Setup controller (#69)

This contains the local playbook to be executed on the controller host
to setup all the user accounts and install all the required packages.

The ssh_users role we should then declare it in the meta as a dep for
any other playbook we run on remote hosts so we can always ensure
everyone has access to hosts they should have access to.

This is the last piece needed to close:
#67

ansible/controller-playbook.yml

@@ -0,0 +1,7 @@
+---
+- hosts: 127.0.0.1
+  connection: local
+  become: yes
+  roles:
+    - ssh_users
+    - ansible_controller

ansible/group_vars/all/vars.yml

@@ -0,0 +1,22 @@
+ssh_users:
+  agrabeli:
+    login: agrabeli
+    comment: Maria Xynou
+    keys: ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDD0JSwM+t3Uz9lS3Mjoz9oo4vOToWyzboZhYQbP8JY5HvFtAvWanWHnUBO91t6hkgKIMiUqhdCJn26fqkhSGe/bRBaFUocOmuyfcmZoRdi0qzAskmycJsj/w6vWR4x6MYkmJvSeI/MGxjEFt4s2MfOG1tP8CBLUYft9qUleeJa7Jln8c+xbnqB7YngaI190icQHE9NuIB2CXvzbmo3tLtHNMagEwI7VoBDj6mxzTxBd9JhuhF4w5uGxxm0Gp1hzk+15obNnaBS+Anr7jXz8FPwwxCH+XhBZxB1PPpcIayKrf9iLyGtwmhkdDoWCqYAr1mue3LxFso+TZF4bwE4Cjt1 agrabelh@agrabelh"]
+  art:
+    login: art
+    comment: Arturo Filasto
+    keys: ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsibU0nsQFFIdolD1POzXOws4VetV0ZNByINRzY8Hx0 [email protected]"]
+  majakomel:
+    login: majakomel
+    comment: Maja Komel
+    keys:
+      - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7gWQL4h/IyMbwDuMIXbTVmNEm8Yx19Ftt0P2e3OyWctSMH7WGaHc6b0dGoGh6Y4x0Kpw5h0iHWshP8Rg0pckNG9LeDjLY9nLR3Jv66ogFQtFi1DAlg4CXe369N70rBN9iurndgXjShW9OV+bY+MOlW8Fmmm67Vg0xFiYuYzjgUOpl4ofkbLGAQ7sJRBzpDV6TqHhGfOdYMDJyfFvurVz0oSyEZPFFRv4Css9iVk7BGsBukCCpUuax8akEeEjxWWCvjYXva7OA0jHKayfPAroZx/OJh01rhFe7wxlu5JwUKOcevvAZqeHh6200C82ijZOCN+Qq9yvxOH+OgzhnQwnoetIbGFgnb4CkDxo7dVLc/DFyObznC4f26f5D1OyPMUX8AEarEVdEPwsEfD2ePQr6qek0XWCWtYvGklb+GRLk9Yn0VL1qwvgrtstHdeXsKONTPKRxaCjWHu18dQaG2qOUnZ+St6SHeL49CN9aav2azNI/YKoQ9SGR4D23XeBRsW8="
+  mehul:
+    login: mehul
+    comment: Mehul Gulati
+    keys:
+      - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEZSA9TKUaYWG8gfnMoyDZO2S6vsy87xma4R/EzNpveZiOZTYSNn+UDL8NpQRuH5YgdWuQV2E7sKw/PIYA0lC/QTiq8Btqf6sEK5YWXtQy+yn9q5kB/rmi8zjaz0FUNigRrjL+26ao+c7NKpgmR+TRqbRd5VeJ46PuFD5M3c+MBeUoF1PT0zfioQFJ1mQoXwVix0n260clEXQDp4t0GZuNpWGTS+YTuJZ2vl6TDZtt8jrnENd99QArr2KU+NMTq8T2KYcPeQOoYsm7v/1TBkbv9UStllhjdE7HZSivPT8oRkF2YZYgytDxtCZG8i5iCK+vbNn6QmZMjuXPoBUeW+Njm70tlsirrKpUX+QiogA2qljxPD9st2eUkA7cATyOBkK7WLh1HYv2xyKpPtkkaELG+EHjmaVjVdyVAgUYwqg+MbIw1OyDpNmMZcW3iOpGpflXPMmLjKNMhee0//G7NxcGfwmIMbIiBkeofOnWDrMo+0PRULFtn6C7aA7ddirck+k="
+
+admin_usernames: [ art, majakomel, mehul ]
+non_admin_usernames: [ agrabeli ]

