Add user creation for ddns script

2024-04-10 20:09:34 +02:00 · 2024-04-10 20:09:34 +02:00 · fb017565f4
commit fb017565f4
parent f29cd352bd
8 changed files with 71 additions and 7 deletions
--- a/README.md
+++ b/README.md
@ -51,3 +51,24 @@ It's possible to connect to the Raspberry Pi from the internal network via eithe
 When logged in the user will be prompted with the **zsh** configured with **[Oh My Zsh](https://ohmyz.sh)** and **[Starhip](https://starship.rs) prompts**.

 ![zsh](./images/zsh.png)
+
+## Other
+### Creating users with the `singleplatform-eng.users` role
+See the documentation [here](https://galaxy.ansible.com/ui/standalone/roles/singleplatform-eng/users/documentation/). The `password` setting for users states that a hash should be provided.
+This hash should be stored within an ansible vault and can be generated with the following command:
+
+```bash
+# Enter the password after which the hash will be printed
+mkpasswd -m sha512crypt
+```
+
+Logging into the new user's account can be done as follows (for testing and debugging):
+
+```bash
+# Enter both the username and password
+sudo login
+```
+
+This is verified to be working:
+
+![new users](./images/login_success.png)
--- a/images/login_success.png
+++ b/images/login_success.png
--- a/playbook.yml
+++ b/playbook.yml
@ -15,6 +15,7 @@
    #   become: true
    # - role: zsh
    - role: pi-hole
+    - role: cloudflare-ddns
  vars:
    # devsec.hardening.os_hardening vars:
    os_auth_pw_max_age: 99999 # Effectively disables the setting as mentioned in the docs.
@ -25,6 +26,8 @@
    ssh_allow_users: 'thomas'
    ssh_client_port: 22 # Default, but duplicated here for documentation purpose. Not changed because its only accessible via LAN.
    ssh_client_password_login: false # Default, but duplicated here for documentation purpose.
+    # Default for the "singleplatform-eng.users" role.
+    users_default_shell: '/usr/bin/zsh'
  tasks:
    # This task can be handy for debugging gathered facts, uncomment it if necessary:
    # - name: Store gathered facts in local file
--- a/requirements.yml
+++ b/requirements.yml
@ -4,3 +4,6 @@ collections:
  # See: https://galaxy.ansible.com/ui/repo/published/devsec/hardening/
  - name: devsec.hardening
    version: 9.0.1
+roles:
+  - name: singleplatform-eng.users
+    version: v1.2.6
--- a/roles/cloudflare-ddns/tasks/main.yml
+++ b/roles/cloudflare-ddns/tasks/main.yml
@ -0,0 +1,14 @@
+---
+- include_vars: defaults.yml
+# TODO: Configure ZSH correctly by reasusing the zsh role by running the commands as the new user.
+#       see: https://serverfault.com/questions/662443/running-ansible-task-as-a-specific-user
+- name: Create a new user
+  ansible.builtin.include_role:
+    name: singleplatform-eng.users
+    apply:
+      become: true
+  vars:
+    users:
+      - username: cloudflare_ddns
+        name: '-'
+        password: "{{ cloudflare_ddns_user_password_hash }}"
--- a/roles/cloudflare-ddns/templates/ddns_config.ini.j2
+++ b/roles/cloudflare-ddns/templates/ddns_config.ini.j2
@ -0,0 +1,6 @@
+[credentials]
+dns_cloudflare_token = {{ dns_cloudflare_token }}
+
+[log_changes]
+# TODO: Update this...
+log_path = /home/thomas/repositories/raspberry-pi-iac/ddns_update.log
--- a/roles/cloudflare-ddns/vars/defaults.yml
+++ b/roles/cloudflare-ddns/vars/defaults.yml
@ -0,0 +1,13 @@
+$ANSIBLE_VAULT;1.1;AES256
+38343230616338653130383466333361323362326431303133616166373864333766366263613134
+6533376165613166646366396366646663383937303835650a343134336239613266643931393766
+62613963313431626564616239333531643361653739396363343362313035646561656239656366
+6462636435353931350a626132313565636666653839653839666465363262663365643264383331
+31316338313262636263346339653030363831643133643837333666383363616331653432326164
+36383561393561643439363931343532626335363937303432653938633439663435666234646533
+63653730633333626430656663636130663962643765303236343763383965643535653566633766
+39323166633933646162633032336335386265386237383133653865343435386530386139613061
+33343738643736306630326235313730303661333431376238363334313463363734383730343638
+65303365343433326630323066376132376465333965343930363066363561663530306261303961
+37626233623762353632653039353231623432316232323831343262343731353533343863326135
+36313836646130333431
--- a/vault.yml
+++ b/vault.yml
@ -1,8 +1,12 @@
 $ANSIBLE_VAULT;1.1;AES256
-62623739323861346233393436396635393933303232646636383335663033623863646637383762
-6466613363613136626237383830373535336138643539660a313731313738636133646236386237
-64346565353630393639653766386137386132633362336432633664383165663665363562626131
-3337646464383465330a666638373130353234353532333830353265643063313365616361333834
-37656661343561303564383963656532633364303863616234633437346338653563623030393065
-36336630636133393831363361396239353761653039316533613239633234326161616663636335
-323335343265396264356563373664643264
+35363131353033623862663935613138653762333339653537663562383437303061613535313739
+6162393830346534363031363832333261343334643236370a626166613738336563383765363134
+64656532393433623434323861303531393231383939613036306231343965646262666330336165
+3863303932663731340a303138316666333733363161653061316235326361343465366231663665
+32646236653532333231666261616661366665303236356261316535333138336633306562356130
+64353064373061663537626439346631383838666233323932643562323533396364613063333431
+66323338646262396432366433373366613564656230333432373762306461363234636365646532
+65303161346464313964643036646539356664326261616362333336666265613435383630356164
+66326631373538333739376165393333393833636164626138643762623763396338623038623863
+30663431343438613062386235646265663262636533653034333434663162363031396135326361
+303937623733336261653636623061306632