From 3456ee756e4ca90768493d8021f985e59c0a6611 Mon Sep 17 00:00:00 2001 From: L3D Date: Fri, 16 Feb 2024 18:00:07 +0100 Subject: [PATCH] update docs and adding password option for user ansible --- README.md | 2 ++ requirements.yml | 8 +++++ roles/admin/README.md | 52 +++++++++++++++--------------- roles/admin/defaults/main.yml | 7 ++-- roles/admin/tasks/user_ansible.yml | 4 +-- roles/admin/vars/main.yml | 2 +- roles/sshd/README.md | 35 +++++++++----------- roles/sshd/defaults/main.yml | 1 + roles/sshd/vars/main.yml | 2 +- roles/user/README.md | 40 ++++++++++++----------- roles/user/defaults/main.yml | 7 ++-- roles/user/tasks/user_ansible.yml | 3 +- roles/user/vars/main.yml | 2 +- 13 files changed, 90 insertions(+), 75 deletions(-) create mode 100644 requirements.yml diff --git a/README.md b/README.md index 4ebe897..0fff5ca 100644 --- a/README.md +++ b/README.md @@ -2,3 +2,5 @@ Ansible Collection to mamage Users, Groups and SSH Keys Work in progress! + +Requirements: See requirements.yml diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 0000000..010abf3 --- /dev/null +++ b/requirements.yml @@ -0,0 +1,8 @@ +--- +collections: + - name: "community.general" + version: ">=8.3.0" + - name: "ansible.posix" + version: ">=1.5.4" + - name: "community.crypto" + version: ">=2.17.1" diff --git a/roles/admin/README.md b/roles/admin/README.md index 4b6f563..d969346 100644 --- a/roles/admin/README.md +++ b/roles/admin/README.md 
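Review bot: The three collection entries in the new requirements.yml carry only lower bounds (`version: ">=8.3.0"` and the two like it), so `ansible-galaxy collection install -r requirements.yml` resolves to whatever release is newest at install time and two installs of this collection can pull different code. For reproducible runs and a reviewable upgrade path, pin the versions the roles were tested against, e.g. `version: "8.3.0"`, or at least cap the major with a range such as `">=8.3.0,<9.0.0"` and bump it deliberately. The diffstat shows the file as newly created, so nothing downstream relies on the open ranges yet.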
@@ -16,19 +16,20 @@ There are two variables to define users. The ``l3d_users__default_users`` is men + The dictionary-variable for your host_vars to set your host-specific users and admins is: ``l3d_users__local_users``. The Option of these directory-variables are the following. -| option | values | description | -| ------ | ------ | --- | -| name | string | The user you want to create | -| state | ``present`` | Create or delete user | -| shell | ``/bin/bash`` | The Shell of the User | -| create_home | ``true`` | create a user home *(needed to store ssh keys)* | -| admin | ``false`` | enable it to give the user superpowers | -| admin_commands | string or list | Commands that are allows to be run as admin, eg. 'ALL' or specific script | -| admin_nopassword | false | Need no Password for sudo | -| pubkeys | string or lookup | see examples | -| exklusive_pubkeys | ``true`` | delete all undefined ssh keys | -| password | password hash | See [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) | -| remove | ``false`` | completly remove user if state is absent | +| option | values | required | description | +| ------ | ------ | --- | --- | +| ``name`` | *string* | ``required`` | The user you want to create | +| ``state`` | ``present`` | - | Create or delete user | +| ``shell`` | ``/bin/bash`` | - | The Shell of the User | +| ``create_home`` | ``true`` | - | create a user home *(needed to store ssh keys)* | +| ``admin | ``false`` | - | enable it to give the user superpowers | +| ``admin_commands`` | *string or list* | - | Commands that are allows to be run as admin, eg. 
'ALL' or specific script | +| ``admin_nopassword`` | ``false`` | - | Need no Password for sudo | +| ``admin_ansible_login`` | ``true`` | - |if ``admin: true`` and ``l3d_users__create_ansible: true`` your ssh keys will be added to ansible user | +| ``pubkeys`` | string or lookup | - | see examples | +| ``exklusive_pubkeys`` | ``true`` | - | delete all undefined ssh keys | +| ``password`` | password hash | - | See [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) | +| ``remove`` | ``false`` | - | completly remove user if ``state: absent`` | ### Other 
@@ -36,35 +37,34 @@ The Option of these directory-variables are the following. | --- | --- | --- | | ``l3d_users__create_ansible`` | ``true`` | Create an Ansible User | | ``l3d_users__ansible_user_state`` | ``present`` | Ansible user state | +| ``l3d_users__ansible_user_command`` | ``ALL`` | Commans with superpower for ansible user | +| ``l3d_users__ansible_user_nopassword`` | ``true`` | Allow superpowers without password for ansible user | | ``submodules_versioncheck`` | ``false`` | Optionaly enable simple versionscheck of this role | Example Playbook ----------------- ```yaml -- name: Create System with User and Passwords +- name: Create superpowers for admins hosts: example.com roles: - - {role: l3d.users.user, tags: 'user'} + - {role: l3d.users.admin, tags: 'admin'} vars: l3d_users__local_users: - name: 'alice' state: 'present' - shell: '/bin/bash' - create_home: true admin: true admin_commands: 'ALL' - pubkeys: | - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPvvXN33GwkTF4ZOwPgF21Un4R2z9hWUuQt1qIfzQyhC - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAG65EdcM+JLv0gnzT9LcqVU47Pkw0SqiIg7XipXENi8 - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJz7zEvUVgJJJsIgfG3izsqYcM22IaKz4jGVUbNRL2PX - exklusive_pubkeys: true + admin_nopassword: false + pubkeys: "{{ lookup('url', 'https://github.com/do1jlr.keys', split_lines=False) }}" - name: 'bob' state: 'present' admin: false - pubkeys: "{{ lookup('url', 'https://github.com/do1jlr.keys', split_lines=False) }}" - + - name: 'backup' + state: 'present' + admin: true + admin_commands: '/opt/backupscript.sh' + admin_nopassword: true + admin_ansible_login: false l3d_users__create_ansible: true - l3d_users__set_ansible_ssh_keys: true - l3d_users__ansible_ssh_keys: "{{ lookup('url', 'https://github.com/do1jlr.keys', split_lines=False) }}" submodules_versioncheck: true ``` diff --git a/roles/admin/defaults/main.yml b/roles/admin/defaults/main.yml index 5897709..f146ba4 100644 --- a/roles/admin/defaults/main.yml +++ b/roles/admin/defaults/main.yml 
@@ -1,6 +1,6 @@ --- # create users -l3d_users__default_users: {} +l3d_users__default_users: [] # - name: 'alice' # state: 'present' # shell: '/bin/bash' @@ -14,6 +14,7 @@ l3d_users__default_users: {} # admin: true # admin_commands: 'ALL' # admin_nopassword: false +# admin_ansible_login: true # - name: 'bob' # state: 'present' # shell: '/bin/zsh' @@ -21,7 +22,7 @@ l3d_users__default_users: {} # pubkeys: "{{ lookup('url', 'https://github.com/do1jlr.keys', split_lines=False) }}" # exklusive_pubkeys: false -l3d_users__local_users: {} +l3d_users__local_users: [] # - name: 'charlie' # state: 'present' # admin: false @@ -29,6 +30,8 @@ l3d_users__local_users: {} l3d_users__create_ansible: true l3d_users__ansible_user_state: 'present' +l3d_users__ansible_user_command: 'ALL' +l3d_users__ansible_user_nopassword: true # run simple versionscheck submodules_versioncheck: false diff --git a/roles/admin/tasks/user_ansible.yml b/roles/admin/tasks/user_ansible.yml index 43eab15..71d103c 100644 --- a/roles/admin/tasks/user_ansible.yml +++ b/roles/admin/tasks/user_ansible.yml @@ -3,8 +3,8 @@ become: true community.general.sudoers: name: 'ansible_superpowers' - commands: 'ALL' - nopassword: true + commands: "{{ l3d_users__ansible_user_command }}" + nopassword: "{{ l3d_users__ansible_user_nopassword | bool }}" user: 'ansible' state: "{{ l3d_users__ansible_user_state | ternary('present', 'absent') }}" validation: 'required' diff --git a/roles/admin/vars/main.yml b/roles/admin/vars/main.yml index bb8ba42..475a3bd 100644 --- a/roles/admin/vars/main.yml +++ b/roles/admin/vars/main.yml @@ -1,3 +1,3 @@ --- -playbook_version_number: 4 +playbook_version_number: 5 playbook_version_path: 'l3d.users.admin.version' diff --git a/roles/sshd/README.md b/roles/sshd/README.md index 12e504e..e7ff2ea 100644 --- a/roles/sshd/README.md +++ b/roles/sshd/README.md 
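Review bot: The new default `l3d_users__ansible_user_command: 'ALL'` is singular, while the per-user option it mirrors is `admin_commands` and the `community.general.sudoers` option it feeds in roles/admin/tasks/user_ansible.yml is `commands`, which also accepts a list; a plural name such as `l3d_users__ansible_user_commands` would keep the three consistent and signal that a list is accepted. If the singular name stays, a comment next to it would help, e.g. `# string or list of commands the ansible user may run via sudo`. Changing the two user variables from `{}` to `[]` looks right, since the tasks appear to iterate over a merged list of them.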
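Review bot: The `state:` line that sits as context directly under the new `commands`/`nopassword` lines feeds a string into `ternary`, and `ternary` only tests the truthiness of its input: any non-empty string, `'absent'` included, is truthy, so `l3d_users__ansible_user_state: 'absent'` still resolves to `present` and the `ansible_superpowers` sudoers entry is never removed. This predates the commit, but the commit edits the same task, and the same expression appears twice more in roles/user/tasks/user_ansible.yml further down this patch. Comparing explicitly fixes it without changing the variable's documented values: `state: "{{ (l3d_users__ansible_user_state == 'present') | ternary('present', 'absent') }}"`. This assumes the variable is meant to hold `present`/`absent` as defaults/main.yml and the README suggest; if it is meant as a boolean, the defaults and README should say so instead.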
@@ -3,8 +3,6 @@ Ansible role l3d.users.sshd to Manage SSHD Configuration of the system and which Accounts are allowed to login. -# WORK IN PROGRESS - There are two variables to define users. The ``l3d_users__default_users`` is ment to put to your group_vars to define a default for your system. The ``l3d_users__local_users`` could be put in your host_vars to define host-specific user and admin roles. Variables: 
@@ -16,19 +14,20 @@ There are two variables to define users. The ``l3d_users__default_users`` is men + The dictionary-variable for your host_vars to set your host-specific users and admins is: ``l3d_users__local_users``. The Option of these directory-variables are the following. -| option | values | description | -| ------ | ------ | --- | -| name | string | The user you want to create | -| state | ``present`` | Create or delete user | -| shell | ``/bin/bash`` | The Shell of the User | -| create_home | ``true`` | create a user home *(needed to store ssh keys)* | -| admin | ``false`` | enable it to give the user superpowers | -| admin_commands | string or list | Commands that are allows to be run as admin, eg. 'ALL' or specific script | -| admin_nopassword | false | Need no Password for sudo | -| pubkeys | string or lookup | see examples | -| exklusive_pubkeys | ``true`` | delete all undefined ssh keys | -| password | password hash | See [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) | -| remove | ``false`` | completly remove user if state is absent | +| option | values | required | description | +| ------ | ------ | --- | --- | +| ``name`` | *string* | ``required`` | The user you want to create | +| ``state`` | ``present`` | - | Create or delete user | +| ``shell`` | ``/bin/bash`` | - | The Shell of the User | +| ``create_home`` | ``true`` | - | create a user home *(needed to store ssh keys)* | +| ``admin | ``false`` | - | enable it to give the user superpowers | +| ``admin_commands`` | *string or list* | - | Commands that are allows to be run as admin, eg. 
'ALL' or specific script | +| ``admin_nopassword`` | ``false`` | - | Need no Password for sudo | +| ``admin_ansible_login`` | ``true`` | - |if ``admin: true`` and ``l3d_users__create_ansible: true`` your ssh keys will be added to ansible user | +| ``pubkeys`` | string or lookup | - | see examples | +| ``exklusive_pubkeys`` | ``true`` | - | delete all undefined ssh keys | +| ``password`` | password hash | - | See [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) | +| ``remove`` | ``false`` | - | completly remove user if ``state: absent`` | There is a third directory-variable called ``l3d_users__ssh_login: []`` which only support ``name`` and ``state`` for users, that sould be able to login on that system. @@ -36,7 +35,6 @@ There is a third directory-variable called ``l3d_users__ssh_login: []`` which on | name | default value | description | | --- | --- | --- | -| ``submodules_versioncheck`` | ``false`` | Optionaly enable simple versionscheck of this role | | ``l3d_users__limit_login`` | ``true`` | Only allow SSH login for specified users | | ``l3d_users__sshd_port`` | ``22`` | Port for SSH | | ``l3d_users__sshd_password_authentication`` | ``false`` | Allow login with Password | @@ -54,10 +52,7 @@ There is a third directory-variable called ``l3d_users__ssh_login: []`` which on | ``l3d_users__sshd_manage_macs`` | ``true`` | Manage Used MACs | | ``l3d_users__sshd_macs`` | ``['hmac-sha2-512-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512']`` | Used MACs | | ``l3d_users__sshd_xforwarding`` |``true`` | Enable X-Forwarding | - -# run simple versionscheck -submodules_versioncheck: false - +| ``submodules_versioncheck`` | ``false`` | Optionaly enable simple versionscheck of this role | Example Playbook ----------------- diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml index 5d7c35d..fc728a0 100644 --- a/roles/sshd/defaults/main.yml 
+++ b/roles/sshd/defaults/main.yml @@ -14,6 +14,7 @@ l3d_users__default_users: [] # admin: true # admin_commands: 'ALL' # admin_nopassword: false +# admin_ansible_login: true # - name: 'bob' # state: 'present' # shell: '/bin/zsh' diff --git a/roles/sshd/vars/main.yml b/roles/sshd/vars/main.yml index e4c873c..1efa857 100644 --- a/roles/sshd/vars/main.yml +++ b/roles/sshd/vars/main.yml @@ -1,5 +1,5 @@ --- -playbook_version_number: 2 +playbook_version_number: 3 playbook_version_path: 'l3d.users.sshd.version' l3d_users_sshd__service_var_path: diff --git a/roles/user/README.md b/roles/user/README.md index ca7da02..8d776cf 100644 --- a/roles/user/README.md +++ b/roles/user/README.md 
@@ -15,29 +15,31 @@ There are two variables to define users. The ``l3d_users__default_users`` is men + The dictionary-variable for your host_vars to set your host-specific users and admins is: ``l3d_users__local_users``. The Option of these directory-variables are the following. -| option | values | description | -| ------ | ------ | --- | -| name | string | The user you want to create | -| state | ``present`` | Create or delete user | -| shell | ``/bin/bash`` | The Shell of the User | -| create_home | ``true`` | create a user home *(needed to store ssh keys)* | -| admin | ``false`` | enable it to give the user superpowers | -| admin_commands | string or list | Commands that are allows to be run as admin, eg. 'ALL' or specific script | -| admin_nopassword | false | Need no Password for sudo | -| pubkeys | string or lookup | see examples | -| exklusive_pubkeys | ``true`` | delete all undefined ssh keys | -| password | password hash | See [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) | -| remove | ``false`` | completly remove user if state is absent | +| option | values | required | description | +| ------ | ------ | --- | --- | +| ``name`` | *string* | ``required`` | The user you want to create | +| ``state`` | ``present`` | - | Create or delete user | +| ``shell`` | ``/bin/bash`` | - | The Shell of the User | +| ``create_home`` | ``true`` | - | create a user home *(needed to store ssh keys)* | +| ``admin | ``false`` | - | enable it to give the user superpowers | +| ``admin_commands`` | *string or list* | - | Commands that are allows to be run as admin, eg. 
'ALL' or specific script | +| ``admin_nopassword`` | ``false`` | - | Need no Password for sudo | +| ``admin_ansible_login`` | ``true`` | - | if ``admin: true`` and ``l3d_users__create_ansible: true`` your ssh keys will be added to ansible user | +| ``pubkeys`` | string or lookup | - | see examples | +| ``exklusive_pubkeys`` | ``true`` | - | delete all undefined ssh keys | +| ``password`` | password hash | - | See [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) | +| ``remove`` | ``false`` | - | completly remove user if ``state: absent`` | -### Other +### Other Variables | name | default value | description | | --- | --- | --- | -| l3d_users__create_ansible | ``true`` | Create User ansible | -| l3d_users__ansible_user_state | ``present`` | Create or delete user ansible | -| l3d_users__set_ansible_ssh_keys | ``false`` | Set SSH Keys for User ansible | -| l3d_users__ansible_ssh_keys | | SSH public Keys. One per line or as lookup | -| submodules_versioncheck | ``false`` | Optionaly enable simple versionscheck of this role | +| ``l3d_users__create_ansible`` | ``true`` | Create User ansible | +| ``l3d_users__ansible_user_state`` | ``present`` | Create or delete user ansible | +| ``l3d_users__set_ansible_ssh_keys`` | ``false`` | Set SSH Keys for User ansible | +| ``l3d_users__ansible_ssh_keys`` | | SSH public Keys. One per line or as lookup | +| ``l3d_users__ansible_user_password`` | | Set optional Password for Ansible User, see [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) | +| ``submodules_versioncheck`` | ``false`` | Optionaly enable simple versionscheck of this role | Example Playbook ----------------- diff --git a/roles/user/defaults/main.yml b/roles/user/defaults/main.yml index 5661a94..f7f3d72 100644 --- a/roles/user/defaults/main.yml +++ b/roles/user/defaults/main.yml 
@@ -1,6 +1,6 @@ --- # create users -l3d_users__default_users: {} +l3d_users__default_users: [] # - name: 'alice' # state: 'present' # shell: '/bin/bash' @@ -14,6 +14,7 @@ l3d_users__default_users: {} # admin: true # admin_commands: 'ALL' # admin_nopassword: false +# admin_ansible_login: true # - name: 'bob' # state: 'present' # shell: '/bin/zsh' @@ -21,7 +22,7 @@ l3d_users__default_users: {} # pubkeys: "{{ lookup('url', 'https://github.com/do1jlr.keys', split_lines=False) }}" # exklusive_pubkeys: false -l3d_users__local_users: {} +l3d_users__local_users: [] # - name: 'charlie' # state: 'present' # admin: false @@ -32,5 +33,7 @@ l3d_users__create_ansible: true l3d_users__ansible_user_state: 'present' l3d_users__set_ansible_ssh_keys: false l3d_users__ansible_ssh_keys: "{{ lookup('url', 'https://github.com/do1jlr.keys', split_lines=False) }}" +l3d_users__ansible_user_password: '' + # run simple versionscheck submodules_versioncheck: false diff --git a/roles/user/tasks/user_ansible.yml b/roles/user/tasks/user_ansible.yml index 1ec5fdc..8b7d2a8 100644 --- a/roles/user/tasks/user_ansible.yml +++ b/roles/user/tasks/user_ansible.yml @@ -13,6 +13,7 @@ shell: '/bin/bash' group: 'ansible' state: "{{ l3d_users__ansible_user_state | ternary('present', 'absent') }}" + password: "{{ l3d_users__ansible_user_password }}" create_home: true - name: Set dedicated SSH keys for User ansible and drop all other keys @@ -31,6 +32,6 @@ state: "{{ l3d_users__ansible_user_state | ternary('present', 'absent') }}" key: "{{ item.pubkeys | default() }}" loop: "{{ _l3d_users__merged_users }}" - when: item.admin | default(false) | bool + when: item.admin | default(false) | bool and item.admin_ansible_login | default(true) | bool loop_control: label: "user: ['{{ item.name }}']" diff --git a/roles/user/vars/main.yml b/roles/user/vars/main.yml index 2a92e18..71d22b4 100644 --- a/roles/user/vars/main.yml +++ b/roles/user/vars/main.yml 
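Review bot: The added `password: "{{ l3d_users__ansible_user_password }}"` passes the new default `''` to `ansible.builtin.user` unconditionally, and as I read the module it acts whenever `password` is not `None`: a freshly created `ansible` account would get an empty shadow field instead of the locked `!` that useradd writes by default, which PAM configurations carrying `nullok` accept as a valid empty password, and on a host where the account already has a hash the empty default would overwrite it on the next run. Omitting the option when the variable is empty avoids both, `password: "{{ l3d_users__ansible_user_password | default(omit, true) }}"`, so the account's password state is left alone unless an operator sets a hash; `update_password: on_create` is worth considering alongside it so a later change to the variable does not fight manual rotations. The `when:` change in the second hunk reads correctly, since the filters bind tighter than `and`. Both tasks begin above their hunks, so their remaining options are not visible here.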
@@ -1,3 +1,3 @@
 ---
-playbook_version_number: 6
+playbook_version_number: 7
 playbook_version_path: 'l3d.users.user.version'