diff --git a/.ansible-lint b/.ansible-lint index 2a59016..9cf1499 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -6,6 +6,8 @@ skip_list: mock_roles: - slococo.playground.ssh_config - slococo.playground.local_accounts + - slococo.playground_nodeps.ssh_config + - slococo.playground_nodeps.local_accounts exclude_paths: - converge.yml diff --git a/.gitignore b/.gitignore index 8d5b691..b99f7fc 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,4 @@ .vscode -inventory +/inventory ansible.cfg test.sh diff --git a/slococo/playground_nodeps/LICENSE.md b/slococo/playground_nodeps/LICENSE.md new file mode 100644 index 0000000..bf0d822 --- /dev/null +++ b/slococo/playground_nodeps/LICENSE.md @@ -0,0 +1,20 @@ +The MIT License (MIT) + +Copyright (c) 2024 Santiago Lo Coco. + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +the Software, and to permit persons to whom the Software is furnished to do so, +subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/slococo/playground_nodeps/README.md b/slococo/playground_nodeps/README.md new file mode 100644 index 0000000..8c9bd5b --- /dev/null +++ b/slococo/playground_nodeps/README.md @@ -0,0 +1,102 @@ +# Ansible Collection - slococo.playground_nodeps + +## Overview + +This Ansible collection contains two roles: `local_accounts` and `ssh_config`. These roles are designed to automate the configuration of local user accounts and SSH daemon settings on target hosts. + +## Requirements + +- Ansible version supporting collections (`ansible-core` > 2.12) + +## Role: local_accounts + +### Description + +This role configures multiple local user accounts on the target host as specified in a list of dictionaries variable. + +### Variables + +- `local_users`: List of dictionaries defining each local user account with the following fields: + - `name`: Username + - `shell`: Login shell for the user + - `userid`: User ID + - `expiry_date`: Expiry date for the account (optional) + - `home`: Path for the home directory (optional) + - `groups`: List of groups the user belongs to (optional) + - `passwordless`: Enable or disable passwordless authentication (optional) + +- `local_accounts_key_path`: Path to the private key on the Ansible control node (optional) + +### Usage + +Include the `local_accounts` role in your playbook and define the `local_users` variable accordingly. + +```yaml +- name: Configure local accounts + hosts: target_hosts + roles: + - role: slococo.playground_nodeps.local_accounts + vars: + local_accounts_list: + - name: local_adm + shell: /bin/bash + userid: 38000087 + - name: local_log + shell: /bin/sh + userid: 38000088 + expiry_date: "2024-12-31" +``` + +## Role: ssh_config + +### Description + +This role ensures the SSH daemon on the target host has specific options configured. + +### Variables + +- `ssh_config_options`: Dictionary containing SSH configuration options. Each option is a key-value pair where the key represents the SSH option as found in `/etc/ssh/sshd_config`, and the value represents the desired value for that option. + +Example: + +```yaml +ssh_config_options: + PasswordAuthentication: 'yes' +``` + +### Usage + +Include the `ssh_config` role in your playbook. + +```yaml +- name: Configure SSH + hosts: target_hosts + roles: + - role: slococo.playground_nodeps.ssh_config +``` + +### SSH Configuration + +The role ensures the following SSH options are configured with the specified values: + +- `PasswordAuthentication`: yes +- `PermitEmptyPasswords`: no +- `PermitRootLogin`: no + +## Molecule testing + +This collection includes Molecule tests to ensure the correctness of the roles. Molecule is a testing framework for Ansible roles. + +### Prerequisites + +Before running the Molecule tests, ensure that Molecule is installed. You can find installation instructions in the [official Molecule documentation](https://molecule.readthedocs.io/en/latest/installation.html). + +### Running tests + +Once Molecule is installed, you can run the tests by executing the following command in the root directory of the collection: + +```bash +molecule test +``` + +This command will run both roles (`local_accounts` and `ssh_config`) in a Docker container, simulating real-world scenarios. diff --git