This commit is contained in:
Bertrand Lanson 2023-05-08 21:44:01 +02:00
parent 1efe2a9896
commit a499c468bb
15 changed files with 328 additions and 77 deletions

8
.ansible-lint Normal file
View File

@ -0,0 +1,8 @@
---
warn_list:
- experimental # all rules tagged as experimental
- yaml # violations reported by yamllint
- meta-no-info
skip_list:
- jinja[spacing] # Rule that looks inside jinja2 templates.

2
.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
# ignore molecule/testinfra pycache
**/__pycache__

40
.yamllint Normal file
View File

@ -0,0 +1,40 @@
---
# Based on ansible-lint config
extends: default
rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
colons:
max-spaces-after: -1
level: error
commas:
max-spaces-after: -1
level: error
comments: enable
comments-indentation: disable
document-start: enable
empty-lines:
max: 3
level: error
hyphens:
level: error
indentation: enable
key-duplicates: enable
line-length:
max: 80
level: warning
new-line-at-end-of-file: enable
new-lines:
type: unix
trailing-spaces: enable
truthy:
allowed-values:
- 'true'
- 'false'
- 'yes'
- 'no'

20
LICENSE Normal file
View File

@ -0,0 +1,20 @@
The MIT License (MIT)
Copyright (c) 2017 Jeff Geerling
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

