Provision management user
=========
> This repository is only a mirror. Development and testing is done on a private gitlab server.
This role configures the management (service) user that Ansible connects as on **Debian-based** distributions.
Requirements
------------
None.
Role Variables
--------------
Available variables are listed below, along with default values. A sample file for the default values is available in `default/provision_management_user.yml.sample` in case you need it for any `group_vars` or `host_vars` configuration.
```yaml
provision_management_user_name: ansible # by default, set to ansible
```
This variable sets the name to configure for the service account.
```yaml
provision_management_user_group: ansible # by default, set to ansible
```
This variable sets the primary group to configure for the service account.
```yaml
provision_management_user_password: "*" # by default, set to *
```
This variable sets the password hash of the account. By default it is `*`, which no password can ever hash to, so password authentication (console login, `su`, SSH password login) is impossible while key-based SSH login still works. The value is written verbatim into the shadow file as the hash, so never put a plaintext password here; if a real password is needed, pass it pre-hashed (for example through the `password_hash('sha512')` filter).
```yaml
provision_management_user_is_system: true # by default, set to true
```
This variable describes whether the account should be created as a system user (UID allocated from the system range, no password aging) or as a regular user. The default, and the recommended setting, is `true`.
```yaml
provision_management_user_home: /opt/{{ provision_management_user_name }} # by default, set to /opt/{{ provision_management_user_name }}
```
This variable sets the home directory of the service account. By default it lives under `/opt/`, named after the account, rather than under `/home/`.
```yaml
provision_management_user_shell: /bin/bash # by default, set to /bin/bash
```
This variable sets the shell to be used by the account. Defaults to bash.
```yaml
provision_management_user_sudoer: false # by default, set to false
```
This variable defines whether the account is granted sudo privileges (it is not made root; it stays a separate account that can escalate). It defaults to `false` for safety, but a management account that Ansible uses for `become` will usually need it set to `true`.
```yaml
provision_management_user_add_ssh_key: false # by default, set to false
```
This variable defines whether an SSH public key should be added to the account's `authorized_keys` file. It defaults to `false` because there is no sensible default key; in practice set it to `true` and pass the key through `provision_management_user_ssh_key`.
```yaml
provision_management_user_ssh_key: # by default, not set
```
This variable holds the SSH public key that Ansible will use to log in to the service account. It is unset by default and must be supplied by the operator. The public key itself is not secret, but the matching private key is: keep it out of the inventory and in a secret store such as Vault (see the examples).
```yaml
provision_management_user_ssh_key_options: "" # by default, set to ""
```
This variable sets the options prepended to the key in the `authorized_keys` file, in the syntax documented in `sshd(8)` (for example `from="10.0.0.5",restrict` to accept the key only from the controller and without forwarding). Defaults to no options.
```yaml
provision_management_user_ssh_key_exclusive: true # by default, set to true
```
This variable defines whether the public key passed above should be the only key allowed to log in to this account. When `true`, any other entry already present in `authorized_keys` is removed, so a stale or manually added key cannot survive a run; for that reason it is recommended to keep it `true`.
Dependencies
------------
None.
Example Playbook
----------------
```yaml
# calling the role inside a playbook with either the default or group_vars/host_vars
- hosts: servers
  roles:
    - ednxzu.provision_management_user
```
```yaml
# calling the role inside a playbook with just-in-time provisioning of the ssh public key, and vault storage
- hosts: servers
  tasks:
    - name: "Dynamic ssh keys generation"
      delegate_to: localhost
      block:
        # The keypair is generated on the controller, never on the managed host.
        - name: "Generate a keypair for {{ ansible_hostname }}"
          community.crypto.openssh_keypair:
            path: "/tmp/id_ed25519_{{ ansible_hostname }}"
            type: ed25519
            owner: root
            group: root
          delegate_to: localhost
          register: _keypair
        # Both halves go to Vault; only the public half is sent to the host.
        - name: "Write the private and public key to vault"
          community.hashi_vault.vault_write:
            url: https://vault.domain.tld
            path: "ansible/hosts/{{ inventory_hostname }}"
            data:
              private_key: "{{ lookup('ansible.builtin.file', '/tmp/id_ed25519_' ~ ansible_hostname ) }}\n"
              public_key: "{{ _keypair.public_key }}"
          delegate_to: localhost
        # Do not leave the private key lying around on the controller.
        - name: "Remove private_key files"
          ansible.builtin.file:
            path: "/tmp/id_ed25519_{{ ansible_hostname }}"
            state: absent
          delegate_to: localhost
    - name: "Provision ansible user"
      ansible.builtin.include_role:
        name: ednxzu.provision_management_user
      vars:
        provision_management_user_add_ssh_key: true
        provision_management_user_ssh_key: "{{ _keypair.public_key }}"
```
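The playbook below is an added example, not code from the role or its author. It invokes the role with the settings a practitioner would typically combine (sudo enabled, an exclusive key restricted to the controller with `authorized_keys` options) and then checks on the host that the account really ended up in that state. The controller address `10.0.0.5`, the placeholder public key, and the assumption that the key lands in `<home>/.ssh/authorized_keys` (the default location used by the `authorized_key` module) are assumptions of this example; the variable names are the role's own, as documented above.

```yaml
# Added example (not part of the role): hardened invocation plus post-checks.
# Assumptions: controller connects from 10.0.0.5; the key below is a placeholder;
# the role writes the key to <home>/.ssh/authorized_keys; sudo is installed.
- hosts: servers
  become: true
  vars:
    provision_management_user_name: ansible
    provision_management_user_home: /opt/ansible
    provision_management_user_sudoer: true
    provision_management_user_add_ssh_key: true
    # Placeholder: replace with the controller's real public key.
    provision_management_user_ssh_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyReplaceMe ansible@controller"
    # Only accept this key from the controller; `restrict` disables agent/port
    # forwarding, X11 and pty, and `pty` re-enables the pty Ansible asks for.
    provision_management_user_ssh_key_options: 'from="10.0.0.5",restrict,pty'
    provision_management_user_ssh_key_exclusive: true
  roles:
    - ednxzu.provision_management_user
  post_tasks:
    - name: Read the account's shadow entry
      ansible.builtin.getent:
        database: shadow
        key: "{{ provision_management_user_name }}"

    - name: Password authentication must be disabled ('*' instead of a usable hash)
      ansible.builtin.assert:
        that:
          - ansible_facts.getent_shadow[provision_management_user_name][0] == '*'
        fail_msg: "{{ provision_management_user_name }} has a usable password hash"

    - name: Read the deployed authorized_keys
      ansible.builtin.slurp:
        src: "{{ provision_management_user_home }}/.ssh/authorized_keys"
      register: _authorized_keys

    - name: Exactly one key is present and it carries the restriction options
      vars:
        _lines: "{{ (_authorized_keys.content | b64decode).splitlines() | reject('equalto', '') | list }}"
      ansible.builtin.assert:
        that:
          - _lines | length == 1
          - "'from=\"10.0.0.5\"' in _lines[0]"
          - "'restrict' in _lines[0]"
        fail_msg: "unexpected authorized_keys content: {{ _lines }}"

    - name: List what the account may run through sudo
      ansible.builtin.command: "sudo -l -U {{ provision_management_user_name }}"
      changed_when: false
      register: _sudo_check

    - name: The account must be allowed to use sudo
      ansible.builtin.assert:
        that:
          - "'is not allowed to run sudo' not in _sudo_check.stdout"
        fail_msg: "{{ provision_management_user_name }} has no sudo rule"
```

Run it like any other play (`ansible-playbook -i inventory hardened.yml`). The `from=` option makes a leaked private key useless from anywhere but the controller, and `exclusive: true` makes each run a clean reset of the trusted keys, so a key added by hand or left over from a previous rotation is removed rather than silently kept.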
License
-------
MIT / BSD
Author Information
------------------
This role was created by Bertrand Lanson in 2023.