From 091c5a78a62a6bf138ec604542298c62df42626b Mon Sep 17 00:00:00 2001
From: Ethan Paul
Date: Mon, 6 Sep 2021 00:45:55 -0400
Subject: [PATCH] Add playbook for updating existing settings
---
 playbooks/provision.yaml | 5 ++
 playbooks/update.yaml | 161 +++++++++++++++++++++++++++++++++++++++
 playbooks/vars | 1 +
 vars/access.yaml | 3 +
 vars/sshkeys.yaml | 9 +++
 5 files changed, 179 insertions(+)
 create mode 100644 playbooks/update.yaml
 create mode 120000 playbooks/vars
 create mode 100644 vars/sshkeys.yaml
diff --git a/playbooks/provision.yaml b/playbooks/provision.yaml
index 6603cac..74ab9cc 100644
--- a/playbooks/provision.yaml
+++ b/playbooks/provision.yaml
@@ -49,6 +49,7 @@
 requirements: "{{ skylab_ansible_venv }}/requirements.txt"
 state: present
+
 - name: Configure common server settings
 hosts: all
 vars_files:
@@ -101,6 +102,7 @@
 name: "{{ skylab_packages_global + skylab_packages_rocky }}"
 state: present
+
 - name: Configure SSH
 hosts: all
 handlers:
@@ -162,3 +164,6 @@
 src: motd.j2
 dest: /etc/motd
 mode: 0644
+
+
+- import_playbook: update.yaml
diff --git a/playbooks/update.yaml b/playbooks/update.yaml
new file mode 100644
index 0000000..fe37f3f
--- /dev/null
+++ b/playbooks/update.yaml
@@ -0,0 +1,161 @@
+---
+- name: Update system
+ hosts: all
+ tags:
+ - packages
+ vars_files:
+ - vars/packages.yaml
+ tasks:
+ - name: Update system packages via DNF
+ when: ansible_distribution == "Rocky"
+ become: true
+ ansible.builtin.dnf:
+ name: "*"
+ state: latest
+
+- name: Update unix accounts
+ hosts: all
+ tags:
+ - accounts
+ - access
+ vars_files:
+ - vars/access.yaml
+ - vars/sshkeys.yaml
+ tasks:
+ - name: Create management groups
+ become: true
+ ansible.builtin.group:
+ name: "{{ item.name }}"
+ gid: "{{ item.gid }}"
+ state: present
+ loop:
+ - "{{ skylab_group }}"
+ - "{{ skylab_group_admin }}"
+ - "{{ skylab_group_automation }}"
+
+ - name: Determine existing skylab users
+ changed_when: false
+ ansible.builtin.shell:
+ cmd: 'grep {{ skylab_group.name }} /etc/group | cut --delimiter : --fields 4 | tr "," "\n"'
+ register: _existing_skylab_accounts
+
+ - name: Delete removed user accounts
+ become: true
+ when: item not in (skylab_accounts | items2dict(key_name='name', value_name='uid'))
+ ansible.builtin.user:
+ name: "{{ item }}"
+ state: absent
+ loop: "{{ _existing_skylab_accounts.stdout_lines }}"
+
+ - name: Delete removed user groups
+ become: true
+ when: item not in (skylab_accounts | items2dict(key_name='name', value_name='uid'))
+ ansible.builtin.group:
+ name: "{{ item }}"
+ state: absent
+ loop: "{{ _existing_skylab_accounts.stdout_lines }}"
+
+ - name: Delete removed user home directories
+ become: true
+ when: item not in (skylab_accounts | items2dict(key_name='name', value_name='uid'))
+ ansible.builtin.file:
+ path: "/home/{{ item }}"
+ state: absent
+ loop: "{{ _existing_skylab_accounts.stdout_lines }}"
+
+ - name: Create account groups
+ when: item.targets | intersect(skylab_targets)
+ become: true
+ ansible.builtin.group:
+ name: "{{ item.name }}"
+ gid: "{{ item.uid }}"
+ state: present
+ loop: "{{ skylab_accounts }}"
+ loop_control:
+ label: "{{ item.uid }},{{ item.name }}"
+
+ - name: Determine account groups
+ ansible.builtin.set_fact:
+ _determined_member_groups: "{{ _determined_member_groups | default({}) | combine({item.name: [
+ skylab_group.name,
+ 'wheel' if (item.admin | default(false) and ansible_distribution == 'Rocky') else '',
+ 'sudo' if (item.admin | default(false) and ansible_os_family == 'Debian') else '',
+ skylab_group_admin.name if item.admin | default(false) else '',
+ skylab_group_automation.name if item.service | default(false) else '',
+ ]}) }}"
+ loop: "{{ skylab_accounts }}"
+ loop_control:
+ label: "{{ item.uid }},{{ item.name }}"
+
+ - name: Create accounts
+ when: item.targets | intersect(skylab_targets)
+ become: true
+ ansible.builtin.user:
+ name: "{{ item.name }}"
+ state: present
+ uid: "{{ item.uid }}"
+ group: "{{ item.name }}"
+ groups: "{{ _determined_member_groups[item.name] }}"
+ comment: "{{ item.fullname | default('') }}"
+ system: "{{ item.service | default(false) }}"
+ generate_ssh_key: false
+ password: "{{ item.password }}"
+ loop: "{{ skylab_accounts }}"
+ loop_control:
+ label: "{{ item.uid }},{{ item.name }}"
+
+ - name: Ensure proper ownership of user home directories
+ become: true
+ ansible.builtin.file:
+ path: /home/{{ item.name }}
+ state: directory
+ group: "{{ item.name }}"
+ owner: "{{ item.name }}"
+ mode: 0700
+ loop: "{{ skylab_accounts }}"
+ loop_control:
+ label: "{{ item.uid }},{{ item.name }}"
+
+ - name: Enforce root password
+ become: true
+ ansible.builtin.user:
+ name: root
+ password: "{{ skylab_root_password }}"
+ state: present
+
+ - name: Create SSH directory
+ become: true
+ ansible.builtin.file:
+ path: /home/{{ item.name }}/.ssh
+ owner: "{{ item.name }}"
+ group: "{{ item.name }}"
+ state: directory
+ mode: 0700
+ loop: "{{ skylab_accounts }}"
+ loop_control:
+ label: "{{ item.uid }},{{ item.name }}"
+
+ - name: Update authorized keys
+ become: true
+ when: item.targets | intersect(skylab_targets)
+ ansible.builtin.authorized_key:
+ user: "{{ item.name }}"
+ key: "{{ skylab_ssh_keys[item.name] | join('\n') }}"
+ state: present
+ exclusive: true
+ loop: "{{ skylab_accounts }}"
+ loop_control:
+ label: "{{ item.uid }},{{ item.name }}"
+
+ - name: Enforce ownership of authorized keys
+ become: true
+ when: item.targets | intersect(skylab_targets)
+ ansible.builtin.file:
+ path: /home/{{ item.name }}/.ssh/authorized_keys
+ state: file
+ owner: "{{ item.name }}"
+ group: "{{ item.name }}"
+ mode: 0400
+ loop: "{{ skylab_accounts }}"
+ loop_control:
+ label: "{{ item.uid }},{{ item.name }}"
diff --git a/playbooks/vars b/playbooks/vars
new file mode 120000
index 0000000..b11f011
--- /dev/null
+++ b/playbooks/vars
@@ -0,0 +1 @@
+../vars/
\ No newline at end of file
diff --git a/vars/access.yaml b/vars/access.yaml
index d842c85..43faccd 100644
--- a/vars/access.yaml
+++ b/vars/access.yaml
@@ -5,6 +5,7 @@ skylab_accounts:
 fullname: Ethan N. Paul
 targets: [cloud]
 admin: true
+ password: $y$j9T$cWkd9aGj4sNepyJm5NVZl0$yBhFy3cN3syM8r4doGYnsLZhsaTLQVoDIBs2kkXtxY2
 - name: ansible
 uid: 1400
@@ -24,3 +25,5 @@ skylab_group_admin:
 skylab_group_automation:
 name: skylab_auto
 gid: 1202
+
+skylab_root_password: $y$j9T$vcNKa2vbTBQLGsU7QZfkM0$4.gw4YqknZJSZJ/uRKFI36G8JtK/MJPsxFdTTmzQoL6
diff --git a/vars/sshkeys.yaml b/vars/sshkeys.yaml
new file mode 100644
index 0000000..251ce60
--- /dev/null
+++ b/vars/sshkeys.yaml
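Review bot: The three `Delete removed …` tasks remove accounts, primary groups and home directories from whatever member list `grep {{ skylab_group.name }} /etc/group` produces, but an unanchored grep matches every line containing that name as a substring (other `skylab_*` management groups, or a user name in a member field), so the deletion loops can receive members of groups this play never meant to manage. Looking the group up with the `ansible.builtin.getent` module matches the exact name and drops the shell pipeline entirely; the rewritten lookup task and the replacement `loop:` expression are below, and the same `loop:` change applies to all three deletion tasks. Separately, `password: "{{ item.password }}"` in `Create accounts` is undefined for any `skylab_accounts` entry without a `password` key — the `vars/access.yaml` hunk in this commit adds one only to the first visible account — so `password: "{{ item.password | default(omit) }}"` would leave the password field untouched (a newly created account then has no usable password) instead of aborting the play. Likewise `skylab_ssh_keys[item.name]` in `Update authorized keys` fails with an undefined variable for accounts that have no entry in `vars/sshkeys.yaml`; because the task runs with `exclusive: true`, either guard it with `when: item.name in skylab_ssh_keys` or supply a deliberate empty default, whichever matches the intended key policy.
```yaml
    - name: Determine existing skylab users
      ansible.builtin.getent:
        database: group
        key: "{{ skylab_group.name }}"

    - name: Delete removed user accounts
      # … unchanged: become / when / ansible.builtin.user …
      # getent_group[<name>] is [password, gid, members]; members is a comma-separated string
      loop: "{{ getent_group[skylab_group.name][2].split(',') | select | list }}"

    # … unchanged: Delete removed user groups / home directories, with the same loop expression …
```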
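Review bot: The `password:` value added to the first account and the new `skylab_root_password` are password hashes committed in plain text to a versioned vars file, so anyone with read access to the repository or its history (even after a later removal) can attempt offline guessing against the root and admin credentials. Encrypting just these two scalars with `ansible-vault encrypt_string` and storing the resulting `!vault` tagged value in place keeps the rest of `vars/access.yaml` readable and requires no change on the playbook side. Both values are also unquoted plain scalars; they parse as strings today, but quoting them (`'$y$…'`) makes that explicit and protects against a future hash format whose characters YAML would misinterpret.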
@@ -0,0 +1,9 @@
+---
+skylab_ssh_keys:
+ enpaul:
+ - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDi9rWRC15og/+3Jc3AMHOrlIc2BHaAX9PLbklz3qfFtSOp9bIScMcH5ZR6lyVSgP8RCEjI5HuZejDUJTXUQYfvEJeno//vmxn9Vw66lpMz/FSJ3JcDbjDVI1pe3A8mTOAS+AoVOEzCUOJVZJvdI272Hgf+QRBu+ONQ12u+2XYdVfLFDe7mAG+vEJRBatwb8B7Al+/LUpIrCuPm9PzMBtCMFjWGaqQgnyJYRSPIGxz9231XIjwhHLOQG1R0jLGuS37X+J49Y5JYDaHf9q9KH76GjdO2rOq6aGvwN93Y4Z+D2hMOklhD0Ez/ZE+I3ZUPV0e5pF28gsA6L7gTeqmSGpQaKdwjCUoU12VM70OVxng5p2+7DIc0k2np7rnvd4zybgn9OMM+TIO5M3c6ocDuNsEmRgfS3V99X5oh9qNy35UdBXV08j0wFoUo1KcyGwyNBYzKzvkkvtgJezVKmqSPKeBjMgMX4UsJsMn27Zosk0ZgoUwLFPO9Pg7uShncwgsTnvYDR1ws53PV832gc7A85ud/dC9Fjn6jBsMQaCFbiZktc5J8mv3cugQHQesbq8Y2aNVRu+ECb+KUvAEdPacWdBOkk0IvZ4PvLrAs2xehF6FYVqKVtPlJMaUAAwj9vVx7Nl2HnsSRIrCgxsMOTOhbbp/3NrvM8r6K7zKBzXg2TNgQeQ== enpaul@ph-1
+ - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8K74AXz6LBYfoXRbY1pKP+1rvi5BpjFOkg1uYuMM+q78toagSREpLrbjvPtoL8fkEFox4T9TUaME08ZP8560R6iRk35extTTiXquflEwvpsF+e9Lv8E712s/1ydJpkYoux1OohE4W5D9DjVMEW1tjXeb+9aDUcVml6YKMpKLpjEIVanyjHMN13XgswKZGoK3mVMnWxE36fbGVVfiFCvMr/BpjqGShRCxmvldzgq76i1BpTKi6omOjvpgRQcUJcDhYcHAUVSlNccgGLmlAPiUillA//pk84yczzH1dQBB6571Ab5ldoUDBU/hJ0W27aeOfrepup4hNuUt2oux+zAn+uetAuAWKU2Kd0Oo6L5IKObbAQLI0CXfyrmHlrYXwTyNMFleeOdw7s9lf2ra3YCYVXfMALdE6pp+HJLBxzg9kMBbTp6zkV7ZKi75AQhyBJA0s4+vRUccBtJit3Tls+aw/3rd9Dt9lLaXkE80khoKsUI0eiuXtPDlurGxkpcTe6Al/lChNA19pdKEUsBmhD6UUvMTYWlApmta/+xf0wDsSyHqJcnIGx8Qdtg3c4j1Ch+WXwbdOwk8XJrL0atWmv2ium1ll/arO2NFBmbwG1LG/lzJ1k/DoAiHrKrb1HdlwDk0O/7xF/zyC2mfVZKO36+g4XlA7wDJc0tB5vIymlEy2rw== enpaul@serico-nox
+ - ssh-rsa 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 enpaul@vigil-nox
+ ansible:
+ - ssh-rsa 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 enpaul@serico-nox-ansible
+ - ssh-rsa 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 enpaul@vigil-nox-ansible