Add role users

playbooks/gateways.yml

@@ -7,6 +7,7 @@
     - prerequisites
     - server-apt-repos
     - server-basic
+    - users
     - system-sysctl-gateway
     - git-repos
     - service-haveged

roles/ffmwu-server/meta/main.yml

@@ -1,7 +0,0 @@
----
-dependencies:
-- { role: ffmwu-prereqs }
-- { role: packages, server_pkg_repo_list: "{{meshing_pkg_repo_list}}",
-                    server_pkg_pkg_list: "{{meshing_pkg_pkg_list}}",
-                    server_pkg_pip_list: "{{meshing_pkg_pip_list}}",
-                    really_do: "{{ansible_managed_server}}" }

roles/ffmwu-server/tasks/main.yml

@@ -1,25 +0,0 @@
----
-
-# we don't want to disrupt servers where this role is manually maintained!
-# thus: warning and block statement
-
-- name: full-stop if server role is manually maintained on this server
-  debug: msg="server role skipped to not disrupt manual maintenance - set ansible_managed_server to True to enable ansible control"
-  when: (not ansible_managed_server is defined) or (not ansible_managed_server)
-
-- block:
-  - name: ensure needed system users are present
-    user: name=admin comment="Freifunk MWU Admin" shell=/bin/bash state=present
-
-  - name: ensure all wanted ssh keys exclusively
-    authorized_key: exclusive=True state=present user=admin
-                key={{ mwu_s_admin_keys ~ ( h_v_add_auth_keys | default('') ) }}
-
-  - name: ensure vim is default editor
-    alternatives: name=editor path=/usr/bin/vim.basic
-
-  - name: set timezone to Europe/Berlin
-    timezone: name=Europe/Berlin
-
-  when: (ansible_managed_server is defined) and (ansible_managed_server)
-# end block

