Update custom user role

This commit is contained in:
Thomas Kleinendorst 2024-04-11 10:39:03 +02:00
parent fb017565f4
commit 90855de87a
7 changed files with 56 additions and 48 deletions


@ -53,15 +53,9 @@ When logged in the user will be prompted with the **zsh** configured with **[Oh
![zsh](./images/zsh.png) ![zsh](./images/zsh.png)
## Other ## Other
### Creating users with the `singleplatform-eng.users` role ### Debugging users other than the main user
See the documentation [here](https://galaxy.ansible.com/ui/standalone/roles/singleplatform-eng/users/documentation/). The `password` setting for users states that a hash should be provided. The **user** role included in this repository makes it possible to create new users which will also have a fully configured
This hash should be stored within an ansible vault and can be generated with the following command: ZSH environment. They can't be accessed via SSH because no SSH keys are added for them and password logins are disabled.
```bash
# Enter the password after which the hash will be printed
mkpasswd -m sha512crypt
```
Logging into the new user's account can be done as follows (for testing and debugging): Logging into the new user's account can be done as follows (for testing and debugging):
```bash ```bash


@ -4,6 +4,3 @@ collections:
# See: https://galaxy.ansible.com/ui/repo/published/devsec/hardening/ # See: https://galaxy.ansible.com/ui/repo/published/devsec/hardening/
- name: devsec.hardening - name: devsec.hardening
version: 9.0.1 version: 9.0.1
roles:
- name: singleplatform-eng.users
version: v1.2.6


@ -1,14 +1,10 @@
--- ---
- include_vars: defaults.yml - include_vars: vault.yml
# TODO: Configure ZSH correctly by reasusing the zsh role by running the commands as the new user. # TODO: Configure ZSH correctly by reasusing the zsh role by running the commands as the new user.
# see: https://serverfault.com/questions/662443/running-ansible-task-as-a-specific-user # see: https://serverfault.com/questions/662443/running-ansible-task-as-a-specific-user
- name: Create a new user - name: Create a new user
ansible.builtin.include_role: ansible.builtin.include_role:
name: singleplatform-eng.users name: user
apply:
become: true
vars: vars:
users: username: cloudflare_ddns
- username: cloudflare_ddns password: "{{ cloudflare_ddns_user_password }}"
name: '-'
password: "{{ cloudflare_ddns_user_password_hash }}"
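Review bot: `include_vars: vault.yml` on the second line of the hunk now loads a plaintext password (the removed variable was a hash), and `include_vars` returns the loaded variables in its task result, so a run with `-v` or any callback that records results will show `cloudflare_ddns_user_password` in the clear; add `no_log: true` to that task, e.g. `- ansible.builtin.include_vars: vault.yml` followed by `  no_log: true`. The role is called with only `username` and `password`, yet its user task hashes with `password_hash('sha512', password_salt)`; if `password_salt` is not a role default or inventory variable, that task fails on an undefined variable, so confirm where it is defined. `apply: become: true` duplicates the `become: true` the role now sets on each of its tasks and could be dropped to keep a single escalation point.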


@ -1,13 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
38343230616338653130383466333361323362326431303133616166373864333766366263613134
6533376165613166646366396366646663383937303835650a343134336239613266643931393766
62613963313431626564616239333531643361653739396363343362313035646561656239656366
6462636435353931350a626132313565636666653839653839666465363262663365643264383331
31316338313262636263346339653030363831643133643837333666383363616331653432326164
36383561393561643439363931343532626335363937303432653938633439663435666234646533
63653730633333626430656663636130663962643765303236343763383965643535653566633766
39323166633933646162633032336335386265386237383133653865343435386530386139613061
33343738643736306630326235313730303661333431376238363334313463363734383730343638
65303365343433326630323066376132376465333965343930363066363561663530306261303961
37626233623762353632653039353231623432316232323831343262343731353533343863326135
36313836646130333431


@ -0,0 +1,9 @@
$ANSIBLE_VAULT;1.1;AES256
66356265626336393935313366363030306565343830633365383938383363376430326330633430
6138653236396139613861393639303766633062323336310a373133336139316661383039303533
63343563333232633166353061346630326339303062663066663464333733613164623864306264
6165366331373734660a623664353734613037343537646135663239616239383136636562356137
62646565626565663831396137313364626632353064633661333135636439663537343438653237
66633733353435653031366533376463616335633131613862393764353337643665353464623939
33613931343561316133386636613036666363663161353163306566393234323239643762386130
35623434313161313034


@ -1,14 +1,29 @@
--- ---
# The ZSH installation instructions are sourced from this blog: # The ZSH installation instructions are sourced from this blog:
# https://harshithashok.com/tools/oh-my-zsh-with-starship/ # https://harshithashok.com/tools/oh-my-zsh-with-starship/
- name: Install zsh # noqa: package-latest - name: Create a new user
become: true
ansible.builtin.user:
append: true
groups:
- users
name: "{{ username }}"
# Salt is necessary, see: https://stackoverflow.com/questions/56869949/ansible-user-module-always-shows-changed
password: "{{ password | password_hash('sha512', password_salt) }}"
when: username is not undefined # Skip when no user is provided, we'll asume we're targetting the Ansible user.
- name: Set fact for defining the user which should run the next modules
ansible.builtin.set_fact:
target_user: "{{ ansible_facts['user_id'] if username is undefined else username }}"
- name: Ensuring ZSH is installed # noqa: package-latest
become: true become: true
ansible.builtin.apt: ansible.builtin.apt:
pkg: pkg:
- git - acl # Needed to prevent this error: https://stackoverflow.com/questions/46352173/ansible-failed-to-set-permissions-on-the-temporary
- zsh - zsh
state: latest state: latest
- name: Install Oh My ZSH # noqa: command-instead-of-module ignore error since we're removing the script after install. - name: Install Oh My ZSH # noqa: command-instead-of-module ignore error since we're removing the script after install.
become: true
become_user: "{{ target_user }}"
ansible.builtin.shell: | ansible.builtin.shell: |
wget https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh wget https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh
chmod u+x install.sh chmod u+x install.sh
@ -28,21 +43,29 @@
executable: /bin/bash executable: /bin/bash
creates: /usr/local/bin/starship creates: /usr/local/bin/starship
- name: Install zsh-autosuggestions # noqa: command-instead-of-module ignore error since we're removing the script after install. - name: Install zsh-autosuggestions # noqa: command-instead-of-module ignore error since we're removing the script after install.
become: true
become_user: "{{ target_user }}"
ansible.builtin.command: ansible.builtin.command:
cmd: git clone https://github.com/zsh-users/zsh-autosuggestions ~/.oh-my-zsh/custom/plugins/zsh-autosuggestions cmd: git clone https://github.com/zsh-users/zsh-autosuggestions ~/.oh-my-zsh/custom/plugins/zsh-autosuggestions
creates: ~/.oh-my-zsh/custom/plugins/zsh-autosuggestions creates: ~/.oh-my-zsh/custom/plugins/zsh-autosuggestions
- name: Clear "ZSH_THEME" in ~/.zshrc - name: Clear "ZSH_THEME" in ~/.zshrc
become: true
become_user: "{{ target_user }}"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: ~/.zshrc path: ~/.zshrc
regexp: '^ZSH_THEME="[^"]+"$' regexp: '^ZSH_THEME="[^"]+"$'
line: ZSH_THEME="" line: ZSH_THEME=""
- name: Add the zsh-autosuggestions plugin in ~/.zshrc - name: Add the zsh-autosuggestions plugin in ~/.zshrc
become: true
become_user: "{{ target_user }}"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: ~/.zshrc path: ~/.zshrc
regexp: '^plugins=\((.*)(?<!zsh-autosuggestions)\)$' regexp: '^plugins=\((.*)(?<!zsh-autosuggestions)\)$'
line: 'plugins=(\1 zsh-autosuggestions)' line: 'plugins=(\1 zsh-autosuggestions)'
backrefs: true backrefs: true
- name: Add Starship eval in ~/.zshrc - name: Add Starship eval in ~/.zshrc
become: true
become_user: "{{ target_user }}"
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: ~/.zshrc path: ~/.zshrc
block: |- block: |-
@ -52,5 +75,5 @@
- name: Change the default shell of the current user - name: Change the default shell of the current user
become: true become: true
ansible.builtin.user: ansible.builtin.user:
name: "{{ ansible_facts['user_id'] }}" name: "{{ target_user }}"
shell: /bin/zsh shell: /usr/bin/zsh
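Review bot: In the first hunk the `Create a new user` task hashes every password with the same `password_salt`, whose definition is not in this commit; if that is a single role-wide value, every account created by this role shares one salt, so identical passwords produce identical hashes across accounts. A per-user salt (for example a vaulted salt passed next to `password`, then `password_hash('sha512', password_salt)` with that value) keeps the idempotency the comment is after without sharing it; alternatively `update_password: on_create` lets the filter use a random salt without reporting `changed` on every run. Smaller points: `when: username is not undefined` reads better as `when: username is defined`, the trailing comment has typos (`asume` → `assume`, `targetting` → `targeting`), and in the last hunk the task name `Change the default shell of the current user` is stale now that it acts on `{{ target_user }}`. The shell body of the `Install Oh My ZSH` task continues past the end of the first hunk.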


@ -1,12 +1,14 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
35363131353033623862663935613138653762333339653537663562383437303061613535313739 34373038613431663961616561383563333464646230303766356139333961633736333665346666
6162393830346534363031363832333261343334643236370a626166613738336563383765363134 3461323862343164303961306339613536303261623435360a623839623764306639343766646666
64656532393433623434323861303531393231383939613036306231343965646262666330336165 38376535623131386335383361656430633364646130343939623036636339306531393036663861
3863303932663731340a303138316666333733363161653061316235326361343465366231663665 3438366666643962360a613238333032626666633833376530356666373531306439386464393138
32646236653532333231666261616661366665303236356261316535333138336633306562356130 32353438613636303963623132373930383166626264303030376535633762646638653363366231
64353064373061663537626439346631383838666233323932643562323533396364613063333431 62633566653139336538636265666332323632636236633363636563626539613962393766303038
66323338646262396432366433373366613564656230333432373762306461363234636365646532 34316163643663303866376633376361633865646664336163623038383735313835313863363264
65303161346464313964643036646539356664326261616362333336666265613435383630356164 61646336313765353264333034303131316130376538643763306438353031333964353534636561
66326631373538333739376165393333393833636164626138643762623763396338623038623863 62313639623039323135636630356638633932343737626163316434636461316437346230616631
30663431343438613062386235646265663262636533653034333434663162363031396135326361 62386432373465336330386564626561376630313938343039653366346666333138653835363831
303937623733336261653636623061306632 32646336633632616332393430343630636332393565353431386238326238643630633466333561
35626666636236336132363639663663613237613238366139396332333266346238333032666236
3033