vars:
+ specific: "{{ lookup('ansible.builtin.vars', item, default='') }}"
+
+- name: Create groups with the users name
+ ansible.builtin.group:
+ name: "{{ item.name }}"
+ when: user.group is undefined
+ become: true
+ loop: "{{ users }}"
+ loop_control:
+ label: "{{ item.name }}"
+
+- name: Create other groups
+ ansible.builtin.group:
+ name: "{{ item.1 }}"
+ become: true
+ loop: "{{ users | subelements('groups', skip_missing=True) }}"
+ loop_control:
+ label: "{{ item.1 }}"
+
+- name: Create users
+ ansible.builtin.user:
+ name: "{{ item.name }}"
+ comment: "{{ item.comment | default(omit) }}"
+ password: "{{ item.password | default(omit) }}"
+ password_lock: "{{ item.password_lock | default(omit) }}"
+ home: "{{ item.home | default(omit) }}"
+ shell: "{{ item.shell | default(omit) }}"
+ group: "{{ item.group | default(item.name) }}"
+ groups: "{{ item.groups | default(omit) }}"
+ become: true
+ loop: "{{ users }}"
+ loop_control:
+ label: "{{ item.name }}"
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..95f0714
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+# tasks file for users
+
+- name: Import creation tasks
+ ansible.builtin.import_tasks:
+ file: installation.yml
+
+- name: Import configuration tasks
+ ansible.builtin.import_tasks:
+ file: configuration.yml
diff --git a/templates/authorized_key.j2 b/templates/authorized_key.j2
new file mode 100644
index 0000000..a5b1c1a
--- /dev/null
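Review bot: "Deploy sudoers configuration" writes the free-form `user.extras.sudoers` string straight into `/etc/sudoers.d/` with no syntax check, and since sudo parses every included file, one malformed entry disables sudo for the whole host; add `validate: '/usr/sbin/visudo -cf %s'` to that template task so a bad rendering is rejected before it replaces the file. The same task names the file `/etc/sudoers.d/{{ user.name }}`, but sudoers(5) skips include files whose name contains a `.` or ends in `~`, so a dotted account name would get a sudoers file that is silently never applied — `dest: /etc/sudoers.d/{{ user.name | replace('.', '_') }}` avoids that. The file mode `u=rw,g=,o=` is also not the 0440 that sudo documents for sudoers files, and default builds may refuse a file with extra permission bits; worth checking on a target host. "Deploy SSH private keys" templates a private key out of inventory variables without `no_log: true`, so the key material is reproduced in task results and `--diff` output; add `no_log: true` to that task and keep the `id_ed25519` value vault-encrypted (the same applies to templates/id_ed25519.j2, which is otherwise fine).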
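Review bot: In "Create groups with the users name", `when: user.group is undefined` refers to `user`, but this task loops with the default `item` variable and sets no `loop_var`, so the condition never inspects the current entry (depending on how Ansible resolves the undefined `user` it either always passes or fails the task); it should read `when: item.group is undefined`. In "Create users", `groups` is passed without `append`, so ansible.builtin.user's default replaces the account's supplementary groups with the inventory list; adding `append: "{{ item.append | default(omit) }}"` and `update_password: "{{ item.update_password | default(omit) }}"` would also honour the two keys the role's own examples use. "Build users list" concatenates every inventory variable matching `^users.+` with `+`, so a non-list value such as an integer `users_count` would fail the task with a type error rather than being skipped; narrowing the pattern (e.g. `'^users_'`) or adding `specific | type_debug == 'list'` to the `when` would make the merge safer. Since set_fact results persist for the host for the rest of the playbook run, importing the role twice in one run would, as far as I can tell, append the same entries a second time.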
+++ b/templates/authorized_key.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+{% for key in user.extras.authorized_keys %}
+{{ key }}
+{% endfor %}
diff --git a/templates/bash_aliases.j2 b/templates/bash_aliases.j2
new file mode 100644
index 0000000..6b90e69
--- /dev/null
+++ b/templates/bash_aliases.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+
+## BEGIN common
+PS1='${debian_chroot:+($debian_chroot)}\[\033[38;5;99m\]\u@\h\[\033[00m\]:\[\033[38;5;141m\]\w\[\033[00m\]\$ '
+alias ls='ls --color=auto -lah --group-directories-first'
+alias df='df -h --exclude-type=tmpfs --exclude-type=devtmpfs'
+## END common
+{% if user.get('extras', {}).get('bash_aliases', '') | length > 0 %}
+
+## BEGIN user
+{{ user.extras.bash_aliases }}
+## END user
+{% endif %}
diff --git a/templates/id_ed25519.j2 b/templates/id_ed25519.j2
new file mode 100644
index 0000000..b364a8b
--- /dev/null
+++ b/templates/id_ed25519.j2
@@ -0,0 +1 @@
+{{ user.extras.id_ed25519 }}
diff --git a/templates/ssh_config.j2 b/templates/ssh_config.j2
new file mode 100644
index 0000000..6039869
--- /dev/null
+++ b/templates/ssh_config.j2
@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+{{ user.extras.ssh_config }}
diff --git a/templates/sudoers.j2 b/templates/sudoers.j2
new file mode 100644
index 0000000..f0a76dd
--- /dev/null
+++ b/templates/sudoers.j2
@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+{{ user.extras.sudoers }}