roles/ffmwu-server/vars/main.yml

@@ -1,30 +0,0 @@
----
-
-# for package role :::::::::::::::::::::::::::::::::::::::::::::::::
-
-# not def: server_pkg_repo_list
-
-server_pkg_pkg_list:
-- software-properties-common
-- apt-transport-https
-- man-db
-- mosh
-- ntp
-- sudo
-- sysfsutils
-- vim
-- vnstat
-- vnstati
-
-# not def: server_pkg_pip_list
-
-# for tasks ::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-
-mwu_s_admin_keys: |
-    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEA2ProGXZXgOu1qAkY1COL4vvIdMpBAi/eg7/SvQRUrm1H8typyJHJPOvaMO8ozm9r4HQ7hZRL6Mf25IhTx9HFvlKwEbMpqUrIudBV/r07E0q4fjWWEY3OTUjSOUkArviKnYzhM8zYD9pSq6gXcCBXVGgNZsIEIeESvct/p8gB2dPI0DB81HEimCWHu1ge6KqClukxQZtmszT8rQZKWFK/yJkEBdAJtfcZSJg0IhqfJ7Zhuu4qPc8uAy7EkdsaidbU09tWVxdhHD27JAh3gFr62f+L4D9OKhl96sopEqkJmsYQe9GgjoUiKYD4DAvOWU3MmNsgc6xwRmgsaYcQaHVZEy/uF2XCLN1Ahq6UI6R/RDrMkxNVR+AF6BKagPGiId9UTNWM1BvARAMBjakptW6rU3Bwb8In3vItQT9rhG6RQcCBuAqLphXXqlGNsPDeY1E/T9uYRfeS6MIE+3VwuC2Q/NVWMXa2np9JgCjC29ur1w1+BiBeU3iwv+shHqq0zoNyX/EizkPuG8IyK1MrVY1sOUVcQzFFV+PMn8DMWgJpm0eeXJyxa3KBTovtINsFCWfDWtojkB0aC5/XKZAbVC4pOKNRROctRpcdLERNqV9dZ5TkIriB1N2/Z48hjQPimjlFrR8+v1pt37YP/2lvAbOf1sTysu8ey9pFTt7jiiTR5NM= kaba
-    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9iZOonZ/WGmtgpZgs9vibpq6HJhpvuciBa8vzjysIYYiqNGgLvtZxw/2Af0/ykTdsP09A28RVGJXel6u8I2b16a0e+H2yBbUn8pXFow8xODPXezN0J/U7CDb8mRF9SkBJEzqVt1ndchJWU/qTi/nqbPfNaurB8EXkIDGcmDiCci25RVBDUvSSQBP+XIxQICJgeJ66CYcrD1Sry65H8tVSsWr6+fruNFZQRYyxAFu/7wW3J/RfFJQJFF9WNRzspChsjYRqrYdZCCx6GZ0qQxK4hwqfVbv3cPjZGFfcLrQaOCUMIiDUVEVmmdp0phE7eYDYewxD2Yaw1+fIJ+hWal6F moritz@wwwserv.de
-    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAgwquzleAfo0ZccCikwh9aD0cBA0XrvEmQIB06XUUyn kokel
-    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGom9IEjz5utkAWg2wSm0uk+JC0A2tFlz2coAAvA2/An prisma@oimelmobil
-    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD4s/bIf+tU8/3ClsC3D6Rw7+9lr6Jmt0E1e6S+UVlKGJU9cvYNSQGSKpm7lCaIVUe+j4I4BES/Bkj+ZXvKIpUGTx7R/YnwO+95pS/oiu73QyBORnTeuBfCtz5eQJurD/9Z9OV5VtkleKVGSVwTeiBV+aKD1CrKYLiu5PGxyZsv981TZ6G2uxO3VG+M2OXd0ARV6/Lb5Aw8Xw9bHA4WqVKE6RFVb8va/E+O0hZO0q0ww57P3pfrReSozkZAv7tk/o4wTl+4sPMWhvi/X+KBvHkeiz5lo6eFSZfXzmCTvO8Xb6T8fgMf6fYWUr9+DpmYvjZ5/bBPojbhkQ09JyEirocueYxBqZM7riOeVYG7I941TIWiBpeACv+eGZMFYYNhb8zLW4/Oozk1CKs0Axb3B227+HXWkuB3lh2GKPQBS6lgRWsoCrHGzH1HGLDlt1ucAOwQgI5gJFY+SEjAe7pW+namiR33QaWqoksozwqJCK/1sRB2YUkW5wQ8+YW1hBoudly8sYXxBnwhXygduCmzGAhlTyUN2oLr8X+5UW2jo6jdON1WH8mENfPJc4OSEU1ZHOzeg0d5/48GzrIWWDE9wJzjagLYLA9vK763gM16Y0tG7ZXA5x2UfS1FGM5Yv+jcn0qagBS/bAI27Sa4ZuXXrrBpzzUrEcf/34w63X003PQi3Q== ungenannter@niki
-    ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAEo1sehLaRTeibVbUVuwRQyw7Zi58AzfqGwwRVUKejBWVDqZrFdxP6BpK9BqeVSo46n+Z5RJtOFU+F7wTsMPdRnbwHO/ZOljWV/RoKrNU3ZMRZnI3WWGT4u6zrmkO3rdLshLk8Z5lGIKJQg/vaqUbsHHgPI5BmDxfVyXM70M3922lx41w== juventas
-    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTwobxZo1wyRFUDZ32jM9AvCDUMTghSDAQMdffOrOaD8AAvVuaFzR6/yNvPHUhMOIb4CQPnaXGiTYumXRXRJrA9X2AgMSRuubySrpwkqRIje9HvQ1WfDdo4OWPYj/ArAlgxUqmLAyEjolmM8TY2aRvCPCrtE39oFfx5eCfLGkh0hn6wOGN7Gz8bh8P9n10ihYLrHhQsjEplXOX28b+9UojjjZX0Sfwk82u+/8f1y3ebT6kcPQx5OKqWU2GGbLgOOptkrguSu+vmF4KyxR9ayEqY2OpNdr7G+xp+4DC1pJhnIWq+GbcsH8xQVMDZPYaUjJQOiduRB0U5CqclSc22d39 belzebub

roles/server-basic/vars/main.yml

@@ -8,7 +8,6 @@ packages:
   - mlocate
   - mosh
   - python3-yaml
-  - sudo
   - sysfsutils
   - unattended-upgrades
   - vim

