Update local_accounts role

2024-04-15 21:44:21 +02:00 · 2024-04-15 21:44:21 +02:00 · 1d65cf897f
parent 8f6e5f93c2
commit 1d65cf897f
6 changed files with 64 additions and 23 deletions
--- a/slococo/playground/README.md
+++ b/slococo/playground/README.md
@ -26,7 +26,7 @@ This role configures multiple local user accounts on the target host as specifie
  - `groups`: List of groups the user belongs to (optional)
  - `passwordless`: Enable or disable passwordless authentication (optional)

- `local_accounts_pk_path`: Path to the private key on the Ansible control node (optional)
+- `local_accounts_key_path`: Path to the private key on the Ansible control node (optional)

 ### Usage

--- a/slococo/playground/roles/local_accounts/README.md
+++ b/slococo/playground/roles/local_accounts/README.md
@ -22,8 +22,9 @@ local_accounts_list:
    home:                  # Home directory path for the local user (optional, default: "/home/{{ name }}")
    groups:                # List of groups the local user belongs to (optional, default: its own group)
    passwordless:          # Boolean value indicating whether SSH key pairs should be generated for passwordless authentication (optional, default: false)
-    
-local_accounts_pk_path:    # Path to the private key on the Ansible control node (optional, default: "/tmp")
+
+local_accounts_key_path:    # Path to the private and public keys on the Ansible control node (optional, default: "/tmp")
+local_accounts_key_type:    # Type of the private key used for SSH authentication (optional, default: "ed25519")
 ```

 Example Playbook
--- a/slococo/playground/roles/local_accounts/defaults/main.yml
+++ b/slococo/playground/roles/local_accounts/defaults/main.yml
@ -1,2 +1,4 @@
 ---
 local_accounts_list: []
+local_accounts_key_path: "/tmp"
+local_accounts_key_type: "ed25519"
--- a/slococo/playground/roles/local_accounts/meta/argument_specs.yml
+++ b/slococo/playground/roles/local_accounts/meta/argument_specs.yml
@ -33,15 +33,20 @@ argument_specs:
          groups:
            type: list
            required: false
-            default: ""
+            default: "{{ name if name is defined else '' }}"
            description: The primary group for the local user.
          passwordless:
            type: bool
            required: false
            default: false
            description: Boolean value indicating whether SSH key pairs should be generated for passwordless authentication.
-      local_accounts_pk_path:
+      local_accounts_key_path:
        type: str
        required: false
        default: /tmp
-        description: "Path to the private key on the Ansible control node. If not provided, the default path will be /tmp."
+        description: "Path to the private and public keys on the Ansible control node."
+      local_accounts_key_type:
+        type: str
+        required: false
+        default: "ed25519"
+        description: "Type of the private key used for SSH authentication. Options include 'ed25519', 'rsa', etc."
--- a/slococo/playground/roles/local_accounts/tasks/main.yml
+++ b/slococo/playground/roles/local_accounts/tasks/main.yml
@ -5,25 +5,28 @@
    shell: "{{ item.shell }}"
    uid: "{{ item.userid }}"
    expires: "{{ (((item.expiry_date + ' 00:00:00') | to_datetime).strftime('%s')) if item.expiry_date is defined else omit }}"
-    home: "{{ item.home | default(omit) }}"
+    home: "{{ item.home | default('/home/' + item.name) }}"
    groups: "{{ item.groups | default(omit) }}"
  loop: "{{ local_accounts_list }}"

- name: Add home
+- name: Add key_path to the user accoounts
  ansible.builtin.set_fact:
-    accounts_with_home: "{{ accounts_with_home | default([]) + [item | combine({'home': item.home | default('/home/' + item.name)})] }}"
+    local_accounts_list_agg: >-
+      {{
+      local_accounts_list_agg | default([]) + [
+        item | combine({
+          'key_path': local_accounts_key_path | regex_replace('/$', '') + '/id_' + local_accounts_key_type + '_' + item.name
+        })
+      ]
+      }}
  loop: "{{ local_accounts_list }}"
-
- name: Determine key path
-  ansible.builtin.set_fact:
-    key_path: "{{ (local_accounts_pk_path | default('/tmp')) | regex_replace('/$', '') }}/id_rsa"
+  when: item.passwordless | default(false) | bool

 - name: Generate SSH key pairs for local users
  community.crypto.openssh_keypair:
-    path: "{{ key_path }}_{{ item.name }}"
-    type: ed25519
-  loop: "{{ accounts_with_home }}"
-  when: item.passwordless | default(false) | bool
+    path: "{{ item.key_path }}"
+    type: "{{ local_accounts_key_type }}"
+  loop: "{{ local_accounts_list_agg | default([]) }}"
  delegate_to: localhost
  run_once: true
  become: false
@ -35,15 +38,14 @@
    owner: "{{ item.name }}"
    group: "{{ item.name }}"
    mode: '0700'
-  loop: "{{ accounts_with_home }}"
-  when: item.passwordless | default(false) | bool
+  loop: "{{ local_accounts_list_agg | default([]) }}"

 - name: Copy public keys to authorized_keys for passwordless authentication
  ansible.builtin.copy:
-    content: "{{ lookup('file', key_path + '_' + item.name + '.pub') }}"
+    content: "{{ lookup('file', item.key_path + '.pub') }}"
    dest: "{{ item.home }}/.ssh/authorized_keys"
    owner: "{{ item.name }}"
    group: "{{ item.name }}"
    mode: '0600'
-  loop: "{{ accounts_with_home }}"
-  when: not ansible_check_mode and item.passwordless | default(false) | bool
+  loop: "{{ local_accounts_list_agg | default([]) }}"
+  when: not ansible_check_mode
--- a/slococo/playground/roles/local_accounts/tests/test.yml
+++ b/slococo/playground/roles/local_accounts/tests/test.yml
@ -16,6 +16,37 @@
        expiry_date: '2024-12-31'
        home: /home/test_user2_another
        groups: ['docker', 'root']
+        passwordless: true

  roles:
-    - role: slococo.playground.local_accounts
+    - slococo.playground.local_accounts
+
+  tasks:
+    - name: Ensure all the users are present with the correct values
+      ansible.builtin.user:
+        name: "{{ item.name }}"
+        shell: "{{ item.shell }}"
+        uid: "{{ item.userid }}"
+        expires: "{{ (((item.expiry_date + ' 00:00:00') | to_datetime).strftime('%s')) if item.expiry_date is defined else omit }}"
+        home: "{{ item.home | default('/home/' + item.name) }}"
+        groups: "{{ item.groups | default(omit) }}"
+        state: present
+      loop: "{{ local_accounts_list }}"
+
+    - name: Ensure SSH key pair was created for each user
+      ansible.builtin.file:
+        path: "{{ item.key_path }}"
+      loop: "{{ local_accounts_list_agg | default([]) }}"
+
+    - name: Test SSH connection for each user
+      ansible.builtin.shell: >
+        ssh -T -i {{ item.key_path }}
+          -o StrictHostKeyChecking=no
+          -o BatchMode=yes
+          -o ConnectTimeout=5
+          {{ item.name }}@localhost
+      loop: "{{ local_accounts_list_agg | default([]) }}"
+      ignore_errors: true
+      register: ssh_results
+      changed_when: false
+      failed_when: ssh_results.rc != 0