Update custom user role
This commit is contained in:
Thomas Kleinendorst
parent
fb017565f4
commit
90855de87a
7 changed files with 56 additions and 48 deletions
12
README.md
12
README.md
|
|
@ -53,15 +53,9 @@ When logged in the user will be prompted with the **zsh** configured with **[Oh
|
|||
|
||||
|
||||
## Other
|
||||
### Creating users with the `singleplatform-eng.users` role
|
||||
See the documentation [here](https://galaxy.ansible.com/ui/standalone/roles/singleplatform-eng/users/documentation/). The `password` setting for users states that a hash should be provided.
|
||||
This hash should be stored within an ansible vault and can be generated with the following command:
|
||||
|
||||
```bash
|
||||
# Enter the password after which the hash will be printed
|
||||
mkpasswd -m sha512crypt
|
||||
```
|
||||
|
||||
### Debugging users other than the main user
|
||||
The **user** role included in this repository makes it possible to create new users which will also have a fully configured
|
||||
ZSH environment. They can't be accessed via SSH because no SSH keys are added for them and password logins are disabled.
|
||||
Logging into the new user's account can be done as follows (for testing and debugging):
|
||||
|
||||
```bash
|
||||
|
|
|
|||
|
|
@ -4,6 +4,3 @@ collections:
|
|||
# See: https://galaxy.ansible.com/ui/repo/published/devsec/hardening/
|
||||
- name: devsec.hardening
|
||||
version: 9.0.1
|
||||
roles:
|
||||
- name: singleplatform-eng.users
|
||||
version: v1.2.6
|
||||
|
|
|
|||
|
|
@ -1,14 +1,10 @@
|
|||
---
|
||||
- include_vars: defaults.yml
|
||||
- include_vars: vault.yml
|
||||
# TODO: Configure ZSH correctly by reasusing the zsh role by running the commands as the new user.
|
||||
# see: https://serverfault.com/questions/662443/running-ansible-task-as-a-specific-user
|
||||
- name: Create a new user
|
||||
ansible.builtin.include_role:
|
||||
name: singleplatform-eng.users
|
||||
apply:
|
||||
become: true
|
||||
name: user
|
||||
vars:
|
||||
users:
|
||||
- username: cloudflare_ddns
|
||||
name: '-'
|
||||
password: "{{ cloudflare_ddns_user_password_hash }}"
|
||||
username: cloudflare_ddns
|
||||
password: "{{ cloudflare_ddns_user_password }}"
|
||||
|
|
|
|||
|
|
@ -1,13 +0,0 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
38343230616338653130383466333361323362326431303133616166373864333766366263613134
|
||||
6533376165613166646366396366646663383937303835650a343134336239613266643931393766
|
||||
62613963313431626564616239333531643361653739396363343362313035646561656239656366
|
||||
6462636435353931350a626132313565636666653839653839666465363262663365643264383331
|
||||
31316338313262636263346339653030363831643133643837333666383363616331653432326164
|
||||
36383561393561643439363931343532626335363937303432653938633439663435666234646533
|
||||
63653730633333626430656663636130663962643765303236343763383965643535653566633766
|
||||
39323166633933646162633032336335386265386237383133653865343435386530386139613061
|
||||
33343738643736306630326235313730303661333431376238363334313463363734383730343638
|
||||
65303365343433326630323066376132376465333965343930363066363561663530306261303961
|
||||
37626233623762353632653039353231623432316232323831343262343731353533343863326135
|
||||
36313836646130333431
|
||||
9
roles/cloudflare-ddns/vars/vault.yml
Normal file
9
roles/cloudflare-ddns/vars/vault.yml
Normal file
|
|
@ -0,0 +1,9 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
66356265626336393935313366363030306565343830633365383938383363376430326330633430
|
||||
6138653236396139613861393639303766633062323336310a373133336139316661383039303533
|
||||
63343563333232633166353061346630326339303062663066663464333733613164623864306264
|
||||
6165366331373734660a623664353734613037343537646135663239616239383136636562356137
|
||||
62646565626565663831396137313364626632353064633661333135636439663537343438653237
|
||||
66633733353435653031366533376463616335633131613862393764353337643665353464623939
|
||||
33613931343561316133386636613036666363663161353163306566393234323239643762386130
|
||||
35623434313161313034
|
||||
|
|
@ -1,14 +1,29 @@
|
|||
---
|
||||
# The ZSH installation instructions are sourced from this blog:
|
||||
# https://harshithashok.com/tools/oh-my-zsh-with-starship/
|
||||
- name: Install zsh # noqa: package-latest
|
||||
- name: Create a new user
|
||||
become: true
|
||||
ansible.builtin.user:
|
||||
append: true
|
||||
groups:
|
||||
- users
|
||||
name: "{{ username }}"
|
||||
# Salt is necessary, see: https://stackoverflow.com/questions/56869949/ansible-user-module-always-shows-changed
|
||||
password: "{{ password | password_hash('sha512', password_salt) }}"
|
||||
when: username is not undefined # Skip when no user is provided, we'll asume we're targetting the Ansible user.