roles/users/README.md

@@ -0,0 +1,21 @@
+# Ansible role users
+
+Diese Ansible role konfiguriert System- und Admin-Benutzer.
+
+- installiert sudo
+- stellt sicher, dass gewünschte Benutzer angelegt sind
+- erstellt pro Benutzer eine sudoers Datei unter /etc/sudoers.d
+
+## Benötigte Variablen
+
+- Liste `system_users` # Pro Listeneintrag ein dict für System-Benutzer
+  - `name` # Benutzername
+  - `comment`
+  - `shell`
+  - `home`
+  - `state`
+  - `ssh_keys` # Erwartet eine Liste wie z.B. `ssh_keys_admin_team`
+- Liste `admin_users` # Pro Listeneintrag ein dict für Admin-Benutzer
+- Liste `ssh_keys_admin_team` # Pro Listeneintrag ein dict für Public Keys
+  - `name`
+    `ssh_public_key`

roles/users/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+system_users:
+
+admin_users:
+
+ssh_keys_admin_team:

roles/users/files/belzebub.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTwobxZo1wyRFUDZ32jM9AvCDUMTghSDAQMdffOrOaD8AAvVuaFzR6/yNvPHUhMOIb4CQPnaXGiTYumXRXRJrA9X2AgMSRuubySrpwkqRIje9HvQ1WfDdo4OWPYj/ArAlgxUqmLAyEjolmM8TY2aRvCPCrtE39oFfx5eCfLGkh0hn6wOGN7Gz8bh8P9n10ihYLrHhQsjEplXOX28b+9UojjjZX0Sfwk82u+/8f1y3ebT6kcPQx5OKqWU2GGbLgOOptkrguSu+vmF4KyxR9ayEqY2OpNdr7G+xp+4DC1pJhnIWq+GbcsH8xQVMDZPYaUjJQOiduRB0U5CqclSc22d39 belzebub

roles/users/files/juventas.pub

@@ -0,0 +1 @@
+ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAEo1sehLaRTeibVbUVuwRQyw7Zi58AzfqGwwRVUKejBWVDqZrFdxP6BpK9BqeVSo46n+Z5RJtOFU+F7wTsMPdRnbwHO/ZOljWV/RoKrNU3ZMRZnI3WWGT4u6zrmkO3rdLshLk8Z5lGIKJQg/vaqUbsHHgPI5BmDxfVyXM70M3922lx41w== juventas

roles/users/files/kaba.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEA2ProGXZXgOu1qAkY1COL4vvIdMpBAi/eg7/SvQRUrm1H8typyJHJPOvaMO8ozm9r4HQ7hZRL6Mf25IhTx9HFvlKwEbMpqUrIudBV/r07E0q4fjWWEY3OTUjSOUkArviKnYzhM8zYD9pSq6gXcCBXVGgNZsIEIeESvct/p8gB2dPI0DB81HEimCWHu1ge6KqClukxQZtmszT8rQZKWFK/yJkEBdAJtfcZSJg0IhqfJ7Zhuu4qPc8uAy7EkdsaidbU09tWVxdhHD27JAh3gFr62f+L4D9OKhl96sopEqkJmsYQe9GgjoUiKYD4DAvOWU3MmNsgc6xwRmgsaYcQaHVZEy/uF2XCLN1Ahq6UI6R/RDrMkxNVR+AF6BKagPGiId9UTNWM1BvARAMBjakptW6rU3Bwb8In3vItQT9rhG6RQcCBuAqLphXXqlGNsPDeY1E/T9uYRfeS6MIE+3VwuC2Q/NVWMXa2np9JgCjC29ur1w1+BiBeU3iwv+shHqq0zoNyX/EizkPuG8IyK1MrVY1sOUVcQzFFV+PMn8DMWgJpm0eeXJyxa3KBTovtINsFCWfDWtojkB0aC5/XKZAbVC4pOKNRROctRpcdLERNqV9dZ5TkIriB1N2/Z48hjQPimjlFrR8+v1pt37YP/2lvAbOf1sTysu8ey9pFTt7jiiTR5NM= kaba

