diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml
index bcf224f..05b55f6 100755
--- a/playbooks/gateways.yml
+++ b/playbooks/gateways.yml
@@ -7,6 +7,7 @@
 - prerequisites
 - server-apt-repos
 - server-basic
+ - users
 - system-sysctl-gateway
 - git-repos
 - service-haveged
diff --git a/roles/ffmwu-server/meta/main.yml b/roles/ffmwu-server/meta/main.yml
deleted file mode 100644
index 069cff8..0000000
--- a/roles/ffmwu-server/meta/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-dependencies:
-- { role: ffmwu-prereqs }
-- { role: packages, server_pkg_repo_list: "{{meshing_pkg_repo_list}}",
- server_pkg_pkg_list: "{{meshing_pkg_pkg_list}}",
- server_pkg_pip_list: "{{meshing_pkg_pip_list}}",
- really_do: "{{ansible_managed_server}}" }
diff --git a/roles/ffmwu-server/tasks/main.yml b/roles/ffmwu-server/tasks/main.yml
deleted file mode 100644
index 07e8678..0000000
--- a/roles/ffmwu-server/tasks/main.yml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-
-# we don't want to disrupt servers where this role is manually maintained!
-# thus: warning and block statement
-
-- name: full-stop if server role is manually maintained on this server
- debug: msg="server role skipped to not disrupt manual maintenance - set ansible_managed_server to True to enable ansible control"
- when: (not ansible_managed_server is defined) or (not ansible_managed_server)
-
-- block:
- - name: ensure needed system users are present
- user: name=admin comment="Freifunk MWU Admin" shell=/bin/bash state=present
-
- - name: ensure all wanted ssh keys exclusively
- authorized_key: exclusive=True state=present user=admin
- key={{ mwu_s_admin_keys ~ ( h_v_add_auth_keys | default('') ) }}
-
- - name: ensure vim is default editor
- alternatives: name=editor path=/usr/bin/vim.basic
-
- - name: set timezone to Europe/Berlin
- timezone: name=Europe/Berlin
-
- when: (ansible_managed_server is defined) and (ansible_managed_server)
-# end block
diff --git a/roles/ffmwu-server/vars/main.yml b/roles/ffmwu-server/vars/main.yml
deleted file mode 100644
index 47c6b33..0000000
--- a/roles/ffmwu-server/vars/main.yml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-
-# for package role :::::::::::::::::::::::::::::::::::::::::::::::::
-
-# not def: server_pkg_repo_list
-
-server_pkg_pkg_list:
-- software-properties-common
-- apt-transport-https
-- man-db
-- mosh
-- ntp
-- sudo
-- sysfsutils
-- vim
-- vnstat
-- vnstati
-
-# not def: server_pkg_pip_list
-
-# for tasks ::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-
-mwu_s_admin_keys: |
- ssh-rsa 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 kaba
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9iZOonZ/WGmtgpZgs9vibpq6HJhpvuciBa8vzjysIYYiqNGgLvtZxw/2Af0/ykTdsP09A28RVGJXel6u8I2b16a0e+H2yBbUn8pXFow8xODPXezN0J/U7CDb8mRF9SkBJEzqVt1ndchJWU/qTi/nqbPfNaurB8EXkIDGcmDiCci25RVBDUvSSQBP+XIxQICJgeJ66CYcrD1Sry65H8tVSsWr6+fruNFZQRYyxAFu/7wW3J/RfFJQJFF9WNRzspChsjYRqrYdZCCx6GZ0qQxK4hwqfVbv3cPjZGFfcLrQaOCUMIiDUVEVmmdp0phE7eYDYewxD2Yaw1+fIJ+hWal6F moritz@wwwserv.de
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAgwquzleAfo0ZccCikwh9aD0cBA0XrvEmQIB06XUUyn kokel
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGom9IEjz5utkAWg2wSm0uk+JC0A2tFlz2coAAvA2/An prisma@oimelmobil
- ssh-rsa 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 ungenannter@niki
- ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAEo1sehLaRTeibVbUVuwRQyw7Zi58AzfqGwwRVUKejBWVDqZrFdxP6BpK9BqeVSo46n+Z5RJtOFU+F7wTsMPdRnbwHO/ZOljWV/RoKrNU3ZMRZnI3WWGT4u6zrmkO3rdLshLk8Z5lGIKJQg/vaqUbsHHgPI5BmDxfVyXM70M3922lx41w== juventas
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTwobxZo1wyRFUDZ32jM9AvCDUMTghSDAQMdffOrOaD8AAvVuaFzR6/yNvPHUhMOIb4CQPnaXGiTYumXRXRJrA9X2AgMSRuubySrpwkqRIje9HvQ1WfDdo4OWPYj/ArAlgxUqmLAyEjolmM8TY2aRvCPCrtE39oFfx5eCfLGkh0hn6wOGN7Gz8bh8P9n10ihYLrHhQsjEplXOX28b+9UojjjZX0Sfwk82u+/8f1y3ebT6kcPQx5OKqWU2GGbLgOOptkrguSu+vmF4KyxR9ayEqY2OpNdr7G+xp+4DC1pJhnIWq+GbcsH8xQVMDZPYaUjJQOiduRB0U5CqclSc22d39 belzebub
diff --git a/roles/server-basic/vars/main.yml b/roles/server-basic/vars/main.yml
index a94f7d8..3624da3 100644
--- a/roles/server-basic/vars/main.yml
+++ b/roles/server-basic/vars/main.yml
@@ -8,7 +8,6 @@ packages:
 - mlocate
 - mosh
 - python3-yaml
- - sudo
 - sysfsutils
 - unattended-upgrades
 - vim
diff --git a/roles/users/README.md b/roles/users/README.md
new file mode 100644
index 0000000..bedcdca
--- /dev/null
+++ b/roles/users/README.md
@@ -0,0 +1,21 @@
+# Ansible role users
+
+Diese Ansible role konfiguriert System- und Admin-Benutzer.
+
+- installiert sudo
+- stellt sicher, dass gewünschte Benutzer angelegt sind
+- erstellt pro Benutzer eine sudoers Datei unter /etc/sudoers.d
+
+## Benötigte Variablen
+
+- Liste `system_users` # Pro Listeneintrag ein dict für System-Benutzer
+ - `name` # Benutzername
+ - `comment`
+ - `shell`
+ - `home`
+ - `state`
+ - `ssh_keys` # Erwartet eine Liste wie z.B. `ssh_keys_admin_team`
+- Liste `admin_users` # Pro Listeneintrag ein dict für Admin-Benutzer
+- Liste `ssh_keys_admin_team` # Pro Listeneintrag ein dict für Public Keys
+ - `name`
+ `ssh_public_key`
diff --git a/roles/users/defaults/main.yml b/roles/users/defaults/main.yml
new file mode 100644
index 0000000..b1227cd
--- /dev/null
+++ b/roles/users/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+system_users:
+
+admin_users:
+
+ssh_keys_admin_team:
diff --git a/roles/users/files/belzebub.pub b/roles/users/files/belzebub.pub
new file mode 100644
index 0000000..11ab802
--- /dev/null
+++ b/roles/users/files/belzebub.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTwobxZo1wyRFUDZ32jM9AvCDUMTghSDAQMdffOrOaD8AAvVuaFzR6/yNvPHUhMOIb4CQPnaXGiTYumXRXRJrA9X2AgMSRuubySrpwkqRIje9HvQ1WfDdo4OWPYj/ArAlgxUqmLAyEjolmM8TY2aRvCPCrtE39oFfx5eCfLGkh0hn6wOGN7Gz8bh8P9n10ihYLrHhQsjEplXOX28b+9UojjjZX0Sfwk82u+/8f1y3ebT6kcPQx5OKqWU2GGbLgOOptkrguSu+vmF4KyxR9ayEqY2OpNdr7G+xp+4DC1pJhnIWq+GbcsH8xQVMDZPYaUjJQOiduRB0U5CqclSc22d39 belzebub
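Review bot: The three bare keys in defaults/main.yml (`system_users:`, `admin_users:`, `ssh_keys_admin_team:`) parse as null rather than as empty lists, so a play that relies on the defaults hands `with_items: "{{ system_users }}"` a None value instead of an empty loop. Write them as `system_users: []`, `admin_users: []` and `ssh_keys_admin_team: []` so the role is a clean no-op when nothing is configured. The role's vars/main.yml in this commit overrides all three anyway, which hides the problem until vars/ is trimmed.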
diff --git a/roles/users/files/juventas.pub b/roles/users/files/juventas.pub
new file mode 100644
index 0000000..b5848cf
--- /dev/null
+++ b/roles/users/files/juventas.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAEo1sehLaRTeibVbUVuwRQyw7Zi58AzfqGwwRVUKejBWVDqZrFdxP6BpK9BqeVSo46n+Z5RJtOFU+F7wTsMPdRnbwHO/ZOljWV/RoKrNU3ZMRZnI3WWGT4u6zrmkO3rdLshLk8Z5lGIKJQg/vaqUbsHHgPI5BmDxfVyXM70M3922lx41w== juventas
diff --git a/roles/users/files/kaba.pub b/roles/users/files/kaba.pub
new file mode 100644
index 0000000..192123c
--- /dev/null
+++ b/roles/users/files/kaba.pub
@@ -0,0 +1 @@
+ssh-rsa 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 kaba
diff --git a/roles/users/files/kokel.pub b/roles/users/files/kokel.pub
new file mode 100644
index 0000000..05f2c37
--- /dev/null
+++ b/roles/users/files/kokel.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAgwquzleAfo0ZccCikwh9aD0cBA0XrvEmQIB06XUUyn kokel
diff --git a/roles/users/files/moritz.pub b/roles/users/files/moritz.pub
new file mode 100644
index 0000000..2f50c18
--- /dev/null
+++ b/roles/users/files/moritz.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9iZOonZ/WGmtgpZgs9vibpq6HJhpvuciBa8vzjysIYYiqNGgLvtZxw/2Af0/ykTdsP09A28RVGJXel6u8I2b16a0e+H2yBbUn8pXFow8xODPXezN0J/U7CDb8mRF9SkBJEzqVt1ndchJWU/qTi/nqbPfNaurB8EXkIDGcmDiCci25RVBDUvSSQBP+XIxQICJgeJ66CYcrD1Sry65H8tVSsWr6+fruNFZQRYyxAFu/7wW3J/RfFJQJFF9WNRzspChsjYRqrYdZCCx6GZ0qQxK4hwqfVbv3cPjZGFfcLrQaOCUMIiDUVEVmmdp0phE7eYDYewxD2Yaw1+fIJ+hWal6F moritz@wwwserv.de
diff --git a/roles/users/files/prisma.pub b/roles/users/files/prisma.pub
new file mode 100644
index 0000000..74a0197
--- /dev/null
+++ b/roles/users/files/prisma.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGom9IEjz5utkAWg2wSm0uk+JC0A2tFlz2coAAvA2/An prisma@oimelmobil
diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml
new file mode 100644
index 0000000..dfd20ad
--- /dev/null
+++ b/roles/users/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+- name: ensure sudo is installed
+ package:
+ name: "sudo"
+ state: present
+
+- name: ensure system users are present
+ user:
+ name: "{{ item.name }}"
+ comment: "{{ item.comment }}"
+ shell: "{{ item.shell }}"
+ home: "{{ item.home }}"
+ state: "{{ item.state }}"
+ with_items: "{{ system_users }}"
+
+- name: ensure ssh config directory is present
+ file:
+ path: "{{ item.home }}/.ssh"
+ state: directory
+ owner: "{{ item.name }}"
+ group: "{{ item.name }}"
+ mode: '0700'
+ with_items: "{{ system_users }}"
+
+- name: configure ssh public keys
+ template:
+ src: "authorized_keys.j2"
+ dest: "{{ item.home }}/.ssh/authorized_keys"
+ owner: "{{ item.name }}"
+ group: "{{ item.name }}"
+ mode: '0600'
+ with_items: "{{ system_users }}"
+
+- name: configure passwordless sudo access
+ template:
+ src: "sudoers.j2"
+ dest: "/etc/sudoers.d/{{ item.name }}"
+ owner: root
+ group: root
+ mode: '0440'
+ validate: "/usr/sbin/visudo -cf %s"
+ with_items: "{{ system_users }}"
+
+- name: remove admin lines from /etc/sudoers
+ lineinfile:
+ path: "/etc/sudoers"
+ state: absent
+ regexp: '^admin\s'
+ validate: "/usr/sbin/visudo -cf %s"
diff --git a/roles/users/templates/authorized_keys.j2 b/roles/users/templates/authorized_keys.j2
new file mode 100644
index 0000000..3e13f38
--- /dev/null
+++ b/roles/users/templates/authorized_keys.j2
@@ -0,0 +1,3 @@
+{% for key in item.ssh_keys %}
+{{ key.ssh_public_key }}
+{% endfor %}
diff --git a/roles/users/templates/sudoers.j2 b/roles/users/templates/sudoers.j2
new file mode 100644
index 0000000..ed70701
--- /dev/null
+++ b/roles/users/templates/sudoers.j2
@@ -0,0 +1,2 @@
+# {{ ansible_managed }}
+admin ALL=NOPASSWD: ALL
diff --git a/roles/users/vars/main.yml b/roles/users/vars/main.yml
new file mode 100644
index 0000000..77cc653
--- /dev/null
+++ b/roles/users/vars/main.yml
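Review bot: The `.ssh` directory, authorized_keys and sudoers tasks in tasks/main.yml loop over every `system_users` entry regardless of `item.state`, so an entry with `state: absent` is removed by the `user:` task and the following `file:` task then fails on the nonexistent owner, while an existing `/etc/sudoers.d/<name>` file for that account stays in place. Gate the three follow-up tasks with `when: item.state | default('present') == 'present'` and add a matching task that sets `/etc/sudoers.d/{{ item.name }}` to `state: absent` for removed entries. Passwordless sudo is also granted to every entry of `system_users`, not only to `admin_users`, which the README introduces as a separate list but which no task reads; either loop the sudoers task over `admin_users` or drop that list from the README. The deleted ffmwu-server role skipped hosts unless `ansible_managed_server` was true; this role has no equivalent guard, which may be intended but is worth a comment at the top of the file.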
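Review bot: `sudoers.j2` hard-codes the user name `admin`, but tasks/main.yml renders it once per `system_users` entry into `/etc/sudoers.d/{{ item.name }}`, so a file written for any other user still grants `admin` passwordless sudo and grants nothing to the user it is named after. Use the loop variable in the template: `{{ item.name }} ALL=NOPASSWD: ALL`. The `visudo -cf` validation in the task checks syntax only and will not catch this.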
@@ -0,0 +1,24 @@
+---
+system_users:
+ - name: "admin"
+ comment: "Freifunk Admin Account"
+ shell: "/bin/bash"
+ home: "/home/admin"
+ state: "present"
+ ssh_keys: "{{ ssh_keys_admin_team }}"
+
+admin_users:
+
+ssh_keys_admin_team:
+ - name: kaba
+ ssh_public_key: "{{ lookup('file', 'kaba.pub') }}"
+ - name: moritz
+ ssh_public_key: "{{ lookup('file', 'moritz.pub') }}"
+ - name: juventas
+ ssh_public_key: "{{ lookup('file', 'juventas.pub') }}"
+ - name: prisma
+ ssh_public_key: "{{ lookup('file', 'prisma.pub') }}"
+ - name: kokel
+ ssh_public_key: "{{ lookup('file', 'kokel.pub') }}"
+ - name: belzebub
+ ssh_public_key: "{{ lookup('file', 'belzebub.pub') }}"
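Review bot: `system_users` and `ssh_keys_admin_team` are defined in `vars/main.yml`, where role vars take precedence over inventory, group and host vars, so the admin account and the set of trusted keys cannot be changed per host or per environment without `-e`; the README presents them as variables the caller supplies, which only works if they live in `defaults/main.yml` (which in this commit holds only null placeholders). Move the two lists to defaults/ and keep vars/ for values that must not be overridden. `admin_users:` is a bare key and parses as null; write `admin_users: []` or drop it, since no task reads it.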