ansible/roles/ansible_controller/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+- name: install base deps
+  ansible.builtin.apt:
+    name:
+      - "awscli"
+      - "etckeeper"
+      - "git"
+      - "python3-dnspython"
+      - "python3-boto3"
+      - "tmux"
+      - "vim"
+    state: "latest"
+    update_cache: "yes"
+
+- name: set the hostname
+  ansible.builtin.hostname:
+    name: "ansible-controller"
+
+- name: clone devops repo into /srv/devops
+  ansible.builtin.git:
+    repo: "https://github.com/ooni/devops.git"
+    dest: /srv/devops

ansible/roles/ssh_users/tasks/main.yml

@@ -0,0 +1,65 @@
+---
+- name: create admin users
+  tags: ssh_users
+  user:
+    name: "{{ item }}"
+    group: "admin"
+    comment: "{{ ssh_users[item].comment }}"
+    shell: /bin/bash
+    state: present
+  with_items: "{{ admin_usernames }}"
+
+- name: create non-admin users
+  tags: ssh_users
+  user:
+    name: "{{ item }}"
+    group: "users"
+    comment: "{{ ssh_users[item].comment }}"
+    shell: /bin/bash
+    state: present
+  with_items: "{{ non_admin_usernames }}"
+
+- name: create .ssh dir for admin users
+  tags: ssh_users
+  file:
+    path: "/home/{{item}}/.ssh"
+    state: directory
+    owner: "{{item}}"
+    group: "admin"
+    mode: 0700
+  with_items: "{{ admin_usernames }}"
+
+- name: create .ssh dir for non-admin users
+  tags: ssh_users
+  file:
+    path: "/home/{{item}}/.ssh"
+    state: directory
+    owner: "{{item}}"
+    group: "users"
+    mode: 0700
+  with_items: "{{ non_admin_usernames }}"
+
+- name: create .ssh/authorized_keys for each user
+  tags: ssh_users
+  template:
+    src: authorized_keys
+    dest: "/home/{{item}}/.ssh/authorized_keys"
+    owner: "{{item}}"
+    mode: 0400
+  with_items: "{{ admin_usernames | union(non_admin_usernames) }}"
+
+- name: list all users currently on the system
+  shell: "getent passwd | awk -F: '$3 > 1000 {print $1}'"
+  register: user_list
+
+- name: remove any stale users
+  user:
+    name: "{{ item }}"
+    state: "absent"
+    remove: yes
+  with_items: user_list.stdout_lines
+  when: "item != 'nobody' and item not in (admin_usernames | union(non_admin_usernames))"
+
+
+- name: sudoers.d/80-admins
+  template: src=sudoers dest=/etc/sudoers.d/80-admins owner=root group=root mode=0440 validate='visudo -cf %s'

ansible/roles/ssh_users/templates/authorized_keys

@@ -0,0 +1,5 @@
+# managed by ansible
+# see roles/ssh_users/templates/authorized_keys
+{% for k in ssh_users[item]['keys'] %}
+{{ k }}
+{% endfor %}

ansible/roles/ssh_users/templates/sudoers

@@ -0,0 +1,4 @@
+# ansible-managed in roles/ssh_users/templates/sudoers
+{% for username in admin_usernames %}
+{{ ssh_users[username].login }} ALL=(ALL:ALL) NOPASSWD: ALL
+{% endfor %}