added tests, still not sure if this role should include more stuff
This commit is contained in:
parent
c81b770732
commit
6f48a19b0b
@ -1,8 +1,10 @@
|
|||||||
---
|
---
|
||||||
# defaults file for provision_ansible_user
|
# defaults file for provision_ansible_user
|
||||||
provision_ansible_user_name: ansible
|
provision_ansible_user_name: ansible
|
||||||
|
provision_ansible_user_group: ansible
|
||||||
provision_ansible_user_password: "*"
|
provision_ansible_user_password: "*"
|
||||||
provision_ansible_user_is_system: true
|
provision_ansible_user_is_system: true
|
||||||
|
provision_ansible_user_home: /opt/{{ provision_ansible_user_name }}
|
||||||
provision_ansible_user_shell: /bin/bash
|
provision_ansible_user_shell: /bin/bash
|
||||||
provision_ansible_user_sudoer: false
|
provision_ansible_user_sudoer: false
|
||||||
provision_ansible_user_add_ssh_key: false
|
provision_ansible_user_add_ssh_key: false
|
||||||
|
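Review bot: The new `provision_ansible_user_group` and `provision_ansible_user_home` defaults land without any comment, and none of the security-relevant knobs in this hunk is explained. Two short comments would help the next reader: `# "*" is not a valid crypt(3) hash, so password login stays disabled unless a real hash is supplied` above `provision_ansible_user_password`, and `# false keeps the account out of /etc/sudoers.d; the rule installed when true is NOPASSWD: ALL` above `provision_ansible_user_sudoer`. The add-ssh-key task elsewhere in this commit reads `provision_ansible_user_ssh_key`, `provision_ansible_user_ssh_key_options` and `provision_ansible_user_ssh_key_exclusive`, none of which appear in this hunk; if they are not defined further down the file, a run with `provision_ansible_user_add_ssh_key: true` presumably fails on an undefined variable rather than on a clear error.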
@ -1,3 +1,5 @@
|
|||||||
|
---
|
||||||
|
# meta file for provision_ansible_user
|
||||||
galaxy_info:
|
galaxy_info:
|
||||||
namespace: 'ednxzu'
|
namespace: 'ednxzu'
|
||||||
role_name: 'provision_ansible_user'
|
role_name: 'provision_ansible_user'
|
||||||
|
@ -3,8 +3,27 @@
|
|||||||
|
|
||||||
def test_hosts_file(host):
|
def test_hosts_file(host):
|
||||||
"""Validate /etc/hosts file."""
|
"""Validate /etc/hosts file."""
|
||||||
f = host.file("/etc/hosts")
|
etc_hosts = host.file("/etc/hosts")
|
||||||
|
assert etc_hosts.exists
|
||||||
|
assert etc_hosts.user == "root"
|
||||||
|
assert etc_hosts.group == "root"
|
||||||
|
|
||||||
assert f.exists
|
def test_ansible_user_group(host):
|
||||||
assert f.user == "root"
|
"""Validate consul user and group."""
|
||||||
assert f.group == "root"
|
ansible_group = host.group("ansible")
|
||||||
|
ansible_user = host.user("ansible")
|
||||||
|
assert ansible_group.exists
|
||||||
|
assert ansible_user.exists
|
||||||
|
assert ansible_user.group == "ansible"
|
||||||
|
assert ansible_user.shell == "/bin/bash"
|
||||||
|
|
||||||
|
def test_ansible_sudoer(host):
|
||||||
|
"""Validate that ansible user is not sudoer"""
|
||||||
|
etc_sudoers_d_ansible = host.file("/etc/sudoers.d/ansible")
|
||||||
|
assert not etc_sudoers_d_ansible.exists
|
||||||
|
|
||||||
|
|
||||||
|
def test_ansible_no_ssh(host):
|
||||||
|
"""Validate that ansible user has no authorized_keys"""
|
||||||
|
opt_ansible_authorized_keys = host.file("/opt/ansible/.ssh/authorized_keys")
|
||||||
|
assert not opt_ansible_authorized_keys.exists
|
||||||
|
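Review bot: The docstring of `test_ansible_user_group` reads `"""Validate consul user and group."""` although the test checks the ansible user, which looks copied from another role; the same line recurs in the second test file below. Change it to `"""Validate ansible user and group."""` in both places. The test also leaves the new `provision_ansible_user_home` default unchecked, while `test_ansible_no_ssh` already assumes it through the hard-coded `/opt/ansible/.ssh/authorized_keys` path; `assert ansible_user.home == "/opt/ansible"` next to the shell assertion would pin that down.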
@ -3,8 +3,34 @@
|
|||||||
|
|
||||||
def test_hosts_file(host):
|
def test_hosts_file(host):
|
||||||
"""Validate /etc/hosts file."""
|
"""Validate /etc/hosts file."""
|
||||||
f = host.file("/etc/hosts")
|
etc_hosts = host.file("/etc/hosts")
|
||||||
|
assert etc_hosts.exists
|
||||||
|
assert etc_hosts.user == "root"
|
||||||
|
assert etc_hosts.group == "root"
|
||||||
|
|
||||||
assert f.exists
|
def test_ansible_user_group(host):
|
||||||
assert f.user == "root"
|
"""Validate consul user and group."""
|
||||||
assert f.group == "root"
|
ansible_group = host.group("ansible")
|
||||||
|
ansible_user = host.user("ansible")
|
||||||
|
assert ansible_group.exists
|
||||||
|
assert ansible_user.exists
|
||||||
|
assert ansible_user.group == "ansible"
|
||||||
|
assert ansible_user.shell == "/bin/bash"
|
||||||
|
|
||||||
|
def test_ansible_sudoer(host):
|
||||||
|
"""Validate that ansible user is sudoer"""
|
||||||
|
etc_sudoers_d_ansible = host.file("/etc/sudoers.d/ansible")
|
||||||
|
assert etc_sudoers_d_ansible.exists
|
||||||
|
assert etc_sudoers_d_ansible.user == "root"
|
||||||
|
assert etc_sudoers_d_ansible.group == "root"
|
||||||
|
assert etc_sudoers_d_ansible.mode == 0o640
|
||||||
|
assert etc_sudoers_d_ansible.contains("ansible ALL=(ALL) NOPASSWD: ALL")
|
||||||
|
|
||||||
|
def test_ansible_ssh_authorized_keys(host):
|
||||||
|
"""Validate that ansible user has authorized_keys"""
|
||||||
|
opt_ansible_authorized_keys = host.file("/opt/ansible/.ssh/authorized_keys")
|
||||||
|
assert opt_ansible_authorized_keys.exists
|
||||||
|
assert opt_ansible_authorized_keys.user == "ansible"
|
||||||
|
assert opt_ansible_authorized_keys.group == "ansible"
|
||||||
|
assert opt_ansible_authorized_keys.mode == 0o600
|
||||||
|
assert opt_ansible_authorized_keys.contains("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClfmTk73wNNL2jwvhRUmUuy80JRrz3P7cEgXUqlc5O9 ansible@instance")
|
||||||
|
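Review bot: `test_ansible_sudoer` only greps the rule text, so a sudoers.d file that is syntactically broken still passes, and a broken file in that directory makes sudo refuse every invocation on the host. Add `assert host.run("visudo -cf /etc/sudoers.d/ansible").rc == 0` after the `contains` check so the test fails on a parse error. The asserted `0o640` mirrors the task's `mode: 0640`; sudo's documented mode for sudoers files is 0440, so if the task is tightened this assertion has to follow, and it may be worth pinning the stricter value here first.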
@ -4,6 +4,6 @@
|
|||||||
ansible.posix.authorized_key:
|
ansible.posix.authorized_key:
|
||||||
user: "{{ provision_ansible_user_name }}"
|
user: "{{ provision_ansible_user_name }}"
|
||||||
key: "{{ provision_ansible_user_ssh_key }}"
|
key: "{{ provision_ansible_user_ssh_key }}"
|
||||||
comment: "ansible@{{ ansible_hostname }}"
|
comment: "{{ provision_ansible_user_name }}@{{ ansible_hostname }}"
|
||||||
key_options: "{{ provision_ansible_user_ssh_key_options }}"
|
key_options: "{{ provision_ansible_user_ssh_key_options }}"
|
||||||
exclusive: "{{ provision_ansible_user_ssh_key_exclusive }}"
|
exclusive: "{{ provision_ansible_user_ssh_key_exclusive }}"
|
||||||
|
@ -1,11 +1,18 @@
|
|||||||
---
|
---
|
||||||
# task/create_user file for provision_ansible_user
|
# task/create_user file for provision_ansible_user
|
||||||
- name: "Create group {{ provision_ansible_user_group }}"
|
- name: "Create group {{ provision_ansible_user_group }}"
|
||||||
|
ansible.builtin.group:
|
||||||
|
name: "{{ provision_ansible_user_group }}"
|
||||||
|
state: present
|
||||||
|
system: "{{ provision_ansible_user_is_system }}"
|
||||||
|
|
||||||
- name: "Create user {{ provision_ansible_user_name }}"
|
- name: "Create user {{ provision_ansible_user_name }}"
|
||||||
ansible.builtin.user:
|
ansible.builtin.user:
|
||||||
name: "{{ provision_ansible_user_name }}"
|
name: "{{ provision_ansible_user_name }}"
|
||||||
comment: "Ansible service user"
|
comment: "Ansible service user"
|
||||||
password: "{{ provision_ansible_user_password }}"
|
password: "{{ provision_ansible_user_password }}"
|
||||||
|
group: "{{ provision_ansible_user_group }}"
|
||||||
|
home: "{{ provision_ansible_user_home }}"
|
||||||
shell: "{{ provision_ansible_user_shell }}"
|
shell: "{{ provision_ansible_user_shell }}"
|
||||||
system: "{{ provision_ansible_user_is_system }}"
|
system: "{{ provision_ansible_user_is_system }}"
|
||||||
create_home: true
|
create_home: true
|
||||||
@ -13,6 +20,8 @@
|
|||||||
- name: "Add user to sudoers"
|
- name: "Add user to sudoers"
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
dest: "/etc/sudoers.d/{{ provision_ansible_user_name }}"
|
dest: "/etc/sudoers.d/{{ provision_ansible_user_name }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
mode: 0640
|
mode: 0640
|
||||||
content: "{{ provision_ansible_user_name }} ALL=(ALL) NOPASSWD: ALL"
|
content: "{{ provision_ansible_user_name }} ALL=(ALL) NOPASSWD: ALL"
|
||||||
when: provision_ansible_user_sudoer
|
when: provision_ansible_user_sudoer
|
||||||
|
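Review bot: The copy task installs a `NOPASSWD: ALL` rule but never validates the file; any value of `provision_ansible_user_name` that sudoers cannot parse produces a parse error, and sudo then rejects every invocation on the host, not just this user's. Add `validate: /usr/sbin/visudo -cf %s` to the task so the content is syntax-checked before it is moved into place. The added `owner: root` / `group: root` lines are right, but `mode: 0640` is looser than the 0440 sudo documents for sudoers files; `mode: "0440"` (quoted, so the octal cannot be misread by a YAML 1.2 parser) would match the convention, with the corresponding test assertion updated alongside.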