diff --git a/README.md b/README.md
index d7c0138..cc99716 100644
--- a/README.md
+++ b/README.md
@@ -51,3 +51,24 @@ It's possible to connect to the Raspberry Pi from the internal network via eithe
 When logged in the user will be prompted with the **zsh** configured with **[Oh My Zsh](https://ohmyz.sh)** and **[Starhip](https://starship.rs) prompts**.
 ![zsh](./images/zsh.png)
+
+## Other
+### Creating users with the `singleplatform-eng.users` role
+See the documentation [here](https://galaxy.ansible.com/ui/standalone/roles/singleplatform-eng/users/documentation/). The `password` setting for users states that a hash should be provided. This hash should be stored within an ansible vault and can be generated with the following command:
+
+```bash
+# Enter the password after which the hash will be printed
+mkpasswd -m sha512crypt
+```
+
+Logging into the new user's account can be done as follows (for testing and debugging):
+
+```bash
+# Enter both the username and password
+sudo login
+```
+
+This is verified to be working:
+
+![new users](./images/login_success.png)
diff --git a/images/login_success.png b/images/login_success.png
new file mode 100644
index 0000000..1343894
Binary files /dev/null and b/images/login_success.png differ
diff --git a/playbook.yml b/playbook.yml
index 2fa0dd0..38635cc 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -15,6 +15,7 @@
 # become: true
 # - role: zsh
 - role: pi-hole
+ - role: cloudflare-ddns
 vars:
 # devsec.hardening.os_hardening vars:
 os_auth_pw_max_age: 99999 # Effectively disables the setting as mentioned in the docs. 
@@ -25,6 +26,8 @@
 ssh_allow_users: 'thomas'
 ssh_client_port: 22 # Default, but duplicated here for documentation purpose. Not changed because its only accessible via LAN.
 ssh_client_password_login: false # Default, but duplicated here for documentation purpose.
+ # Default for the "singleplatform-eng.users" role.
+ users_default_shell: '/usr/bin/zsh'
 tasks:
 # This task can be handy for debugging gathered facts, uncomment it if necessary:
 # - name: Store gathered facts in local file
diff --git a/requirements.yml b/requirements.yml
index a7fcc8e..abbeb83 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -4,3 +4,6 @@ collections:
 # See: https://galaxy.ansible.com/ui/repo/published/devsec/hardening/
 - name: devsec.hardening
 version: 9.0.1
+roles:
+ - name: singleplatform-eng.users
+ version: v1.2.6
diff --git a/roles/cloudflare-ddns/tasks/main.yml b/roles/cloudflare-ddns/tasks/main.yml
new file mode 100644
index 0000000..d655684
--- /dev/null
+++ b/roles/cloudflare-ddns/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- include_vars: defaults.yml
+# TODO: Configure ZSH correctly by reasusing the zsh role by running the commands as the new user.
+# see: https://serverfault.com/questions/662443/running-ansible-task-as-a-specific-user
+- name: Create a new user
+ ansible.builtin.include_role:
+ name: singleplatform-eng.users
+ apply:
+ become: true
+ vars:
+ users:
+ - username: cloudflare_ddns
+ name: '-'
+ password: "{{ cloudflare_ddns_user_password_hash }}"
diff --git a/roles/cloudflare-ddns/templates/ddns_config.ini.j2 b/roles/cloudflare-ddns/templates/ddns_config.ini.j2
new file mode 100644
index 0000000..b58caea
--- /dev/null
+++ b/roles/cloudflare-ddns/templates/ddns_config.ini.j2
@@ -0,0 +1,6 @@
+[credentials]
+dns_cloudflare_token = {{ dns_cloudflare_token }}
+
+[log_changes]
+# TODO: Update this...
+log_path = /home/thomas/repositories/raspberry-pi-iac/ddns_update.log 
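Review bot: The `cloudflare_ddns` account created at the end of the tasks/main.yml hunk is a service account for an unattended DDNS updater, yet it is given a login password (`password: "{{ cloudflare_ddns_user_password_hash }}"`) and, through `users_default_shell: '/usr/bin/zsh'` in playbook.yml, an interactive shell. Neither is needed for a job that runs unattended; prefer a non-login shell for this user and no password, so the only way into the account is `sudo -u cloudflare_ddns` from an already-privileged session — check whether the role honours a per-user `shell:` override before relying on it (the `ssh_allow_users: 'thomas'` setting at least keeps the account off SSH). Nothing in this 14-line task file renders `templates/ddns_config.ini.j2` or installs the updater, so as committed the role only creates the user; if that is intentional, a comment saying so would help. Minor: `- include_vars: defaults.yml` has no `name:` and does not use the FQCN `ansible.builtin.include_vars` that the task below it uses for `include_role`.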
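Review bot: `dns_cloudflare_token = {{ dns_cloudflare_token }}` writes the Cloudflare API token to disk in cleartext, so whichever task eventually renders this template must set restrictive ownership and permissions — e.g. `owner: cloudflare_ddns`, `group: cloudflare_ddns`, `mode: '0600'` on the template task — or any local account on the Pi can read the token; no task in this commit renders the file yet. Scoping that token to DNS-edit on the single zone rather than using a broader key is outside what the template can enforce, but is worth a line in the README. `log_path` points under `/home/thomas/...`, which the `cloudflare_ddns` account presumably cannot write to; the TODO acknowledges it, and a path under that user's own home or `/var/log` would remove the cross-user dependency.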
diff --git a/roles/cloudflare-ddns/vars/defaults.yml b/roles/cloudflare-ddns/vars/defaults.yml
new file mode 100644
index 0000000..4a9ecb6
--- /dev/null
+++ b/roles/cloudflare-ddns/vars/defaults.yml
@@ -0,0 +1,13 @@
+$ANSIBLE_VAULT;1.1;AES256
+38343230616338653130383466333361323362326431303133616166373864333766366263613134
+6533376165613166646366396366646663383937303835650a343134336239613266643931393766
+62613963313431626564616239333531643361653739396363343362313035646561656239656366
+6462636435353931350a626132313565636666653839653839666465363262663365643264383331
+31316338313262636263346339653030363831643133643837333666383363616331653432326164
+36383561393561643439363931343532626335363937303432653938633439663435666234646533
+63653730633333626430656663636130663962643765303236343763383965643535653566633766
+39323166633933646162633032336335386265386237383133653865343435386530386139613061
+33343738643736306630326235313730303661333431376238363334313463363734383730343638
+65303365343433326630323066376132376465333965343930363066363561663530306261303961
+37626233623762353632653039353231623432316232323831343262343731353533343863326135
+36313836646130333431
diff --git a/vault.yml b/vault.yml
index cdaa296..5a5f83a 100644
--- a/vault.yml
+++ b/vault.yml
@@ -1,8 +1,12 @@
 $ANSIBLE_VAULT;1.1;AES256
-62623739323861346233393436396635393933303232646636383335663033623863646637383762
-6466613363613136626237383830373535336138643539660a313731313738636133646236386237
-64346565353630393639653766386137386132633362336432633664383165663665363562626131
-3337646464383465330a666638373130353234353532333830353265643063313365616361333834
-37656661343561303564383963656532633364303863616234633437346338653563623030393065
-36336630636133393831363361396239353761653039316533613239633234326161616663636335
-323335343265396264356563373664643264
+35363131353033623862663935613138653762333339653537663562383437303061613535313739
+6162393830346534363031363832333261343334643236370a626166613738336563383765363134
+64656532393433623434323861303531393231383939613036306231343965646262666330336165
+3863303932663731340a303138316666333733363161653061316235326361343465366231663665
+32646236653532333231666261616661366665303236356261316535333138336633306562356130
+64353064373061663537626439346631383838666233323932643562323533396364613063333431
+66323338646262396432366433373366613564656230333432373762306461363234636365646532
+65303161346464313964643036646539356664326261616362333336666265613435383630356164
+66326631373538333739376165393333393833636164626138643762623763396338623038623863
+30663431343438613062386235646265663262636533653034333434663162363031396135326361
+303937623733336261653636623061306632