195
README.md
View File

@ -1,92 +1,133 @@
# provision_management_user Provision ansible user
=========
> This repository is only a mirror. Development and testing is done on a private gitlab server.
This role configures the ansible service user on **debian-based** distributions.
Requirements
------------
## Getting started None.
To make it easy for you to get started with GitLab, here's a list of recommended next steps. Role Variables
--------------
Already a pro? Just edit this README.md and make it your own. Want to make it easy? [Use the template at the bottom](#editing-this-readme)! Available variables are listed below, along with default values. A sample file for the default values is available in `default/provision_ansible_user.yml.sample` in case you need it for any `group_vars` or `host_vars` configuration.
## Add your files
- [ ] [Create](https://docs.gitlab.com/ee/user/project/repository/web_editor.html#create-a-file) or [upload](https://docs.gitlab.com/ee/user/project/repository/web_editor.html#upload-a-file) files
- [ ] [Add files using the command line](https://docs.gitlab.com/ee/gitlab-basics/add-file.html#add-a-file-using-the-command-line) or push an existing Git repository with the following command:
```yaml
provision_ansible_user_name: ansible # by default, set to ansible
``` ```
cd existing_repo This variable sets the name to configure for the service account.
git remote add origin https://gitlab.ednz.fr/homelab/ansible-resources/roles/provision_management_user.git
git branch -M main ```yaml
git push -uf origin main provision_ansible_user_group: ansible # by default, set to ansible
```
This variable sets the primary group to configure for the service account.
```yaml
provision_ansible_user_password: "*" # by default, set to *
```
This variable sets the password of the account, by default, it is set to "*", which means password authentication is disabled.
```yaml
provision_ansible_user_is_system: true # by default, set to true
```
This variable describe whether the account should be a system user or not. Default (and recommended) is `true`.
```yaml
provision_ansible_user_home: /opt/{{ provision_ansible_user_name }} # by default, set to /opt/{{ provision_ansible_user_name }}
```
This variable sets the home for the service account. By default the home of the account is set in /opt/.
```yaml
provision_ansible_user_shell: /bin/bash # by default, set to /bin/bash
```
This variable sets the shell to be used by the account. Defaults to bash.
```yaml
provision_ansible_user_sudoer: false # by default, set to false
```
This variable defines if the user should be root. For security reasons, this defaults to `false`, but should probably be `true` in a real world scenario.
```yaml
provision_ansible_user_add_ssh_key: false # by default, set to false
```
This variable defines if ssh_keys should be added to the authroized_keys file for the user. Defaults to `false` because there is no "default" ssh_key. This should be set to true and a key passed to the role.
```yaml
provision_ansible_user_ssh_key: # by default, not set
```
This variable contains the ssh public key to use by ansible to log in the service account. Defaults to `None`, but should be set by the operator, and preferably obfuscated (see examples).
```yaml
provision_ansible_user_ssh_key_options: "" # by default, set to ""
```
This variable sets the potential ssh options to add in the authorized_keys file. Default to no options.
```yaml
provision_ansible_user_ssh_key_exclusive: true # by default, set to true
```
This variable defines if the ssh public key passed above should be the only key to log into this account. For security reasons, it is recommended that this gets set to `true`.
Dependencies
------------
None.
Example Playbook
----------------
```yaml
# calling the role inside a playbook with either the default or group_vars/host_vars
- hosts: servers
roles:
- ednxzu.provision_ansible_user
``` ```
## Integrate with your tools ```yaml
# calling the role inside a playbook with just-in-time provisioning of the ssh public key, and vault storage
- hosts: servers
tasks:
- name: "Dynamic ssh keys generation"
delegate_to: localhost
block:
- name: "Generate a keypair for {{ ansible_hostname }}"
community.crypto.openssh_keypair:
path: "/tmp/id_ed25519_{{ ansible_hostname }}"
type: ed25519
owner: root
group: root
delegate_to: localhost
register: _keypair
- [ ] [Set up project integrations](https://gitlab.ednz.fr/homelab/ansible-resources/roles/provision_management_user/-/settings/integrations) - name: "Write the private and public key to vault"
community.hashi_vault.vault_write:
url: https://vault.domain.tld
path: "ansible/hosts/{{ inventory_hostname }}"
data:
private_key: "{{ lookup('ansible.builtin.file', '/tmp/id_ed25519_' ~ ansible_hostname ) }}\n"
public_key: "{{ _keypair.public_key }}"
delegate_to: localhost
## Collaborate with your team - name: "Remove private_key files"
ansible.builtin.file:
path: "/tmp/id_ed25519_{{ ansible_hostname }}"
state: absent
delegate_to: localhost
- [ ] [Invite team members and collaborators](https://docs.gitlab.com/ee/user/project/members/) - name: "Provision ansible user"
- [ ] [Create a new merge request](https://docs.gitlab.com/ee/user/project/merge_requests/creating_merge_requests.html) ansible.builtin.include_role:
- [ ] [Automatically close issues from merge requests](https://docs.gitlab.com/ee/user/project/issues/managing_issues.html#closing-issues-automatically) name: ednxzu.provision_ansible_user
- [ ] [Enable merge request approvals](https://docs.gitlab.com/ee/user/project/merge_requests/approvals/) vars:
- [ ] [Automatically merge when pipeline succeeds](https://docs.gitlab.com/ee/user/project/merge_requests/merge_when_pipeline_succeeds.html) provision_ansible_user_add_ssh_key: true
provision_ansible_user_ssh_key: "{{ _keypair.public_key }}"
```
## Test and Deploy License
-------
Use the built-in continuous integration in GitLab. MIT / BSD
- [ ] [Get started with GitLab CI/CD](https://docs.gitlab.com/ee/ci/quick_start/index.html) Author Information
- [ ] [Analyze your code for known vulnerabilities with Static Application Security Testing(SAST)](https://docs.gitlab.com/ee/user/application_security/sast/) ------------------
- [ ] [Deploy to Kubernetes, Amazon EC2, or Amazon ECS using Auto Deploy](https://docs.gitlab.com/ee/topics/autodevops/requirements.html)
- [ ] [Use pull-based deployments for improved Kubernetes management](https://docs.gitlab.com/ee/user/clusters/agent/)
- [ ] [Set up protected environments](https://docs.gitlab.com/ee/ci/environments/protected_environments.html)
*** This role was created by Bertrand Lanson in 2023.
# Editing this README
When you're ready to make this README your own, just edit this file and use the handy template below (or feel free to structure it however you want - this is just a starting point!). Thank you to [makeareadme.com](https://www.makeareadme.com/) for this template.
## Suggestions for a good README
Every project is different, so consider which of these sections apply to yours. The sections used in the template are suggestions for most open source projects. Also keep in mind that while a README can be too long and detailed, too long is better than too short. If you think your README is too long, consider utilizing another form of documentation rather than cutting out information.
## Name
Choose a self-explaining name for your project.
## Description
Let people know what your project can do specifically. Provide context and add a link to any reference visitors might be unfamiliar with. A list of Features or a Background subsection can also be added here. If there are alternatives to your project, this is a good place to list differentiating factors.
## Badges
On some READMEs, you may see small images that convey metadata, such as whether or not all the tests are passing for the project. You can use Shields to add some to your README. Many services also have instructions for adding a badge.
## Visuals
Depending on what you are making, it can be a good idea to include screenshots or even a video (you'll frequently see GIFs rather than actual videos). Tools like ttygif can help, but check out Asciinema for a more sophisticated method.
## Installation
Within a particular ecosystem, there may be a common way of installing things, such as using Yarn, NuGet, or Homebrew. However, consider the possibility that whoever is reading your README is a novice and would like more guidance. Listing specific steps helps remove ambiguity and gets people to using your project as quickly as possible. If it only runs in a specific context like a particular programming language version or operating system or has dependencies that have to be installed manually, also add a Requirements subsection.
## Usage
Use examples liberally, and show the expected output if you can. It's helpful to have inline the smallest example of usage that you can demonstrate, while providing links to more sophisticated examples if they are too long to reasonably include in the README.
## Support
Tell people where they can go to for help. It can be any combination of an issue tracker, a chat room, an email address, etc.
## Roadmap
If you have ideas for releases in the future, it is a good idea to list them in the README.
## Contributing
State if you are open to contributions and what your requirements are for accepting them.
For people who want to make changes to your project, it's helpful to have some documentation on how to get started. Perhaps there is a script that they should run or some environment variables that they need to set. Make these steps explicit. These instructions could also be useful to your future self.
You can also document commands to lint the code or run tests. These steps help to ensure high code quality and reduce the likelihood that the changes inadvertently break something. Having instructions for running tests is especially helpful if it requires external setup, such as starting a Selenium server for testing in a browser.
## Authors and acknowledgment
Show your appreciation to those who have contributed to the project.
## License
For open source projects, say how it is licensed.
## Project status
If you have run out of energy or time for your project, put a note at the top of the README saying that development has slowed down or stopped completely. Someone may choose to fork your project or volunteer to step in as a maintainer or owner, allowing your project to keep going. You can also make an explicit request for maintainers.