roles/users/files/kokel.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAgwquzleAfo0ZccCikwh9aD0cBA0XrvEmQIB06XUUyn kokel

roles/users/files/moritz.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9iZOonZ/WGmtgpZgs9vibpq6HJhpvuciBa8vzjysIYYiqNGgLvtZxw/2Af0/ykTdsP09A28RVGJXel6u8I2b16a0e+H2yBbUn8pXFow8xODPXezN0J/U7CDb8mRF9SkBJEzqVt1ndchJWU/qTi/nqbPfNaurB8EXkIDGcmDiCci25RVBDUvSSQBP+XIxQICJgeJ66CYcrD1Sry65H8tVSsWr6+fruNFZQRYyxAFu/7wW3J/RfFJQJFF9WNRzspChsjYRqrYdZCCx6GZ0qQxK4hwqfVbv3cPjZGFfcLrQaOCUMIiDUVEVmmdp0phE7eYDYewxD2Yaw1+fIJ+hWal6F moritz@wwwserv.de

roles/users/files/prisma.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGom9IEjz5utkAWg2wSm0uk+JC0A2tFlz2coAAvA2/An prisma@oimelmobil

roles/users/tasks/main.yml

@@ -0,0 +1,49 @@
+---
+- name: ensure sudo is installed
+  package:
+    name: "sudo"
+    state: present
+
+- name: ensure system users are present
+  user:
+    name: "{{ item.name }}"
+    comment: "{{ item.comment }}"
+    shell: "{{ item.shell }}"
+    home: "{{ item.home }}"
+    state: "{{ item.state }}"
+  with_items: "{{ system_users }}"
+
+- name: ensure ssh config directory is present
+  file:
+    path: "{{ item.home }}/.ssh"
+    state: directory
+    owner: "{{ item.name }}"
+    group: "{{ item.name }}"
+    mode: '0700'
+  with_items: "{{ system_users }}"
+
+- name: configure ssh public keys
+  template:
+    src: "authorized_keys.j2"
+    dest: "{{ item.home }}/.ssh/authorized_keys"
+    owner: "{{ item.name }}"
+    group: "{{ item.name }}"
+    mode: '0600'
+  with_items: "{{ system_users }}"
+
+- name: configure passwordless sudo access
+  template:
+    src: "sudoers.j2"
+    dest: "/etc/sudoers.d/{{ item.name }}"
+    owner: root
+    group: root
+    mode: '0440'
+    validate: "/usr/sbin/visudo -cf %s"
+  with_items: "{{ system_users }}"
+
+- name: remove admin lines from /etc/sudoers
+  lineinfile:
+    path: "/etc/sudoers"
+    state: absent
+    regexp: '^admin\s'
+    validate: "/usr/sbin/visudo -cf %s"

roles/users/templates/authorized_keys.j2

@@ -0,0 +1,3 @@
+{% for key in item.ssh_keys %}
+{{ key.ssh_public_key }}
+{% endfor %}

roles/users/templates/sudoers.j2

@@ -0,0 +1,2 @@
+# {{ ansible_managed }}
+admin ALL=NOPASSWD: ALL

roles/users/vars/main.yml

@@ -0,0 +1,24 @@
+---
+system_users:
+  - name: "admin"
+    comment: "Freifunk Admin Account"
+    shell: "/bin/bash"
+    home: "/home/admin"
+    state: "present"
+    ssh_keys: "{{ ssh_keys_admin_team }}"
+
+admin_users:
+
+ssh_keys_admin_team:
+  - name: kaba
+    ssh_public_key: "{{ lookup('file', 'kaba.pub') }}"
+  - name: moritz
+    ssh_public_key: "{{ lookup('file', 'moritz.pub') }}"
+  - name: juventas
+    ssh_public_key: "{{ lookup('file', 'juventas.pub') }}"
+  - name: prisma
+    ssh_public_key: "{{ lookup('file', 'prisma.pub') }}"
+  - name: kokel
+    ssh_public_key: "{{ lookup('file', 'kokel.pub') }}"
+  - name: belzebub
+    ssh_public_key: "{{ lookup('file', 'belzebub.pub') }}"