slococo
/
ansible-playground
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 1 Wiki Activity

Update local_accounts role
ci/woodpecker/push/lint Pipeline was successful Details
ci/woodpecker/push/test Pipeline failed Details

This commit is contained in:
Santiago Lo Coco 2024-04-15 21:44:21 +02:00
parent 8f6e5f93c2
commit 1d65cf897f
6 changed files with 64 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
slococo/playground/README.md
View File

@ -26,7 +26,7 @@ This role configures multiple local user accounts on the target host as specifie
- `groups`: List of groups the user belongs to (optional) - `groups`: List of groups the user belongs to (optional)
- `passwordless`: Enable or disable passwordless authentication (optional) - `passwordless`: Enable or disable passwordless authentication (optional)
- `local_accounts_pk_path`: Path to the private key on the Ansible control node (optional) - `local_accounts_key_path`: Path to the private key on the Ansible control node (optional)
### Usage ### Usage

5
slococo/playground/roles/local_accounts/README.md
View File

@ -22,8 +22,9 @@ local_accounts_list:
home: # Home directory path for the local user (optional, default: "/home/{{ name }}") home: # Home directory path for the local user (optional, default: "/home/{{ name }}")
groups: # List of groups the local user belongs to (optional, default: its own group) groups: # List of groups the local user belongs to (optional, default: its own group)
passwordless: # Boolean value indicating whether SSH key pairs should be generated for passwordless authentication (optional, default: false) passwordless: # Boolean value indicating whether SSH key pairs should be generated for passwordless authentication (optional, default: false)
local_accounts_pk_path: # Path to the private key on the Ansible control node (optional, default: "/tmp") local_accounts_key_path: # Path to the private and public keys on the Ansible control node (optional, default: "/tmp")
local_accounts_key_type: # Type of the private key used for SSH authentication (optional, default: "ed25519")
``` ```
Example Playbook Example Playbook

2
slococo/playground/roles/local_accounts/defaults/main.yml
View File

@ -1,2 +1,4 @@
--- ---
local_accounts_list: [] local_accounts_list: []
local_accounts_key_path: "/tmp"
local_accounts_key_type: "ed25519"

11
slococo/playground/roles/local_accounts/meta/argument_specs.yml
View File

@ -33,15 +33,20 @@ argument_specs:
groups: groups:
type: list type: list
required: false required: false
default: "" default: "{{ name if name is defined else '' }}"
description: The primary group for the local user. description: The primary group for the local user.
passwordless: passwordless:
type: bool type: bool
required: false required: false
default: false default: false
description: Boolean value indicating whether SSH key pairs should be generated for passwordless authentication. description: Boolean value indicating whether SSH key pairs should be generated for passwordless authentication.
local_accounts_pk_path: local_accounts_key_path:
type: str type: str
required: false required: false
default: /tmp default: /tmp
description: "Path to the private key on the Ansible control node. If not provided, the default path will be /tmp." description: "Path to the private and public keys on the Ansible control node."
local_accounts_key_type:
type: str
required: false
default: "ed25519"
description: "Type of the private key used for SSH authentication. Options include 'ed25519', 'rsa', etc."

34
slococo/playground/roles/local_accounts/tasks/main.yml
View File

@ -5,25 +5,28 @@
shell: "{{ item.shell }}" shell: "{{ item.shell }}"
uid: "{{ item.userid }}" uid: "{{ item.userid }}"
expires: "{{ (((item.expiry_date + ' 00:00:00') | to_datetime).strftime('%s')) if item.expiry_date is defined else omit }}" expires: "{{ (((item.expiry_date + ' 00:00:00') | to_datetime).strftime('%s')) if item.expiry_date is defined else omit }}"