2
defaults/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# defaults file for provision_management_user

2
handlers/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# handlers file for provision_management_user

53
meta/main.yml Normal file
View File

@ -0,0 +1,53 @@
galaxy_info:
author: your name
namespace: ednxzu
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

View File

@ -0,0 +1,7 @@
---
- name: Converge
hosts: all
tasks:
- name: "Include ednxzu.provision_management_user"
ansible.builtin.include_role:
name: "ednxzu.provision_management_user"

View File

@ -0,0 +1,37 @@
---
dependency:
name: galaxy
options:
requirements-file: ./requirements.yml
driver:
name: docker
platforms:
- name: instance
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup
cgroupns_mode: host
privileged: true
pre_build_image: true
provisioner:
name: ansible
config_options:
defaults:
remote_tmp: /tmp/.ansible
verifier:
name: testinfra
scenario:
name: default
test_sequence:
- dependency
- cleanup
- destroy
- syntax
- create
- prepare
- converge
- idempotence
- verify
- cleanup
- destroy

View File

@ -0,0 +1,3 @@
---
# requirements file for molecule
roles: []

View File

@ -0,0 +1,22 @@
"""PyTest Fixtures."""
import os
import pytest
def pytest_runtest_setup(item):
"""Run tests only when under molecule with testinfra installed."""
try:
import testinfra
except ImportError:
pytest.skip("Test requires testinfra", allow_module_level=True)
if "MOLECULE_INVENTORY_FILE" in os.environ:
pytest.testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"],
).get_hosts("all")
else:
pytest.skip(
"Test should run only from inside molecule.",
allow_module_level=True,
)

View File

@ -0,0 +1,10 @@
"""Role testing files using testinfra."""
def test_hosts_file(host):
"""Validate /etc/hosts file."""
f = host.file("/etc/hosts")
assert f.exists
assert f.user == "root"
assert f.group == "root"

2
tasks/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# task/main file for provision_management_user

2
vars/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# vars file for provision_management_user