a/slococo/playground_nodeps/galaxy.yml b/slococo/playground_nodeps/galaxy.yml new file mode 100644 index 0000000..e8137fa --- /dev/null +++ b/slococo/playground_nodeps/galaxy.yml @@ -0,0 +1,22 @@ +namespace: slococo +name: playground_nodeps +version: 1.0.0 +readme: README.md + +authors: + - Santiago Lo Coco + +description: This collection contains roles to manage SSH settings and create local user accounts. + +license: + - MIT +license_file: LICENSE.md + +tags: + - users + - ssh + - config + - tools + +repository: https://git.slc.ar/slococo/ansible-playground +issues: https://git.slc.ar/slococo/ansible-playground/issues diff --git a/slococo/playground_nodeps/meta/runtime.yml b/slococo/playground_nodeps/meta/runtime.yml new file mode 100644 index 0000000..ce6befd --- /dev/null +++ b/slococo/playground_nodeps/meta/runtime.yml @@ -0,0 +1,2 @@ +--- +requires_ansible: ">=2.14.0" diff --git a/slococo/playground_nodeps/molecule/default/converge.yml b/slococo/playground_nodeps/molecule/default/converge.yml new file mode 100644 index 0000000..1ade7db --- /dev/null +++ b/slococo/playground_nodeps/molecule/default/converge.yml @@ -0,0 +1,3 @@ +--- +- name: Include a playbook from a collection + ansible.builtin.import_playbook: slococo.playground_nodeps.main diff --git a/slococo/playground_nodeps/molecule/default/molecule.yml b/slococo/playground_nodeps/molecule/default/molecule.yml new file mode 100644 index 0000000..dbaded1 --- /dev/null +++ b/slococo/playground_nodeps/molecule/default/molecule.yml @@ -0,0 +1,21 @@ +--- +dependency: + name: galaxy +driver: + name: docker +platforms: + - name: instance + image: "slococo/dam-testing:latest" + command: ${MOLECULE_DOCKER_COMMAND:-""} + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + cgroupns_mode: host + privileged: true + pre_build_image: true +provisioner: + name: ansible + config_options: + defaults: + remote_tmp: /tmp + playbooks: + converge: ${MOLECULE_PLAYBOOK:-converge.yml} diff --git a/slococo/playground_nodeps/playbooks/main.yml b/slococo/playground_nodeps/playbooks/main.yml new file mode 100644 index 0000000..f5c0277 --- /dev/null +++ b/slococo/playground_nodeps/playbooks/main.yml @@ -0,0 +1,18 @@ +- name: Configure SSH and add user accounts + hosts: all + become: true + gather_facts: true + + roles: + - role: slococo.playground_nodeps.ssh_config + - role: slococo.playground_nodeps.local_accounts + vars: + local_accounts_list: + - name: local_adm + shell: /bin/bash + userid: 38000087 + - name: local_log + shell: /bin/sh + userid: 38000088 + expiry_date: '2024-12-31' + passwordless: true diff --git a/slococo/playground_nodeps/roles/local_accounts/README.md b/slococo/playground_nodeps/roles/local_accounts/README.md new file mode 100644 index 0000000..883e78b --- /dev/null +++ b/slococo/playground_nodeps/roles/local_accounts/README.md @@ -0,0 +1,47 @@ +local_accounts +========= + +An Ansible Role to create local user accounts. + +Requirements +------------ + +- Ansible 2.12.0 or later +- This role requires elevated privileges. Make sure to set `become: true` when using this role. + +Role Variables +-------------- + +```yaml +local_accounts_list: + - name: # Username for the local user (required) + shell: # Shell for the local user (required) + userid: # User ID for the local user (required) + expiry_date: # Expiry date for the local user in the format 'YYYY-MM-DD' (optional, default: never) + home: # Home directory path for the local user (optional, default: "/home/{{ name }}") + groups: # List of groups the local user belongs to (optional, default: its own group) + passwordless: # Boolean value indicating whether SSH key pairs should be generated for passwordless authentication (optional, default: false) + +local_accounts_key_path: # Path to the private and public keys on the Ansible control node (optional, default: "/tmp") +local_accounts_key_type: # Type of the private key used for SSH authentication (optional, default: "ed25519") +``` + +Example Playbook +---------------- + +```yaml + - hosts: servers + vars: + local_accounts_list: + - name: test_user1 + shell: /bin/bash + userid: 1001 + + roles: + - { role: slococo.playground_nodeps.local_accounts, become: true } +``` + +License +------- + +MIT diff --git