From e4f94a3ab645d9a53edd28b592491eed68c40cc8 Mon Sep 17 00:00:00 2001
From: Someone
Date: Fri, 4 Oct 2024 13:42:33 +0200
Subject: [PATCH] [roles/base/ansible/setup] set role defaults, install sudo, create remote-management-user + env
---
 .../setup/files/default/authorized_keys | 8 ++
 .../base/ansible/setup/files/default/sudoers | 61 +++++++++++
 .../setup/files/default/sudoers.d.ansible | 9 ++
 roles/base/ansible/setup/tasks/main.yml | 101 ++++++++++++++++++
 4 files changed, 179 insertions(+)
 create mode 100644 roles/base/ansible/setup/files/default/authorized_keys
 create mode 100644 roles/base/ansible/setup/files/default/sudoers
 create mode 100644 roles/base/ansible/setup/files/default/sudoers.d.ansible
 create mode 100644 roles/base/ansible/setup/tasks/main.yml
diff --git a/roles/base/ansible/setup/files/default/authorized_keys b/roles/base/ansible/setup/files/default/authorized_keys
new file mode 100644
index 0000000..5d71d13
--- /dev/null
+++ b/roles/base/ansible/setup/files/default/authorized_keys
@@ -0,0 +1,8 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG5GnAMN6EfWmBWZUnVkHSBh5rLskXi+3vUju3k7H7OO somesible_provisioner.2020-12
diff --git a/roles/base/ansible/setup/files/default/sudoers b/roles/base/ansible/setup/files/default/sudoers
new file mode 100644
index 0000000..fd8ac61
--- /dev/null
+++ b/roles/base/ansible/setup/files/default/sudoers
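Review bot: The key on the last line of the hunk carries no authorized_keys options, so any holder of the private key can log in to the `ansible` account from any source address, and sudoers.d.ansible in this same patch gives that account `NOPASSWD: ALL`. Since this default file is what gets deployed whenever no host- or group-specific override exists, it is worth pinning the key to the provisioning host with a `from="<controller address pattern>"` option (and `restrict` where the target sshd supports it). A short comment above the key stating which host it belongs to and when it is due for rotation would also help, since the `2020-12` suffix is the only hint at its age.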
@@ -0,0 +1,61 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults env_reset
+Defaults mail_badpass
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# This fixes CVE-2005-4890 and possibly breaks some versions of kdesu
+# (#1011624, https://bugs.kde.org/show_bug.cgi?id=452532)
+Defaults use_pty
+
+# This preserves proxy settings from user environments of root
+# equivalent users (group sudo)
+#Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"
+
+# This allows running arbitrary commands, but so does ALL, and it means
+# different sudoers have their choice of editor respected.
+#Defaults:%sudo env_keep += "EDITOR"
+
+# Completely harmless preservation of a user preference.
+#Defaults:%sudo env_keep += "GREP_COLOR"
+
+# While you shouldn't normally run git as root, you need to with etckeeper
+#Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"
+
+# Per-user preferences; root won't have sensible values for them.
+#Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"
+
+# "sudo scp" or "sudo rsync" should be able to use your SSH agent.
+#Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"
+
+# Ditto for GPG agent
+#Defaults:%sudo env_keep += "GPG_AGENT_INFO"
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root ALL=(ALL:ALL) ALL
+
+# Allow members of group sudo to execute any command
+%sudo ALL=(ALL:ALL) NOPASSWD: ALL
+
+# See sudoers(5) for more information on "@include" directives:
+
+@includedir /etc/sudoers.d
diff --git a/roles/base/ansible/setup/files/default/sudoers.d.ansible b/roles/base/ansible/setup/files/default/sudoers.d.ansible
new file mode 100644
index 0000000..48fe0c4
--- /dev/null
+++ b/roles/base/ansible/setup/files/default/sudoers.d.ansible
@@ -0,0 +1,9 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+ansible ALL=(ALL:ALL) NOPASSWD: ALL
diff --git a/roles/base/ansible/setup/tasks/main.yml b/roles/base/ansible/setup/tasks/main.yml
new file mode 100644
index 0000000..02e801c
--- /dev/null
+++ b/roles/base/ansible/setup/tasks/main.yml
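Review bot: `%sudo ALL=(ALL:ALL) NOPASSWD: ALL` under "Allow members of group sudo to execute any command" drops the password prompt for every member of group sudo, while the preserved comment above it still describes the stock Debian rule, and nothing in the file says the widening is intended. The `ansible` account gets its own `NOPASSWD: ALL` from the sudoers.d.ansible hunk in this same patch, so the provisioner does not need the group-wide rule; unless other accounts rely on it, restore `%sudo ALL=(ALL:ALL) ALL`, or document the intent directly above the rule, e.g. `# NOPASSWD for all of group sudo is deliberate: <reason>`. The retained header "This file MUST be edited with the 'visudo' command as root" is also misleading for a role-managed file that is overwritten on every run; a comment saying that edits go through the role and are checked by the copy task's `visudo -cf` would describe the actual workflow.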
@@ -0,0 +1,101 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+# sudo-user for remote provisioning and periodic local provisioning.
+#
+---
+- name: install sudo
+ apt:
+ pkg:
+ - acl
+ - sudo
+ state: present
+ policy_rc_d: 101
+ tags: "online"
+ ignore_errors: "{{ignore_online_errors | bool}}"
+
+
+- name: create ansible public-files dir
+ file:
+ path: "/opt/somesible"
+ state: directory
+ mode: 0755
+ owner: "root"
+ group: "root"
+
+
+- name: create ansible user
+ user:
+ name: "ansible"
+ uid: 609
+ home: "/var/ansible"
+ shell: "/bin/bash"
+ createhome: no
+ system: yes
+ group: "root"
+ state: present
+
+
+- name: create ansible user's homedir
+ file:
+ path: "/var/ansible"
+ state: directory
+ mode: 0700
+ owner: "ansible"
+ group: "root"
+
+
+- name: add ansible to sudoers
+ copy:
+ src: "{{item}}"
+ dest: "/etc/sudoers.d/ansible"
+ mode: 0440
+ owner: "root"
+ group: "root"
+ validate: /usr/sbin/visudo -cf %s
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/sudoers.d.ansible"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/sudoers.d.ansible"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/sudoers.d.ansible"
+ - "default/sudoers.d.ansible"
+
+
+- name: override default sudoers file
+ copy:
+ src: "{{item}}"
+ dest: "/etc/sudoers"
+ mode: 0440
+ owner: "root"
+ group: "root"
+ validate: /usr/sbin/visudo -cf %s
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/sudoers"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/sudoers"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/sudoers"
+ - "default/sudoers"
+
+
+- name: set ansible .ssh-dir permissions
+ file:
+ path: "/var/ansible/.ssh"
+ state: directory
+ mode: 0700
+ owner: "ansible"
+ group: "root"
+
+
+- name: copy authorized_keys
+ copy:
+ src: "{{item}}"
+ dest: "/var/ansible/.ssh/authorized_keys"
+ mode: 0600
+ owner: "ansible"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/authorized_keys"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/authorized_keys"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/authorized_keys"
+ - "default/authorized_keys"
-- 2.43.0
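Review bot: The `with_first_found` lists in "add ansible to sudoers", "override default sudoers file" and "copy authorized_keys" resolve the host- and group-specific overrides relative to `lookup('env','PWD')`, i.e. the shell directory the controller happened to be started from; when a run is launched from anywhere else, all three override candidates miss and the task silently falls through to `default/...`, deploying the repo's stock sudoers (with the group-wide NOPASSWD rule) and the committed authorized_keys without any error. Anchoring the paths to the playbook instead, e.g. `- "{{ playbook_dir }}/host_files/{{ inventory_hostname }}/{{ role_name }}/sudoers"`, makes the lookup independent of the caller's working directory; the same change applies to the other two tasks. In "create ansible user", `createhome: no` and `system: yes` rely on YAML 1.1 truthy words and `createhome` is the legacy spelling; `create_home: false` and `system: true` are the current, unambiguous forms. The unquoted `mode: 0755`/`0700`/`0440`/`0600` values work only because of the leading zero; quoting them as `"0755"` etc. removes the dependency on the YAML parser's octal handling.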