Ansible role to provision a management user for manual operations, on debian-based systems. https://ednz.fr
Bertrand Lanson ee0ec67961
feat(core): change namespace
2024-02-05 22:51:23 +01:00

provision_management_user

This repository is only a mirror. Development and testing are done on a private GitLab server.

This role configures the management user on debian-based distributions.

Requirements

None.

Role Variables

Available variables are listed below, along with their default values. A sample file containing the defaults is available at defaults/provision_management_user.yml.sample in case you need it as a starting point for a group_vars or host_vars configuration.

provision_management_user_name: ansible # by default, set to ansible

This variable sets the name to configure for the service account.

provision_management_user_group: ansible # by default, set to ansible

This variable sets the primary group to configure for the service account.

provision_management_user_password: "*" # by default, set to *

This variable sets the password of the account. By default it is set to "*", which means password authentication is disabled for the account (the shadow field holds no valid hash).

provision_management_user_is_system: true # by default, set to true

This variable describes whether the account should be a system user or not. The default (and recommended) value is true.

provision_management_user_home: /opt/{{ provision_management_user_name }} # by default, set to /opt/{{ provision_management_user_name }}

This variable sets the home directory of the service account. By default the home of the account is created under /opt/.

provision_management_user_shell: /bin/bash # by default, set to /bin/bash

This variable sets the shell to be used by the account. Defaults to bash.

provision_management_user_sudoer: false # by default, set to false

This variable defines whether the user should be granted root privileges through sudo. For security reasons this defaults to false, but it should probably be true in a real-world scenario, since the account is meant for management operations.

provision_management_user_add_ssh_key: false # by default, set to false

This variable defines whether an ssh public key should be added to the authorized_keys file of the user. It defaults to false because there is no "default" ssh key. In practice it should be set to true and a key passed to the role.

provision_management_user_ssh_key: # by default, not set

This variable contains the ssh public key that ansible will use to log in to the service account. It defaults to None, but should be set by the operator, and preferably kept out of plain-text inventory files, for instance in a vault (see examples).

provision_management_user_ssh_key_options: "" # by default, set to ""

This variable sets the optional ssh key options (for example a from= restriction or no-port-forwarding) to add in front of the key in the authorized_keys file. Defaults to no options.

provision_management_user_ssh_key_exclusive: true # by default, set to true

This variable defines whether the ssh public key passed above should be the only key allowed to log into this account; any other key already present in authorized_keys is removed. For security reasons, it is recommended that this stays set to true.

Dependencies

None.

Example Playbook

# calling the role inside a playbook with either the default or group_vars/host_vars
- hosts: servers
  roles:
    - ednz_cloud.provision_management_user
# calling the role inside a playbook with just-in-time provisioning of the ssh public key, and vault storage
- hosts: servers
  tasks:
    - name: "Dynamic ssh keys generation"
      delegate_to: localhost
      block:
        - name: "Generate a keypair for {{ ansible_hostname }}"
          community.crypto.openssh_keypair:
            path: "/tmp/id_ed25519_{{ ansible_hostname }}"
            type: ed25519
            owner: root
            group: root
          delegate_to: localhost
          register: _keypair

        - name: "Write the private and public key to vault"
          community.hashi_vault.vault_write:
            url: https://vault.domain.tld
            path: "ansible/hosts/{{ inventory_hostname }}"
            data:
              private_key: "{{ lookup('ansible.builtin.file', '/tmp/id_ed25519_' ~ ansible_hostname ) }}\n"
              public_key: "{{ _keypair.public_key }}"
          delegate_to: localhost

        - name: "Remove private_key files"
          ansible.builtin.file:
            path: "/tmp/id_ed25519_{{ ansible_hostname }}"
            state: absent
          delegate_to: localhost

    - name: "Provision ansible user"
      ansible.builtin.include_role:
        name: ednz_cloud.provision_management_user
      vars:
        provision_management_user_add_ssh_key: true
        provision_management_user_ssh_key: "{{ _keypair.public_key }}"
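Added example, not part of the role: a post-provisioning audit that checks a managed host against the variables documented above and the key provisioned by the playbook (system UID, home, shell, password "*", exactly one authorized key carrying the expected options). The /etc/passwd, /etc/shadow and authorized_keys contents, the key blob and the from=/no-port-forwarding options are constructed sample values.

```python
import re
# Constructed sample host state after the role ran with name=ansible, is_system=true,
# home=/opt/ansible, shell=/bin/bash, password="*", one exclusive key with options.
SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotARealKey0000000 ansible@ctl"
PASSWD = "ansible:x:998:998::/opt/ansible:/bin/bash\n"
SHADOW = "ansible:*:19700:0:99999:7:::\n"
AUTHORIZED_KEYS = 'from="10.0.0.0/8",no-port-forwarding ' + SAMPLE_KEY + "\n"
# Expected values, mirroring the role variables documented above (constructed).
EXPECTED = {"name": "ansible", "is_system": True, "home": "/opt/ansible", "shell": "/bin/bash",
            "password": "*", "ssh_key": SAMPLE_KEY, "ssh_key_exclusive": True,
            "ssh_key_options": 'from="10.0.0.0/8",no-port-forwarding'}
KEY_RE = re.compile(r"(?:^|\s)(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+)\s+(\S+)(?:\s+(.*))?$")

def parse_authorized_keys(text):
    """Parse authorized_keys into dicts; the options field may contain quoted spaces."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = KEY_RE.search(line)
        if not line or line.startswith("#") or m is None:
            continue  # blank, comment, or a line we do not understand: skipped, not guessed
        entries.append({"options": line[:m.start()].strip(), "type": m.group(1),
                        "blob": m.group(2), "comment": m.group(3) or ""})
    return entries

def _entry(db, user):  # the colon-separated record for `user` in a passwd/shadow-style file
    return next((l.split(":") for l in db.splitlines() if l.startswith(user + ":")), None)

def audit(passwd, shadow, authorized_keys, expected):
    """Return findings; an empty list means the host matches the documented variables."""
    findings, user = [], expected["name"]
    pw = _entry(passwd, user)
    if pw is None:
        return [f"{user}: no passwd entry"]
    if expected["is_system"] and int(pw[2]) >= 1000:  # Debian system accounts have UIDs < 1000
        findings.append(f"uid {pw[2]} is not in the system range")
    for field, got in (("home", pw[5]), ("shell", pw[6])):
        if got != expected[field]:
            findings.append(f"{field} is {got}, expected {expected[field]}")
    sh = _entry(shadow, user)
    if expected["password"] == "*" and (sh is None or sh[1] != "*"):
        findings.append("shadow password field is not '*': password login is not disabled")
    keys = parse_authorized_keys(authorized_keys)
    match = [k for k in keys if k["blob"] == expected["ssh_key"].split()[1]]
    if not match:
        findings.append("expected public key is not in authorized_keys")
    elif match[0]["options"] != expected["ssh_key_options"]:
        findings.append(f"key options are '{match[0]['options']}', expected '{expected['ssh_key_options']}'")
    if expected["ssh_key_exclusive"] and len(keys) != 1:
        findings.append(f"{len(keys)} keys present but ssh_key_exclusive=true expects exactly one")
    return findings
```

On a real host, read the three files over ssh (or from a Molecule verify step) and feed them to audit() with the values you passed to the role.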

License

MIT / BSD

Author Information

This role was created by Bertrand Lanson in 2023.