a/slococo/playground_nodeps/roles/local_accounts/defaults/main.yml b/slococo/playground_nodeps/roles/local_accounts/defaults/main.yml new file mode 100644 index 0000000..c769b1f --- /dev/null +++ b/slococo/playground_nodeps/roles/local_accounts/defaults/main.yml @@ -0,0 +1,4 @@ +--- +local_accounts_list: [] +local_accounts_key_path: "/tmp" +local_accounts_key_type: "ed25519" diff --git a/slococo/playground_nodeps/roles/local_accounts/handlers/main.yml b/slococo/playground_nodeps/roles/local_accounts/handlers/main.yml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/slococo/playground_nodeps/roles/local_accounts/handlers/main.yml @@ -0,0 +1 @@ +--- diff --git a/slococo/playground_nodeps/roles/local_accounts/meta/argument_specs.yml b/slococo/playground_nodeps/roles/local_accounts/meta/argument_specs.yml new file mode 100644 index 0000000..d88f85c --- /dev/null +++ b/slococo/playground_nodeps/roles/local_accounts/meta/argument_specs.yml @@ -0,0 +1,52 @@ +--- +argument_specs: + main: + short_description: Ansible Role to create local users + options: + local_accounts_list: + type: list + required: true + elements: dict + description: List of dictionaries containing details of local users. + options: + name: + type: str + required: true + description: The username for the local user. + shell: + type: str + required: true + description: The shell for the local user. + userid: + type: int + required: true + description: The user ID for the local user. + expiry_date: + type: str + required: false + description: The expiry date for the local user (in '%Y-%m-%d', e.g. 2024-12-31). + home: + type: path + required: false + default: "{{ '/home/' + name if name is defined else '' }}" + description: The home directory path for the local user. + groups: + type: list + required: false + default: "{{ name if name is defined else '' }}" + description: The primary group for the local user. + passwordless: + type: bool + required: false + default: false + description: Boolean value indicating whether SSH key pairs should be generated for passwordless authentication. + local_accounts_key_path: + type: str + required: false + default: /tmp + description: "Path to the private and public keys on the Ansible control node." + local_accounts_key_type: + type: str + required: false + default: "ed25519" + description: "Type of the private key used for SSH authentication. Options include 'ed25519', 'rsa', etc." diff --git a/slococo/playground_nodeps/roles/local_accounts/meta/main.yml b/slococo/playground_nodeps/roles/local_accounts/meta/main.yml new file mode 100644 index 0000000..4780e85 --- /dev/null +++ b/slococo/playground_nodeps/roles/local_accounts/meta/main.yml @@ -0,0 +1,9 @@ +galaxy_info: + author: Santiago Lo Coco + description: Ansible Role to create local users + company: cloudWerkstatt + license: MIT + min_ansible_version: 2.12.0 + galaxy_tags: ['users', 'creation'] + +dependencies: [] diff --git a/slococo/playground_nodeps/roles/local_accounts/tasks/main.yml b/slococo/playground_nodeps/roles/local_accounts/tasks/main.yml new file mode 100644 index 0000000..17a25d0 --- /dev/null +++ b/slococo/playground_nodeps/roles/local_accounts/tasks/main.yml @@ -0,0 +1,65 @@ +--- +- name: Create local user accounts + ansible.builtin.user: + name: "{{ item.name }}" + shell: "{{ item.shell }}" + uid: "{{ item.userid }}" + expires: "{{ (((item.expiry_date + ' 00:00:00') | to_datetime).strftime('%s')) if item.expiry_date is defined else omit }}" + home: "{{ item.home | default(omit) }}" + groups: "{{ item.groups | default(omit) }}" + generate_ssh_key: "{{ item.passwordless | default(false) }}" + ssh_key_type: "{{ local_accounts_key_type if item.passwordless is defined else omit }}" + loop: "{{ local_accounts_list }}" + +- name: Add some variables to the user accounts + ansible.builtin.set_fact: + local_accounts_list_agg: >- + {{ + local_accounts_list_agg | default([]) + [ + item | combine({ + 'home': item.home | default('/home/' + item.name), + 'local_key_path': local_accounts_key_path | regex_replace('/$', '') + '/id_' + local_accounts_key_type + '_' + item.name, + 'remote_key_path': item.home + '/.ssh/id_' + local_accounts_key_type + }) + ] + }} + loop: "{{ local_accounts_list }}" + when: item.passwordless | default(false) | bool + +- name: Read generated public SSH keys + ansible.builtin.slurp: + src: "{{ remote_key_path }}.pub" + loop: "{{ local_accounts_list_agg | default([]) }}" + register: public_keys + when: not ansible_check_mode + +- name: Read generated private SSH keys + ansible.builtin.slurp: + src: "{{ remote_key_path }}" + loop: "{{ local_accounts_list_agg | default([]) }}" + register: private_keys + when: not ansible_check_mode + +- name: Add public keys to authorized_keys for passwordless authentication + ansible.builtin.lineinfile: + path: "{{ item.item.home }}/.ssh/authorized_keys" + regexp: "^{{ item.content | b64decode }}" + line: "{{ item.content | b64decode }}" + owner: "{{ item.item.name }}" + group: "{{ item.item.name }}" + mode: '0600' + state: present + create: true + loop: "{{ public_keys.results | default([]) }}" + when: not ansible_check_mode + +- name: Copy private keys to control node + ansible.builtin.copy: + content: "{{ item.content | b64decode }}" + dest: "{{ item.item.local_key_path }}" + mode: '0600' + loop: "{{ private_keys.results | default([]) }}" + delegate_to: localhost + run_once: true + become: false + when: not ansible_check_mode diff --git a/slococo/playground_nodeps/roles/local_accounts/tests/inventory b/slococo/playground_nodeps/roles/local_accounts/tests/inventory new file mode 100644 index 0000000..2fbb50c --- /dev/null +++ b/slococo/playground_nodeps/roles/local_accounts/tests/inventory @@ -0,0 +1 @@ +localhost diff --git a/slococo/playground_nodeps/roles/local_accounts/tests/test.yml b/slococo/playground_nodeps/roles/local_accounts/tests/test.yml new file mode 100644 index 0000000..adf7fbc --- /dev/null +++ b/slococo/playground_nodeps/roles/local_accounts/tests/test.yml @@ -0,0 +1,52 @@ +--- +- name: Test the local_accounts role + hosts: localhost + connection: local + gather_facts: false + become: true + + vars: + local_accounts_list: + - name: test_user1 + shell: /bin/bash + userid: 1001 + - name: test_user2 + shell: /bin/zsh + userid: 1002 + expiry_date: '2024-12-31' + home: /home/test_user2_another + groups: ['docker', 'root'] + passwordless: true + + roles: + - slococo.playground_nodeps.local_accounts + + tasks: + - name: Ensure all the users are present with the correct values + ansible.builtin.user: + name: "{{ item.name }}" + shell: "{{ item.shell }}" + uid: "{{ item.userid }}" + expires: "{{ (((item.expiry_date + ' 00:00:00') | to_datetime).strftime('%s')) if item.expiry_date is defined else omit }}" + home: "{{ item.home | default('/home/' + item.name) }}" + groups: "{{ item.groups | default(omit) }}" + state: present + loop: "{{ local_accounts_list }}" + + - name: Ensure SSH key pair was created for each user + ansible.builtin.file: + path: "{{ item.remote_key_path }}" + loop: "{{ local_accounts_list_agg | default([]) }}" + + - name: Test SSH connection for each user + ansible.builtin.shell: > + ssh -T -i {{ item.local_key_path }} + -o StrictHostKeyChecking=no + -o BatchMode=yes + -o ConnectTimeout=5 + {{ item.name }}@localhost + loop: "{{ local_accounts_list_agg | default([]) }}" + ignore_errors: true + register: ssh_results + changed_when: false + failed_when: ssh_results.rc != 0 diff --git a/slococo/playground_nodeps/roles/local_accounts/vars/main.yml b/slococo/playground_nodeps/roles/local_accounts/vars/main.yml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/slococo/playground_nodeps/roles/local_accounts/vars/main.yml @@ -0,0 +1 @@ +--- diff --git a/slococo/playground_nodeps/roles/ssh_config/README.md b/slococo/playground_nodeps/roles/ssh_config/README.md new file mode 100644 index 0000000..6891813 --- /dev/null +++ b/slococo/playground_nodeps/roles/ssh_config/README.md @@ -0,0 +1,37 @@ +ssh_config +========= + +An Ansible Role to manage SSH configuration on Linux systems. + +## Requirements + +- Ansible 2.12.0 or later +- This role requires elevated privileges. Make sure to set `become: true` when using this role. + +## Role Variables + +```yaml +ssh_config_options: + PasswordAuthentication: 'yes' # Allow password authentication (default: yes) + PermitEmptyPasswords: 'no' # Permit users to have empty passwords (default: no) + PermitRootLogin: 'no' # Permit root login (default: no) + # Add more SSH options as needed +``` + +Example Playbook +---------------- + +```yaml + - hosts: servers + vars: + sshd_options: + PasswordAuthentication: 'no' + + roles: + - { role: slococo.playground_nodeps.ssh_config, become: true } +``` + +License +------- + +MIT diff --git a/slococo/playground_nodeps/roles/ssh_config/defaults/main.yml b/slococo/playground_nodeps/roles/ssh_config/defaults/main.yml new file mode 100644 index 0000000..bc21625 --- /dev/null +++ b/slococo/playground_nodeps/roles/ssh_config/defaults/main.yml @@ -0,0 +1,5 @@ +--- +ssh_config_options: + PasswordAuthentication: 'yes' + PermitEmptyPasswords: 'no' + PermitRootLogin: 'no' diff --git a/slococo/playground_nodeps/roles/ssh_config/handlers/main.yml b/slococo/playground_nodeps/roles/ssh_config/handlers/main.yml new file mode 100644 index 0000000..2235115 --- /dev/null +++ b/slococo/playground_nodeps/roles/ssh_config/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart SSH service + ansible.builtin.service: + name: sshd + state: restarted diff --git a/slococo/playground_nodeps/roles/ssh_config/meta/argument_specs.yml b/slococo/playground_nodeps/roles/ssh_config/meta/argument_specs.yml new file mode 100644 index 0000000..0e1c2b3 --- /dev/null +++ b/slococo/playground_nodeps/roles/ssh_config/meta/argument_specs.yml @@ -0,0 +1,13 @@ +--- +argument_specs: + main: + short_description: Ansible Role to manage SSH configuration + options: + ssh_config_options: + type: dict + required: false + default: + PasswordAuthentication: 'yes' + PermitEmptyPasswords: 'no' + PermitRootLogin: 'no' + description: Dictionary containing SSH configuration options to be set. diff --git a/slococo/playground_nodeps/roles/ssh_config/meta/main.yml b/slococo/playground_nodeps/roles/ssh_config/meta/main.yml new file mode 100644 index 0000000..3fed228 --- /dev/null +++ b/slococo/playground_nodeps/roles/ssh_config/meta/main.yml @@ -0,0 +1,9 @@ +galaxy_info: + author: Santiago Lo Coco + description: Ansible Role to manage SSH configuration + company: cloudWerkstatt + license: MIT + min_ansible_version: 2.12.0 + galaxy_tags: ['ssh', 'config'] + +dependencies: [] diff --git a/slococo/playground_nodeps/roles/ssh_config/tasks/main.yml b/slococo/playground_nodeps/roles/ssh_config/tasks/main.yml new file mode 100644 index 0000000..bf705ec --- /dev/null +++ b/slococo/playground_nodeps/roles/ssh_config/tasks/main.yml @@ -0,0 +1,11 @@ +--- +- name: Check SSH daemon configuration + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: "^{{ item.key }}" + line: "{{ item.key }} {{ item.value }}" + state: present + validate: "sshd -t -f %s" + mode: '0644' + loop: "{{ ssh_config_options | dict2items }}" + notify: Restart SSH service diff --git a/slococo/playground_nodeps/roles/ssh_config/tests/inventory b/slococo/playground_nodeps/roles/ssh_config/tests/inventory new file mode 100644 index 0000000..2fbb50c --- /dev/null +++ b/slococo/playground_nodeps/roles/ssh_config/tests/inventory @@ -0,0 +1 @@ +localhost diff --git a/slococo/playground_nodeps/roles/ssh_config/tests/test.yml b/slococo/playground_nodeps/roles/ssh_config/tests/test.yml new file mode 100644 index 0000000..219561d --- /dev/null +++ b/slococo/playground_nodeps/roles/ssh_config/tests/test.yml @@ -0,0 +1,30 @@ +--- +- name: Test the ssh_config role + hosts: localhost + connection: local + gather_facts: false + become: true + + vars: + ssh_config_options: + PasswordAuthentication: 'no' + + roles: + - role: slococo.playground_nodeps.ssh_config + + tasks: + - name: Check SSH daemon configuration + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: "^{{ item.key }}" + line: "{{ item.key }} {{ item.value }}" + state: present + mode: '0644' + loop: "{{ ssh_config_options | dict2items }}" + check_mode: true + register: ssh_config_result + + - name: Fail if any change occurred + ansible.builtin.fail: + msg: "A change occurred in SSH daemon configuration." + when: ssh_config_result.changed and not ansible_check_mode diff --git a/slococo/playground_nodeps/roles/ssh_config/vars/main.yml b/slococo/playground_nodeps/roles/ssh_config/vars/main.yml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/slococo/playground_nodeps/roles/ssh_config/vars/main.yml @@ -0,0 +1 @@ +---