|
||||
- name: Set fact for defining the user which should run the next modules
|
||||
ansible.builtin.set_fact:
|
||||
target_user: "{{ ansible_facts['user_id'] if username is undefined else username }}"
|
||||
- name: Ensuring ZSH is installed # noqa: package-latest
|
||||
become: true
|
||||
ansible.builtin.apt:
|
||||
pkg:
|
||||
- git
|
||||
- acl # Needed to prevent this error: https://stackoverflow.com/questions/46352173/ansible-failed-to-set-permissions-on-the-temporary
|
||||
- zsh
|
||||
state: latest
|
||||
- name: Install Oh My ZSH # noqa: command-instead-of-module ignore error since we're removing the script after install.
|
||||
become: true
|
||||
become_user: "{{ target_user }}"
|
||||
ansible.builtin.shell: |
|
||||
wget https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh
|
||||
chmod u+x install.sh
|
||||
|
|
@ -28,21 +43,29 @@
|
|||
executable: /bin/bash
|
||||
creates: /usr/local/bin/starship
|
||||
- name: Install zsh-autosuggestions # noqa: command-instead-of-module ignore error since we're removing the script after install.
|
||||
become: true
|
||||
become_user: "{{ target_user }}"
|
||||
ansible.builtin.command:
|
||||
cmd: git clone https://github.com/zsh-users/zsh-autosuggestions ~/.oh-my-zsh/custom/plugins/zsh-autosuggestions
|
||||
creates: ~/.oh-my-zsh/custom/plugins/zsh-autosuggestions
|
||||
- name: Clear "ZSH_THEME" in ~/.zshrc
|
||||
become: true
|
||||
become_user: "{{ target_user }}"
|
||||
ansible.builtin.lineinfile:
|
||||
path: ~/.zshrc
|
||||
regexp: '^ZSH_THEME="[^"]+"$'
|
||||
line: ZSH_THEME=""
|
||||
- name: Add the zsh-autosuggestions plugin in ~/.zshrc
|
||||
become: true
|
||||
become_user: "{{ target_user }}"
|
||||
ansible.builtin.lineinfile:
|
||||
path: ~/.zshrc
|
||||
regexp: '^plugins=\((.*)(?<!zsh-autosuggestions)\)$'
|
||||
line: 'plugins=(\1 zsh-autosuggestions)'
|
||||
backrefs: true
|
||||
- name: Add Starship eval in ~/.zshrc
|
||||
become: true
|
||||
become_user: "{{ target_user }}"
|
||||
ansible.builtin.blockinfile:
|
||||
path: ~/.zshrc
|
||||
block: |-
|
||||
|
|
@ -52,5 +75,5 @@
|
|||
- name: Change the default shell of the current user
|
||||
become: true
|
||||
ansible.builtin.user:
|
||||
name: "{{ ansible_facts['user_id'] }}"
|
||||
shell: /bin/zsh
|
||||
name: "{{ target_user }}"
|
||||
shell: /usr/bin/zsh
|
||||
24
vault.yml
24
vault.yml
|
|
@ -1,12 +1,14 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
35363131353033623862663935613138653762333339653537663562383437303061613535313739
|
||||
6162393830346534363031363832333261343334643236370a626166613738336563383765363134
|
||||
64656532393433623434323861303531393231383939613036306231343965646262666330336165
|
||||
3863303932663731340a303138316666333733363161653061316235326361343465366231663665
|
||||
32646236653532333231666261616661366665303236356261316535333138336633306562356130
|
||||
64353064373061663537626439346631383838666233323932643562323533396364613063333431
|
||||
66323338646262396432366433373366613564656230333432373762306461363234636365646532
|
||||
65303161346464313964643036646539356664326261616362333336666265613435383630356164
|
||||
66326631373538333739376165393333393833636164626138643762623763396338623038623863
|
||||
30663431343438613062386235646265663262636533653034333434663162363031396135326361
|
||||
303937623733336261653636623061306632
|
||||
34373038613431663961616561383563333464646230303766356139333961633736333665346666
|
||||
3461323862343164303961306339613536303261623435360a623839623764306639343766646666
|
||||
38376535623131386335383361656430633364646130343939623036636339306531393036663861
|
||||
3438366666643962360a613238333032626666633833376530356666373531306439386464393138
|
||||
32353438613636303963623132373930383166626264303030376535633762646638653363366231
|
||||
62633566653139336538636265666332323632636236633363636563626539613962393766303038
|
||||
34316163643663303866376633376361633865646664336163623038383735313835313863363264
|
||||
61646336313765353264333034303131316130376538643763306438353031333964353534636561
|
||||
62313639623039323135636630356638633932343737626163316434636461316437346230616631
|
||||
62386432373465336330386564626561376630313938343039653366346666333138653835363831
|
||||
32646336633632616332393430343630636332393565353431386238326238643630633466333561
|
||||
35626666636236336132363639663663613237613238366139396332333266346238333032666236
|
||||
3033
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue