ooni · hellais · Jul 3, 2024 · Jul 3, 2024 · Jul 3, 2024 · Jul 3, 2024
diff --git a/ansible/controller-playbook.yml b/ansible/controller-playbook.yml
@@ -0,0 +1,7 @@
+---
+- hosts: 127.0.0.1
+  connection: local
+  become: yes
+  roles:
+    - ssh_users
+    - ansible_controller
diff --git a/ansible/group_vars/all/vars.yml b/ansible/group_vars/all/vars.yml
@@ -0,0 +1,22 @@
+ssh_users:
+  agrabeli:
+    login: agrabeli
+    comment: Maria Xynou
+    keys: ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDD0JSwM+t3Uz9lS3Mjoz9oo4vOToWyzboZhYQbP8JY5HvFtAvWanWHnUBO91t6hkgKIMiUqhdCJn26fqkhSGe/bRBaFUocOmuyfcmZoRdi0qzAskmycJsj/w6vWR4x6MYkmJvSeI/MGxjEFt4s2MfOG1tP8CBLUYft9qUleeJa7Jln8c+xbnqB7YngaI190icQHE9NuIB2CXvzbmo3tLtHNMagEwI7VoBDj6mxzTxBd9JhuhF4w5uGxxm0Gp1hzk+15obNnaBS+Anr7jXz8FPwwxCH+XhBZxB1PPpcIayKrf9iLyGtwmhkdDoWCqYAr1mue3LxFso+TZF4bwE4Cjt1 agrabelh@agrabelh"]
+  art:
+    login: art
+    comment: Arturo Filasto
+    keys: ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsibU0nsQFFIdolD1POzXOws4VetV0ZNByINRzY8Hx0 [email protected]"]
+  majakomel:
+    login: majakomel
+    comment: Maja Komel
+    keys:
+      - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7gWQL4h/IyMbwDuMIXbTVmNEm8Yx19Ftt0P2e3OyWctSMH7WGaHc6b0dGoGh6Y4x0Kpw5h0iHWshP8Rg0pckNG9LeDjLY9nLR3Jv66ogFQtFi1DAlg4CXe369N70rBN9iurndgXjShW9OV+bY+MOlW8Fmmm67Vg0xFiYuYzjgUOpl4ofkbLGAQ7sJRBzpDV6TqHhGfOdYMDJyfFvurVz0oSyEZPFFRv4Css9iVk7BGsBukCCpUuax8akEeEjxWWCvjYXva7OA0jHKayfPAroZx/OJh01rhFe7wxlu5JwUKOcevvAZqeHh6200C82ijZOCN+Qq9yvxOH+OgzhnQwnoetIbGFgnb4CkDxo7dVLc/DFyObznC4f26f5D1OyPMUX8AEarEVdEPwsEfD2ePQr6qek0XWCWtYvGklb+GRLk9Yn0VL1qwvgrtstHdeXsKONTPKRxaCjWHu18dQaG2qOUnZ+St6SHeL49CN9aav2azNI/YKoQ9SGR4D23XeBRsW8="
+  mehul:
+    login: mehul
+    comment: Mehul Gulati
+    keys:
+      - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEZSA9TKUaYWG8gfnMoyDZO2S6vsy87xma4R/EzNpveZiOZTYSNn+UDL8NpQRuH5YgdWuQV2E7sKw/PIYA0lC/QTiq8Btqf6sEK5YWXtQy+yn9q5kB/rmi8zjaz0FUNigRrjL+26ao+c7NKpgmR+TRqbRd5VeJ46PuFD5M3c+MBeUoF1PT0zfioQFJ1mQoXwVix0n260clEXQDp4t0GZuNpWGTS+YTuJZ2vl6TDZtt8jrnENd99QArr2KU+NMTq8T2KYcPeQOoYsm7v/1TBkbv9UStllhjdE7HZSivPT8oRkF2YZYgytDxtCZG8i5iCK+vbNn6QmZMjuXPoBUeW+Njm70tlsirrKpUX+QiogA2qljxPD9st2eUkA7cATyOBkK7WLh1HYv2xyKpPtkkaELG+EHjmaVjVdyVAgUYwqg+MbIw1OyDpNmMZcW3iOpGpflXPMmLjKNMhee0//G7NxcGfwmIMbIiBkeofOnWDrMo+0PRULFtn6C7aA7ddirck+k="
+
+admin_usernames: [ art, majakomel, mehul ]
+non_admin_usernames: [ agrabeli ]
diff --git a/ansible/roles/ansible_controller/tasks/main.yml b/ansible/roles/ansible_controller/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+- name: install base deps
+  ansible.builtin.apt:
+    name:
+      - "awscli"
+      - "etckeeper"
+      - "git"
+      - "python3-dnspython"
+      - "python3-boto3"
+      - "tmux"
+      - "vim"
+    state: "latest"
+    update_cache: "yes"
+
+- name: set the hostname
+  ansible.builtin.hostname:
+    name: "ansible-controller"
+
+- name: clone devops repo into /srv/devops
+  ansible.builtin.git:
+    repo: "https://github.com/ooni/devops.git"
+    dest: /srv/devops
diff --git a/ansible/roles/ssh_users/tasks/main.yml b/ansible/roles/ssh_users/tasks/main.yml
@@ -0,0 +1,65 @@
+---
+- name: create admin users
+  tags: ssh_users
+  user:
+    name: "{{ item }}"
+    group: "admin"
+    comment: "{{ ssh_users[item].comment }}"
+    shell: /bin/bash
+    state: present
+  with_items: "{{ admin_usernames }}"
+
+- name: create non-admin users
+  tags: ssh_users
+  user:
+    name: "{{ item }}"
+    group: "users"
+    comment: "{{ ssh_users[item].comment }}"
+    shell: /bin/bash
+    state: present
+  with_items: "{{ non_admin_usernames }}"
+
+- name: create .ssh dir for admin users
+  tags: ssh_users
+  file:
+    path: "/home/{{item}}/.ssh"
+    state: directory
+    owner: "{{item}}"
+    group: "admin"
+    mode: 0700
+  with_items: "{{ admin_usernames }}"
+
+- name: create .ssh dir for non-admin users
+  tags: ssh_users
+  file:
+    path: "/home/{{item}}/.ssh"
+    state: directory
+    owner: "{{item}}"
+    group: "users"
+    mode: 0700
+  with_items: "{{ non_admin_usernames }}"
+
+- name: create .ssh/authorized_keys for each user
+  tags: ssh_users
+  template:
+    src: authorized_keys
+    dest: "/home/{{item}}/.ssh/authorized_keys"
+    owner: "{{item}}"
+    mode: 0400
+  with_items: "{{ admin_usernames | union(non_admin_usernames) }}"
+
+- name: list all users currently on the system
+  shell: "getent passwd | awk -F: '$3 > 1000 {print $1}'"
+  register: user_list
+
+- name: remove any stale users
+  user:
+    name: "{{ item }}"
+    state: "absent"
+    remove: yes
+  with_items: user_list.stdout_lines
+  when: "item != 'nobody' and item not in (admin_usernames | union(non_admin_usernames))"
+
+
+- name: sudoers.d/80-admins
+  template: src=sudoers dest=/etc/sudoers.d/80-admins owner=root group=root mode=0440 validate='visudo -cf %s'
diff --git a/ansible/roles/ssh_users/templates/authorized_keys b/ansible/roles/ssh_users/templates/authorized_keys
@@ -0,0 +1,5 @@
+# managed by ansible
+# see roles/ssh_users/templates/authorized_keys
+{% for k in ssh_users[item]['keys'] %}
+{{ k }}
+{% endfor %}
diff --git a/ansible/roles/ssh_users/templates/sudoers b/ansible/roles/ssh_users/templates/sudoers
@@ -0,0 +1,4 @@
+# ansible-managed in roles/ssh_users/templates/sudoers
+{% for username in admin_usernames %}
+{{ ssh_users[username].login }} ALL=(ALL:ALL) NOPASSWD: ALL
+{% endfor %}