
Rewrite role

Lilian Roller 1 year ago
7e225ad5fb
5 changed files with 150 additions and 102 deletions
  1. +58
    -20
      README.md
  2. +13
    -2
      defaults/main.yml
  3. +47
    -70
      tasks/main.yml
  4. +25
    -0
      tasks/ssh_user.yml
  5. +7
    -10
      templates/authorized_keys.j2

+ 58
- 20
README.md View File

@@ -1,35 +1,73 @@
role-ssh_authorized_keys
==============================

Ansible Rolle für die SSH Keys
Ansible Rolle to setup users and deploy your ssh keys

Beispiel Konfiguration:
------------

```bash
/host_vars/gw01.ffbsee.net
--------------------------
# all admins of this host
admins:
- mart
- l3d

# all non-admins of this host
user:
- franz
Variables
---------

* ``admins`` (default ``[]``):
A list of ``ssh`` keys allowed to log in as `root`.

* ``accounts`` (defailt ``[]``):
A list of usernames theat will be created on this host, if they don't exisit

* `users` (default `{}`):
A dict of user names mapping to lists of ``ssh`` keys
allowed to log in to the given user account.

* ``ssh_public_key_store`` (default ``ssh_public_keys``):
A directory path where the public key files can be found by ansible.


Files
-----

This role assumes that the *public* parts of all required ``ssh`` keys
can be found within the directory ``ssh_public_key_store``. The file
names must follow the convention: ``username_idalg.pub`` are are matched
by the ``username`` part.


Examples
--------

Alice and Bob may log in and are allowed to become ``root`` with the ``sudo`` command on this host:

# all ssh keys for all admins and users
admin_ssh_keys: 'admin_ssh_keys'
```
admins:
- alice
- bob
```
/files/admin_ssh_keys/mart_id.pub
--------------------------------
SSH-Public Key

Alice, Bob and Eve may log in to ther own user accounts via ssh:
```
users:
alice:
- alice
eve:
- eve@device1
- eve@device2
```
Eve can do so with two different `ssh` keys. Alice only with his only SSH Key.


The `files/ssh_public_keys/` contains the following files:

```
/files/admin_ssh_keys/l3d_id.pub
alice_id25519.pub
bob_id25519.pub
eve@device1_id25519.pub
eve@device2_id25519.pub
```

Generate ed25519 Certificate
--------------------------------
SSH-Public Key

```bash
ssh-keygen -t ed25519
```



+ 13
- 2
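--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,3 +1,14 @@
 ---
-
-admin_ssh_keys: 'admin_ssh_keys'
+# Directory where the ssh public keys are stored
+# inside the ansible repository
+ssh_public_key_store: 'ssh_public_keys'
+
+# all admins on this host
+admins: []
+
+# all users including their ssh keys, which may want to log in
+users: {}
+
+# all users who should be available on this host
+accounts: []
+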
+ 47
- 70
tasks/main.yml View File

@@ -8,141 +8,118 @@
group: root
mode: 'u=rwx,g=,o='

- name: Add ssh keys for admin users to user root
template:
src: 'authorized_keys.j2'
dest: '/root/.ssh/authorized_keys'
- name: Add ssh keys for root
become: yes
template:
src: authorized_keys.j2
dest: /root/.ssh/authorized_keys
owner: root
group: root
mode: 'u=rw,g=,o='
become: yes
mode: "u=rw,g=,o="
vars:
local_user: 'root'
remote_users: '{{ admins }}'

- name: Add admin group
become: yes
group:
name: 'admins'
state: present
become: yes

- name: Add admin users
user:
name: '{{ item }}'
shell: '/bin/bash'
groups: 'admins'
append: yes
with_items: '{{ admins }}'
become: yes

- name: Add individual group
become: yes
group:
name: '{{ item}}'
state: present
become: yes
with_items: '{{ user }}'
when: user is defined

with_items: '{{ accounts }}'

- name: Add non admin users
- name: Add local users
become: yes
user:
name: '{{ item }}'
shell: '/bin/bash'
groups: '{{ item }}'
append: yes
with_items: '{{ user }}'
when: user is defined
with_items: '{{ accounts }}'

- name: Create .ssh directory for all admin users
file:
path: '/home/{{ item }}/.ssh'
state: directory
owner: '{{ item }}'
group: admins
mode: 'u=rwx,g=,o='
with_items: '{{ admins }}'
- name: Copy .bashrc for local users
become: yes

- name: Create .ssh directory for non admin users
file:
path: '/home/{{ item }}/.ssh'
state: directory
owner: '{{ item }}'
group: '{{ item }}'
mode: 'u=rwx,g=,o='
with_items: '{{ user }}'
become: yes


- name: Add ssh keys for non admin users to their user
copy:
src: 'files/{{ admin_ssh_keys }}/{{ item }}_id.pub'
dest: '/home/{{ item }}/.ssh/authorized_keys'
src: 'files/home_environment/bashrc'
dest: '/home/{{ item }}/.bashrc'
owner: '{{ item }}'
group: admins
mode: 'u=rw,g=,o='
with_items: '{{ user }}'
become: yes
group: '{{ item }}'
mode: 'u=rw,g=r,o='
with_items: '{{ accounts }}'


- name: Add ssh keys for admin users to their users
copy:
src: 'files/{{ admin_ssh_keys }}/{{ item }}_id.pub'
dest: '/home/{{ item }}/.ssh/authorized_keys'
owner: '{{ item }}'
group: admins
mode: 'u=rw,g=,o='
with_items: '{{ admins }}'
become: yes

- name: Add ansible user
become: yes
user:
name: 'ansible'
shell: '/bin/bash'
groups: 'admins'
append: yes
become: yes

- name: Create .ssh directory for user ansible
become: yes
file:
path: '/home/ansible/.ssh'
state: directory
owner: ansible
group: admins
mode: 'u=rwx,g=,o='
become: yes

- name: Add ssh keys for admins to user ansible
template:
src: 'authorized_keys.j2'
dest: '/home/ansible/.ssh/authorized_keys'
owner: ansible
group: admins
mode: 'u=rw,g=,o='
become: yes
template:
src: authorized_keys.j2
dest: /root/.ssh/authorized_keys
owner: root
group: root
mode: "u=rw,g=,o="
vars:
local_user: 'ansible'
remote_users: '{{ admins }}'

- name: Copy .bashrc for user ansible
become: yes
copy:
src: 'files/home_environment/bashrc'
dest: '/home/ansible/.bashrc'
owner: ansible
group: admins
mode: 'u=rw,g=r,o='
become: yes

- name: Create /etc/sudoers.d directory
become: yes
file:
path: '/etc/sudoers.d'
state: directory
owner: root
group: root
mode: 'u=rwx,g=x,o=x'
become: yes

- name: Copy sudoers file
become: yes
copy:
src: 'files/home_environment/sudoers'
dest: '/etc/sudoers.d/ansible'
owner: root
group: root
mode: 'u=r,g=r,o='

- name: adding existing user '{{ item }}' to group sudo
become: yes
user:
name: '{{ item }}'
groups: sudo
append: yes
with_items: '{{ admins }}'

- name: Setup local users ssh keys
include_tasks: ssh_user.yml
with_dict: '{{ users }}'
loop_control:
loop_var: local_user_data


+ 25
- 0
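--- a/tasks/ssh_user.yml
+++ b/tasks/ssh_user.yml
@@ -0,0 +1,25 @@
+---
+
+- name: Extract local and remote user names
+  set_fact:
+    local_user: '{{ local_user_data.key }}'
+    remote_users: '{{ local_user_data.value }}'
+
+- name: 'Setup .ssh for user {{ local_user }}'
+  become: yes
+  file:
+    path: '/home/{{ local_user }}/.ssh/'
+    state: directory
+    owner: '{{ local_user }}'
+    group: '{{ local_user }}'
+    mode: 'u=rwx,g=,o='
+
+- name: 'Add ssh keys for user {{ local_user }}'
+  become: yes
+  template:
+    src: authorized_keys.j2
+    dest: '/home/{{ local_user }}/.ssh/authorized_keys'
+    owner: '{{ local_user }}'
+    group: '{{ local_user }}'
+    mode: 'u=rw,g=,o='
+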
+ 7
- 10
templates/authorized_keys.j2 View File

@@ -1,12 +1,9 @@
# This file is managed by Ansible
#
# See: git@github.com:ffbsee/ansible.git
#
# * DO NOT EDIT *
#
{% for admin in admins|sort %}
# {{ admin }}
{% for keyfile in lookup('fileglob', 'admin_ssh_keys/{}_*.pub'.format(admin), wantlist=True) %}
{{ lookup('file', keyfile) }}
# {{ ansible_managed }}

{% for user_name in remote_users|sort %}
# {{ user_name }}
{% for keyfile in lookup('fileglob', '{}/{}_*.pub'.format(ssh_public_key_store, user_name), wantlist=True) %}
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as your own user rather than the user \"root\".';echo;sleep 10" {{ lookup('file', keyfile) }}
{% endfor %}
{% endfor %}
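Review bot: The `no-*-forwarding,command="…"` restriction on the key line is emitted for every key the template renders, yet the template never reads `local_user`, which every caller passes (`vars: local_user: 'root'` in tasks/main.yml and `set_fact` in tasks/ssh_user.yml); as far as this commit shows, users deployed via ssh_user.yml therefore get keys that can only print the "login as your own user" message and sleep, which is a lockout rather than a restriction. Guard the options on the target account, e.g. `{% if local_user == 'root' %}no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="…" {% endif %}{{ lookup('file', keyfile) }}`, and add `no-pty` (or `restrict` on OpenSSH 7.2+) to the root variant so the forced command cannot be paired with a tty. Note also that `fileglob` silently yields an empty list when no `<user>_*.pub` file exists, so a mistyped name renders an authorized_keys with no keys for that account; a `fail`/`assert` in the calling task when the glob is empty would catch that before the file is written.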