home: "{{ item.home | default(omit) }}" home: "{{ item.home | default('/home/' + item.name) }}"
groups: "{{ item.groups | default(omit) }}" groups: "{{ item.groups | default(omit) }}"
loop: "{{ local_accounts_list }}" loop: "{{ local_accounts_list }}"
- name: Add home - name: Add key_path to the user accoounts
ansible.builtin.set_fact: ansible.builtin.set_fact:
accounts_with_home: "{{ accounts_with_home | default([]) + [item | combine({'home': item.home | default('/home/' + item.name)})] }}" local_accounts_list_agg: >-
{{
local_accounts_list_agg | default([]) + [
item | combine({
'key_path': local_accounts_key_path | regex_replace('/$', '') + '/id_' + local_accounts_key_type + '_' + item.name
})
]
}}
loop: "{{ local_accounts_list }}" loop: "{{ local_accounts_list }}"
when: item.passwordless | default(false) | bool
- name: Determine key path
ansible.builtin.set_fact:
key_path: "{{ (local_accounts_pk_path | default('/tmp')) | regex_replace('/$', '') }}/id_rsa"
- name: Generate SSH key pairs for local users - name: Generate SSH key pairs for local users
community.crypto.openssh_keypair: community.crypto.openssh_keypair:
path: "{{ key_path }}_{{ item.name }}" path: "{{ item.key_path }}"
type: ed25519 type: "{{ local_accounts_key_type }}"
loop: "{{ accounts_with_home }}" loop: "{{ local_accounts_list_agg | default([]) }}"
when: item.passwordless | default(false) | bool
delegate_to: localhost delegate_to: localhost
run_once: true run_once: true
become: false become: false
@ -35,15 +38,14 @@
owner: "{{ item.name }}" owner: "{{ item.name }}"
group: "{{ item.name }}" group: "{{ item.name }}"
mode: '0700' mode: '0700'
loop: "{{ accounts_with_home }}" loop: "{{ local_accounts_list_agg | default([]) }}"
when: item.passwordless | default(false) | bool
- name: Copy public keys to authorized_keys for passwordless authentication - name: Copy public keys to authorized_keys for passwordless authentication
ansible.builtin.copy: ansible.builtin.copy:
content: "{{ lookup('file', key_path + '_' + item.name + '.pub') }}" content: "{{ lookup('file', item.key_path + '.pub') }}"
dest: "{{ item.home }}/.ssh/authorized_keys" dest: "{{ item.home }}/.ssh/authorized_keys"
owner: "{{ item.name }}" owner: "{{ item.name }}"
group: "{{ item.name }}" group: "{{ item.name }}"
mode: '0600' mode: '0600'
loop: "{{ accounts_with_home }}" loop: "{{ local_accounts_list_agg | default([]) }}"
when: not ansible_check_mode and item.passwordless | default(false) | bool when: not ansible_check_mode

33
slococo/playground/roles/local_accounts/tests/test.yml
View File

@ -16,6 +16,37 @@
expiry_date: '2024-12-31' expiry_date: '2024-12-31'
home: /home/test_user2_another home: /home/test_user2_another
groups: ['docker', 'root'] groups: ['docker', 'root']
passwordless: true
roles: roles:
- role: slococo.playground.local_accounts - slococo.playground.local_accounts
tasks:
- name: Ensure all the users are present with the correct values
ansible.builtin.user:
name: "{{ item.name }}"
shell: "{{ item.shell }}"
uid: "{{ item.userid }}"
expires: "{{ (((item.expiry_date + ' 00:00:00') | to_datetime).strftime('%s')) if item.expiry_date is defined else omit }}"
home: "{{ item.home | default('/home/' + item.name) }}"
groups: "{{ item.groups | default(omit) }}"
state: present
loop: "{{ local_accounts_list }}"
- name: Ensure SSH key pair was created for each user
ansible.builtin.file:
path: "{{ item.key_path }}"
loop: "{{ local_accounts_list_agg | default([]) }}"
- name: Test SSH connection for each user
ansible.builtin.shell: >
ssh -T -i {{ item.key_path }}
-o StrictHostKeyChecking=no
-o BatchMode=yes
-o ConnectTimeout=5
{{ item.name }}@localhost
loop: "{{ local_accounts_list_agg | default([]) }}"
ignore_errors: true
register: ssh_results
changed_when: false
failed_when: ssh_results.rc != 0