From 90855de87a10afb40113cf15515a16baa7a5afc6 Mon Sep 17 00:00:00 2001 From: Thomas Kleinendorst Date: Thu, 11 Apr 2024 10:39:03 +0200 Subject: [PATCH] Update custom user role --- README.md | 12 +++------- requirements.yml | 3 --- roles/cloudflare-ddns/tasks/main.yml | 12 ++++------ roles/cloudflare-ddns/vars/defaults.yml | 13 ----------- roles/cloudflare-ddns/vars/vault.yml | 9 +++++++ roles/{zsh => user}/tasks/main.yml | 31 +++++++++++++++++++++---- vault.yml | 24 ++++++++++--------- 7 files changed, 56 insertions(+), 48 deletions(-) delete mode 100644 roles/cloudflare-ddns/vars/defaults.yml create mode 100644 roles/cloudflare-ddns/vars/vault.yml rename roles/{zsh => user}/tasks/main.yml (62%) diff --git a/README.md b/README.md index cc99716..363d08a 100644 --- a/README.md +++ b/README.md @@ -53,15 +53,9 @@ When logged in the user will be prompted with the **zsh** configured with **[Oh ![zsh](./images/zsh.png) ## Other -### Creating users with the `singleplatform-eng.users` role -See the documentation [here](https://galaxy.ansible.com/ui/standalone/roles/singleplatform-eng/users/documentation/). The `password` setting for users states that a hash should be provided. -This hash should be stored within an ansible vault and can be generated with the following command: - -```bash -# Enter the password after which the hash will be printed -mkpasswd -m sha512crypt -``` - +### Debugging users other than the main user +The **user** role included in this repository makes it possible to create new users which will also have a fully configured +ZSH environment. They can't be accessed via SSH because no SSH keys are added for them and password logins are disabled. Logging into the new user's account can be done as follows (for testing and debugging): ```bash diff --git a/requirements.yml b/requirements.yml index abbeb83..a7fcc8e 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -4,6 +4,3 @@ collections:
   # See: https://galaxy.ansible.com/ui/repo/published/devsec/hardening/
   - name: devsec.hardening
     version: 9.0.1
-roles:
-  - name: singleplatform-eng.users
-    version: v1.2.6
diff --git a/roles/cloudflare-ddns/tasks/main.yml b/roles/cloudflare-ddns/tasks/main.yml
index d655684..bad6523 100644
--- a/roles/cloudflare-ddns/tasks/main.yml
+++ b/roles/cloudflare-ddns/tasks/main.yml
@@ -1,14 +1,10 @@
 ---
-- include_vars: defaults.yml
+- include_vars: vault.yml
 # TODO: Configure ZSH correctly by reasusing the zsh role by running the commands as the new user.
 # see: https://serverfault.com/questions/662443/running-ansible-task-as-a-specific-user
 - name: Create a new user
   ansible.builtin.include_role:
-    name: singleplatform-eng.users
-    apply:
-      become: true
+    name: user
   vars:
-    users:
-      - username: cloudflare_ddns
-        name: '-'
-        password: "{{ cloudflare_ddns_user_password_hash }}"
+    username: cloudflare_ddns
+    password: "{{ cloudflare_ddns_user_password }}"
diff --git a/roles/cloudflare-ddns/vars/defaults.yml b/roles/cloudflare-ddns/vars/defaults.yml
deleted file mode 100644
index 4a9ecb6..0000000
--- a/roles/cloudflare-ddns/vars/defaults.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-38343230616338653130383466333361323362326431303133616166373864333766366263613134
-6533376165613166646366396366646663383937303835650a343134336239613266643931393766
-62613963313431626564616239333531643361653739396363343362313035646561656239656366
-6462636435353931350a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
diff --git a/roles/cloudflare-ddns/vars/vault.yml b/roles/cloudflare-ddns/vars/vault.yml
new file mode 100644
index 0000000..acabed6
--- /dev/null
+++ b/roles/cloudflare-ddns/vars/vault.yml
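Review bot: The TODO comment kept above `Create a new user` is now stale: the renamed `user` role introduced by this commit is exactly the reuse it asks for and runs the ZSH steps as the new account via `become_user`, so the comment (and its "reasusing" typo) should be replaced with something like `# The user role creates the account and configures ZSH for it, see roles/user/tasks/main.yml`. The plaintext `cloudflare_ddns_user_password` is now handed to the role as a var and hashed there with a `password_salt` that nothing in this file defines; presumably it comes from the root `vault.yml` touched by this commit but not shown here, and that dependency deserves a one-line comment next to `include_vars: vault.yml` so the next reader knows where the salt is expected from. Since `apply: become: true` was dropped, the privilege escalation now lives inside the `user` role task by task; that is fine, but worth stating in the same comment so nobody re-adds it here.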
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+66356265626336393935313366363030306565343830633365383938383363376430326330633430
+6138653236396139613861393639303766633062323336310a373133336139316661383039303533
+63343563333232633166353061346630326339303062663066663464333733613164623864306264
+6165366331373734660a623664353734613037343537646135663239616239383136636562356137
+62646565626565663831396137313364626632353064633661333135636439663537343438653237
+66633733353435653031366533376463616335633131613862393764353337643665353464623939
+33613931343561316133386636613036666363663161353163306566393234323239643762386130
+35623434313161313034
diff --git a/roles/zsh/tasks/main.yml b/roles/user/tasks/main.yml
similarity index 62%
rename from roles/zsh/tasks/main.yml
rename to roles/user/tasks/main.yml
index db5d21e..74aae3d 100644
--- a/roles/zsh/tasks/main.yml
+++ b/roles/user/tasks/main.yml
@@ -1,14 +1,29 @@
 ---
 # The ZSH installation instructions are sourced from this blog:
 # https://harshithashok.com/tools/oh-my-zsh-with-starship/
-- name: Install zsh # noqa: package-latest
+- name: Create a new user
+  become: true
+  ansible.builtin.user:
+    append: true
+    groups:
+      - users
+    name: "{{ username }}"
+    # Salt is necessary, see: https://stackoverflow.com/questions/56869949/ansible-user-module-always-shows-changed
+    password: "{{ password | password_hash('sha512', password_salt) }}"
+  when: username is not undefined # Skip when no user is provided, we'll asume we're targetting the Ansible user.
+- name: Set fact for defining the user which should run the next modules
+  ansible.builtin.set_fact:
+    target_user: "{{ ansible_facts['user_id'] if username is undefined else username }}"
+- name: Ensuring ZSH is installed # noqa: package-latest
   become: true
   ansible.builtin.apt:
     pkg:
-      - git
+      - acl # Needed to prevent this error: https://stackoverflow.com/questions/46352173/ansible-failed-to-set-permissions-on-the-temporary
       - zsh
     state: latest
 - name: Install Oh My ZSH # noqa: command-instead-of-module ignore error since we're removing the script after install.
+  become: true
+  become_user: "{{ target_user }}"
   ansible.builtin.shell: |
     wget https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh
     chmod u+x install.sh
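Review bot: `git` was dropped from the `pkg:` list of `Ensuring ZSH is installed` when `acl` was added, but the `Install zsh-autosuggestions` task in the next hunk still runs `git clone`, so unless another role installs git first the role now fails on a minimal host; keep `- git` next to `- acl` and `- zsh`. The hash in `Create a new user` is built with one shared `password_salt` for every account this role creates, which keeps the task idempotent as the comment explains, but also means identical passwords yield identical hashes across users; a per-user salt kept in the vault (or derived per `username`) would avoid that while remaining stable between runs. `password_salt` is not defined anywhere in this hunk, presumably it comes from the root `vault.yml` changed in this commit, so a short comment such as `# password_salt is expected from the caller's vault` next to its use would document the contract. The comment on the `when:` line has two typos ("asume", "targetting"). The shell body of `Install Oh My ZSH` continues past the end of the hunk.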
@@ -28,21 +43,29 @@
     executable: /bin/bash
     creates: /usr/local/bin/starship
 - name: Install zsh-autosuggestions # noqa: command-instead-of-module ignore error since we're removing the script after install.
+  become: true
+  become_user: "{{ target_user }}"
   ansible.builtin.command:
     cmd: git clone https://github.com/zsh-users/zsh-autosuggestions ~/.oh-my-zsh/custom/plugins/zsh-autosuggestions
     creates: ~/.oh-my-zsh/custom/plugins/zsh-autosuggestions
 - name: Clear "ZSH_THEME" in ~/.zshrc
+  become: true
+  become_user: "{{ target_user }}"
   ansible.builtin.lineinfile:
     path: ~/.zshrc
     regexp: '^ZSH_THEME="[^"]+"$'
     line: ZSH_THEME=""
 - name: Add the zsh-autosuggestions plugin in ~/.zshrc
+  become: true
+  become_user: "{{ target_user }}"
   ansible.builtin.lineinfile:
     path: ~/.zshrc
     regexp: '^plugins=\((.*)(?