diff --git a/ansible/controller-playbook.yml b/ansible/controller-playbook.yml
new file mode 100644
index 00000000..0a3c1558
--- /dev/null
+++ b/ansible/controller-playbook.yml
@@ -0,0 +1,7 @@
+---
+- hosts: 127.0.0.1
+ connection: local
+ become: yes
+ roles:
+ - ssh_users
+ - ansible_controller
diff --git a/ansible/group_vars/all/vars.yml b/ansible/group_vars/all/vars.yml
new file mode 100644
index 00000000..ad49290b
--- /dev/null
+++ b/ansible/group_vars/all/vars.yml
@@ -0,0 +1,22 @@
+ssh_users:
+ agrabeli:
+ login: agrabeli
+ comment: Maria Xynou
+ keys: ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDD0JSwM+t3Uz9lS3Mjoz9oo4vOToWyzboZhYQbP8JY5HvFtAvWanWHnUBO91t6hkgKIMiUqhdCJn26fqkhSGe/bRBaFUocOmuyfcmZoRdi0qzAskmycJsj/w6vWR4x6MYkmJvSeI/MGxjEFt4s2MfOG1tP8CBLUYft9qUleeJa7Jln8c+xbnqB7YngaI190icQHE9NuIB2CXvzbmo3tLtHNMagEwI7VoBDj6mxzTxBd9JhuhF4w5uGxxm0Gp1hzk+15obNnaBS+Anr7jXz8FPwwxCH+XhBZxB1PPpcIayKrf9iLyGtwmhkdDoWCqYAr1mue3LxFso+TZF4bwE4Cjt1 agrabelh@agrabelh"]
+ art:
+ login: art
+ comment: Arturo Filasto
+ keys: ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsibU0nsQFFIdolD1POzXOws4VetV0ZNByINRzY8Hx0 arturo@ooni.org"]
+ majakomel:
+ login: majakomel
+ comment: Maja Komel
+ keys:
+ - "ssh-rsa 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"
+ mehul:
+ login: mehul
+ comment: Mehul Gulati
+ keys:
+ - "ssh-rsa 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"
+
+admin_usernames: [ art, majakomel, mehul ]
+non_admin_usernames: [ agrabeli ]
diff --git a/ansible/roles/ansible_controller/tasks/main.yml b/ansible/roles/ansible_controller/tasks/main.yml
new file mode 100644
index 00000000..c5a0c2e2
--- /dev/null
+++ b/ansible/roles/ansible_controller/tasks/main.yml
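Review bot: `become: yes` on the play is a YAML 1.1 truthy value; write `become: true` so it reads as a real boolean and passes yamllint/ansible-lint `truthy`. Because this play runs the `ssh_users` role as root against the local host, the role's "remove any stale users" task (in the tasks file added later in this commit) applies to the controller's own accounts, so the operator's own login needs to be in `admin_usernames` before the first run; a one-line comment above `roles:` stating that would save someone a lockout.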
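Review bot: Each `login` field repeats the mapping key it sits under, and the two are consumed differently elsewhere in this commit: the `ssh_users` tasks create accounts from the key (`{{ item }}` over `admin_usernames`), while the sudoers template looks up `ssh_users[username].login`. Nothing enforces that they agree, so either drop `login` or document the invariant above `ssh_users:`, e.g. `# login must equal the mapping key: accounts are created by key, sudoers entries by .login`. The `admin_usernames`/`non_admin_usernames` lists would also read better in block style, matching the `keys:` lists above them.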
@@ -0,0 +1,22 @@
+---
+- name: install base deps
+ ansible.builtin.apt:
+ name:
+ - "awscli"
+ - "etckeeper"
+ - "git"
+ - "python3-dnspython"
+ - "python3-boto3"
+ - "tmux"
+ - "vim"
+ state: "latest"
+ update_cache: "yes"
+
+- name: set the hostname
+ ansible.builtin.hostname:
+ name: "ansible-controller"
+
+- name: clone devops repo into /srv/devops
+ ansible.builtin.git:
+ repo: "https://github.com/ooni/devops.git"
+ dest: /srv/devops
diff --git a/ansible/roles/ssh_users/tasks/main.yml b/ansible/roles/ssh_users/tasks/main.yml
new file mode 100644
index 00000000..cabc6734
--- /dev/null
+++ b/ansible/roles/ssh_users/tasks/main.yml
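Review bot: The `ansible.builtin.git` task pins no `version:`, so every run checks out whatever the remote's default branch currently points at, and this is the repository the controller itself is driven from; add `version: "<branch-or-tag>"` (placeholder) and a comment saying which ref is trusted. `update_cache: "yes"` is a quoted string rather than a boolean — write `update_cache: true` — and `state: "latest"` makes the task upgrade the listed packages on every run, which may be intended on a controller but should be stated in a comment (otherwise `state: present` is the idempotent choice).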
@@ -0,0 +1,65 @@
+---
+- name: create admin users
+ tags: ssh_users
+ user:
+ name: "{{ item }}"
+ group: "admin"
+ comment: "{{ ssh_users[item].comment }}"
+ shell: /bin/bash
+ state: present
+ with_items: "{{ admin_usernames }}"
+
+- name: create non-admin users
+ tags: ssh_users
+ user:
+ name: "{{ item }}"
+ group: "users"
+ comment: "{{ ssh_users[item].comment }}"
+ shell: /bin/bash
+ state: present
+ with_items: "{{ non_admin_usernames }}"
+
+- name: create .ssh dir for admin users
+ tags: ssh_users
+ file:
+ path: "/home/{{item}}/.ssh"
+ state: directory
+ owner: "{{item}}"
+ group: "admin"
+ mode: 0700
+ with_items: "{{ admin_usernames }}"
+
+- name: create .ssh dir for non-admin users
+ tags: ssh_users
+ file:
+ path: "/home/{{item}}/.ssh"
+ state: directory
+ owner: "{{item}}"
+ group: "users"
+ mode: 0700
+ with_items: "{{ non_admin_usernames }}"
+
+- name: create .ssh/authorized_keys for each user
+ tags: ssh_users
+ template:
+ src: authorized_keys
+ dest: "/home/{{item}}/.ssh/authorized_keys"
+ owner: "{{item}}"
+ mode: 0400
+ with_items: "{{ admin_usernames | union(non_admin_usernames) }}"
+
+- name: list all users currently on the system
+ shell: "getent passwd | awk -F: '$3 > 1000 {print $1}'"
+ register: user_list
+
+- name: remove any stale users
+ user:
+ name: "{{ item }}"
+ state: "absent"
+ remove: yes
+ with_items: user_list.stdout_lines
+ when: "item != 'nobody' and item not in (admin_usernames | union(non_admin_usernames))"
+
+
+- name: sudoers.d/80-admins
+ template: src=sudoers dest=/etc/sudoers.d/80-admins owner=root group=root mode=0440 validate='visudo -cf %s'
diff --git a/ansible/roles/ssh_users/templates/authorized_keys b/ansible/roles/ssh_users/templates/authorized_keys
new file mode 100644
index 00000000..6ac054e8
--- /dev/null
+++ b/ansible/roles/ssh_users/templates/authorized_keys
@@ -0,0 +1,5 @@
+# managed by ansible
+# see roles/ssh_users/templates/authorized_keys
+{% for k in ssh_users[item]['keys'] %}
+{{ k }}
+{% endfor %}
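Review bot: `with_items: user_list.stdout_lines` in the "remove any stale users" task is a bare variable; bare names in loops have long been deprecated and, as far as I can tell, current ansible-core no longer expands them, so the loop iterates over the literal string and the cleanup silently does nothing — write `with_items: "{{ user_list.stdout_lines }}"`. Once that works the task is genuinely destructive: `remove: yes` deletes the home directory of every account with UID above 1000 that is missing from the two lists, which includes any service account created in that range, so the intent deserves a comment and the `getent passwd | awk` filter should be explicit about its bounds (`$3 > 1000` skips UID 1000, usually the first interactive user on Debian/Ubuntu — if sparing it is deliberate say so, otherwise use `>= 1000`). The listing task should carry `changed_when: false` and `check_mode: false` so it neither reports a change every run nor leaves `user_list` undefined under `--check`. The `group: "admin"` on the admin user task assumes that group already exists, which this role never creates; and `mode: 0700`/`0400` are safer quoted (`mode: "0700"`, ansible-lint `risky-octal`), with the final sudoers task written in native YAML rather than `key=value` form to match the rest of the file.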
diff --git a/ansible/roles/ssh_users/templates/sudoers b/ansible/roles/ssh_users/templates/sudoers
new file mode 100644
index 00000000..35f19537
--- /dev/null
+++ b/ansible/roles/ssh_users/templates/sudoers
@@ -0,0 +1,4 @@
+# ansible-managed in roles/ssh_users/templates/sudoers
+{% for username in admin_usernames %}
+{{ ssh_users[username].login }} ALL=(ALL:ALL) NOPASSWD: ALL
+{% endfor %}
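Review bot: The sudoers rule names each admin by `ssh_users[username].login`, while the `ssh_users` tasks in this commit create the account from the list entry itself (`name: "{{ item }}"` over `admin_usernames`); if a `login` ever differs from its key, the rule binds to an account that was never created, or to a different one. Use `{{ username }}` here, or use `.login` in both places, so there is one source of truth for the account name. The `NOPASSWD: ALL` grant looks deliberate rather than accidental — the user tasks set no password, so the accounts appear to be password-locked and a password-prompting sudo would be unusable — but that rationale should be stated in the header comment, e.g. `# NOPASSWD: admin accounts have no password and authenticate by SSH key only`; the `validate='visudo -cf %s'` on the deploying task is good and should stay.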