diff --git a/handlers/main.yml b/handlers/main.yml index 7afcc90..24c5627 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -4,4 +4,5 @@ ansible.builtin.service: name: sshd state: restarted + become: true listen: "systemctl-restart-sshd" diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index 4387b02..cbd9747 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -48,6 +48,7 @@ ansible.builtin.stat: path: "/etc/sudoers.d/ubuntu" register: stat_etc_sudoers_d_ubuntu + become: true - name: "Verify file /etc/sudoers.d/ubuntu" ansible.builtin.assert: @@ -60,6 +61,7 @@ ansible.builtin.stat: path: "/home/ubuntu/.ssh/authorized_keys" register: stat_home_ubuntu_ssh_authorized_keys + become: true - name: "Verify file /home/ubuntu/.ssh/authorized_keys" ansible.builtin.assert: diff --git a/molecule/default_vagrant/converge.yml b/molecule/default_vagrant/converge.yml new file mode 100644 index 0000000..6bfdef7 --- /dev/null +++ b/molecule/default_vagrant/converge.yml @@ -0,0 +1,7 @@ +--- +- name: Converge + hosts: all + tasks: + - name: "Include ednxzu.provision_management_user" + ansible.builtin.include_role: + name: "ednxzu.provision_management_user" diff --git a/molecule/default_vagrant/molecule.yml b/molecule/default_vagrant/molecule.yml new file mode 100644 index 0000000..2b02360 --- /dev/null +++ b/molecule/default_vagrant/molecule.yml @@ -0,0 +1,35 @@ +--- +dependency: + name: galaxy + options: + requirements-file: ./requirements.yml +driver: + name: vagrant + provider: + name: libvirt +platforms: + - name: instance + box: generic/${MOLECULE_TEST_OS} + cpus: 4 + memory: 4096 +provisioner: + name: ansible + config_options: + defaults: + remote_tmp: /tmp/.ansible +verifier: + name: ansible +scenario: + name: default_vagrant + test_sequence: + - dependency + - cleanup + - destroy + - syntax + - create + - prepare + - converge + - idempotence + - verify + - cleanup + - destroy 
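Review bot: `remote_tmp: /tmp/.ansible` in the provisioner `config_options` moves Ansible's staging directory to a fixed, predictable path on a world-writable filesystem, and nothing in the file says why the default `~/.ansible/tmp` is unsuitable here. Ansible still creates per-run subdirectories under that path with restrictive permissions, so on a throwaway Vagrant box this is acceptable, but a future reader has nothing stopping them from copying the setting into a real inventory. A one-line comment above `remote_tmp`, e.g. `# test-only: shared staging dir so become:true tasks work on boxes whose home dir is not writable - do not reuse outside molecule`, would record the intent; the reason itself is my inference and should be confirmed. The identical block is duplicated in molecule/with_ssh_keys_vagrant/molecule.yml and would want the same comment.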
diff --git a/molecule/default_vagrant/requirements.yml b/molecule/default_vagrant/requirements.yml new file mode 100644 index 0000000..e9320f9 --- /dev/null +++ b/molecule/default_vagrant/requirements.yml @@ -0,0 +1,3 @@ +--- +# requirements file for molecule +roles: [] diff --git a/molecule/default_vagrant/verify.yml b/molecule/default_vagrant/verify.yml new file mode 100644 index 0000000..2a3d45f --- /dev/null +++ b/molecule/default_vagrant/verify.yml 
@@ -0,0 +1,73 @@ +--- +- name: Verify + hosts: all + gather_facts: true + tasks: + - name: "Test: file /etc/hosts" + block: + - name: "Stat file /etc/hosts" + ansible.builtin.stat: + path: "/etc/hosts" + register: stat_etc_hosts + + - name: "Verify file /etc/hosts" + vars: + etc_hosts_group: + ubuntu: "adm" + debian: "root" + ansible.builtin.assert: + that: + - stat_etc_hosts.stat.exists + - stat_etc_hosts.stat.isreg + - stat_etc_hosts.stat.pw_name == 'root' + - stat_etc_hosts.stat.gr_name == etc_hosts_group[(ansible_distribution|lower)] + + - name: "Test: ubuntu user and group" + block: + - name: "Getent user ansible" + ansible.builtin.getent: + database: passwd + key: ubuntu + register: ednxzu_management_user + + - name: "Getent group ubuntu" + ansible.builtin.getent: + database: group + key: ubuntu + register: ednxzu_management_group + + - name: "Verify ubuntu user and group" + ansible.builtin.assert: + that: + - not ednxzu_management_user.failed + - not ednxzu_management_group.failed + - "'ubuntu' in ednxzu_management_user.ansible_facts.getent_passwd.keys()" + - "'/home/ubuntu' in ednxzu_management_user.ansible_facts.getent_passwd['ubuntu']" + - "'/bin/bash' in ednxzu_management_user.ansible_facts.getent_passwd['ubuntu']" + - "'ubuntu' in ednxzu_management_group.ansible_facts.getent_group.keys()" + + - name: "Test: ubuntu sudo permissions" + block: + - name: "Stat file /etc/sudoers.d/ubuntu" + ansible.builtin.stat: + path: "/etc/sudoers.d/ubuntu" + register: stat_etc_sudoers_d_ubuntu + become: true + + - name: "Verify file /etc/sudoers.d/ubuntu" + ansible.builtin.assert: + that: + - not stat_etc_sudoers_d_ubuntu.stat.exists + + - name: "Test: ubuntu authorized_keys" + block: + - name: "Stat file /home/ubuntu/.ssh/authorized_keys" + ansible.builtin.stat: + path: "/home/ubuntu/.ssh/authorized_keys" + register: stat_home_ubuntu_ssh_authorized_keys + become: true + + - name: "Verify file /home/ubuntu/.ssh/authorized_keys" + ansible.builtin.assert: + that: + - not 
stat_home_ubuntu_ssh_authorized_keys.stat.exists diff --git a/molecule/with_ssh_keys/verify.yml b/molecule/with_ssh_keys/verify.yml index 1d8fc02..be88ff0 100644 --- a/molecule/with_ssh_keys/verify.yml +++ b/molecule/with_ssh_keys/verify.yml @@ -48,11 +48,13 @@ ansible.builtin.stat: path: "/etc/sudoers.d/ubuntu" register: stat_etc_sudoers_d_ubuntu + become: true - name: "Slurp file /etc/sudoers.d/ubuntu" ansible.builtin.slurp: src: "/etc/sudoers.d/ubuntu" register: slurp_etc_sudoers_d_ubuntu + become: true - name: "Verify file /etc/sudoers.d/ubuntu" ansible.builtin.assert: @@ -70,11 +72,13 @@ ansible.builtin.stat: path: "/home/ubuntu/.ssh/authorized_keys" register: stat_home_ubuntu_ssh_authorized_keys + become: true - name: "Slurp file /home/ubuntu/.ssh/authorized_keys" ansible.builtin.slurp: src: "/home/ubuntu/.ssh/authorized_keys" register: slurp_home_ubuntu_ssh_authorized_keys + become: true - name: "Verify file /home/ubuntu/.ssh/authorized_keys" ansible.builtin.assert: diff --git a/molecule/with_ssh_keys_vagrant/converge.yml b/molecule/with_ssh_keys_vagrant/converge.yml new file mode 100644 index 0000000..6bfdef7 --- /dev/null +++ b/molecule/with_ssh_keys_vagrant/converge.yml @@ -0,0 +1,7 @@ +--- +- name: Converge + hosts: all + tasks: + - name: "Include ednxzu.provision_management_user" + ansible.builtin.include_role: + name: "ednxzu.provision_management_user" diff --git a/molecule/with_ssh_keys_vagrant/group_vars/all.yml b/molecule/with_ssh_keys_vagrant/group_vars/all.yml new file mode 100644 index 0000000..2d59393 --- /dev/null +++ b/molecule/with_ssh_keys_vagrant/group_vars/all.yml 
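Review bot: The new verify playbook only asserts that `/etc/sudoers.d/ubuntu` and `/home/ubuntu/.ssh/authorized_keys` are absent; nothing checks the sshd configuration lines that tasks/configure_host.yml edits (the exact directives are outside this diff), so a regression in the root-hardening tasks would still pass this scenario. The role defaults for `provision_management_user_disable_root_login` and `..._disable_root_password_auth` are not in the diff either, so the expected values must come from defaults/main.yml; a `slurp` of the sshd config with `become: true` followed by an assert on the expected directive value would pin them. Separately, the task named `"Getent user ansible"` queries `key: ubuntu` - rename it to `"Getent user ubuntu"` to match the group task below it. The `etc_hosts_group[(ansible_distribution|lower)]` lookup raises an undefined-key error on any `MOLECULE_TEST_OS` that is neither ubuntu nor debian; a `| default('root')` on the lookup, or an explicit skip, would make that failure mode clearer.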
@@ -0,0 +1,14 @@ +--- +provision_management_user_name: ubuntu +provision_management_user_group: ubuntu +provision_management_user_password: "*" +provision_management_user_is_system: true +provision_management_user_home: /home/{{ provision_management_user_name }} +provision_management_user_shell: /bin/bash +provision_management_user_sudoer: true +provision_management_user_disable_root_login: false +provision_management_user_disable_root_password_auth: false +provision_management_user_add_ssh_key: true +provision_management_user_ssh_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClfmTk73wNNL2jwvhRUmUuy80JRrz3P7cEgXUqlc5O9" +provision_management_user_ssh_key_options: "" +provision_management_user_ssh_key_exclusive: true diff --git a/molecule/with_ssh_keys_vagrant/molecule.yml b/molecule/with_ssh_keys_vagrant/molecule.yml new file mode 100644 index 0000000..25f66bc --- /dev/null +++ b/molecule/with_ssh_keys_vagrant/molecule.yml @@ -0,0 +1,35 @@ +--- +dependency: + name: galaxy + options: + requirements-file: ./requirements.yml +driver: + name: vagrant + provider: + name: libvirt +platforms: + - name: instance + box: generic/${MOLECULE_TEST_OS} + cpus: 4 + memory: 4096 +provisioner: + name: ansible + config_options: + defaults: + remote_tmp: /tmp/.ansible +verifier: + name: ansible +scenario: + name: with_ssh_keys_vagrant + test_sequence: + - dependency + - cleanup + - destroy + - syntax + - create + - prepare + - converge + - idempotence + - verify + - cleanup + - destroy diff --git a/molecule/with_ssh_keys_vagrant/requirements.yml b/molecule/with_ssh_keys_vagrant/requirements.yml new file mode 100644 index 0000000..e9320f9 --- /dev/null +++ b/molecule/with_ssh_keys_vagrant/requirements.yml @@ -0,0 +1,3 @@ +--- +# requirements file for molecule +roles: [] diff --git a/molecule/with_ssh_keys_vagrant/verify.yml b/molecule/with_ssh_keys_vagrant/verify.yml new file mode 100644 index 0000000..348b245 --- /dev/null +++ b/molecule/with_ssh_keys_vagrant/verify.yml 
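Review bot: `provision_management_user_ssh_key` hard-codes a real ed25519 public key while the same vars file sets `provision_management_user_sudoer: true`, so whoever holds the matching private key gets passwordless root on any host that is ever provisioned from a copy of this file. Committing a public key is not a secret leak, but nothing marks it as a test fixture; a comment such as `# throwaway test key - the holder of the private key gets NOPASSWD root, never reuse outside molecule` above the line, or generating the keypair in a `prepare` step and passing it in as a fact, would remove the footgun. `provision_management_user_disable_root_login: false` and `..._disable_root_password_auth: false` also leave the root-hardening path of tasks/configure_host.yml unexercised in this scenario - presumably to keep the Vagrant driver's access intact, which is worth stating in a comment if so. `provision_management_user_password: "*"` correctly produces a locked password field; keep it quoted as it is so YAML does not mangle it.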
@@ -0,0 +1,95 @@ +--- +- name: Verify + hosts: all + gather_facts: true + tasks: + - name: "Test: file /etc/hosts" + block: + - name: "Stat file /etc/hosts" + ansible.builtin.stat: + path: "/etc/hosts" + register: stat_etc_hosts + + - name: "Verify file /etc/hosts" + vars: + etc_hosts_group: + ubuntu: "adm" + debian: "root" + ansible.builtin.assert: + that: + - stat_etc_hosts.stat.exists + - stat_etc_hosts.stat.isreg + - stat_etc_hosts.stat.pw_name == 'root' + - stat_etc_hosts.stat.gr_name == etc_hosts_group[(ansible_distribution|lower)] + + - name: "Test: ubuntu user and group" + block: + - name: "Getent user ansible" + ansible.builtin.getent: + database: passwd + key: ubuntu + register: ednxzu_management_user + + - name: "Getent group ubuntu" + ansible.builtin.getent: + database: group + key: ubuntu + register: ednxzu_management_group + + - name: "Verify ubuntu user and group" + ansible.builtin.assert: + that: + - not ednxzu_management_user.failed + - not ednxzu_management_group.failed + - "'ubuntu' in ednxzu_management_user.ansible_facts.getent_passwd.keys()" + - "'/home/ubuntu' in ednxzu_management_user.ansible_facts.getent_passwd['ubuntu']" + - "'/bin/bash' in ednxzu_management_user.ansible_facts.getent_passwd['ubuntu']" + - "'ubuntu' in ednxzu_management_group.ansible_facts.getent_group.keys()" + + - name: "Test: ubuntu sudo permissions" + block: + - name: "Stat file /etc/sudoers.d/ubuntu" + ansible.builtin.stat: + path: "/etc/sudoers.d/ubuntu" + register: stat_etc_sudoers_d_ubuntu + become: true + + - name: "Slurp file /etc/sudoers.d/ubuntu" + ansible.builtin.slurp: + src: "/etc/sudoers.d/ubuntu" + register: slurp_etc_sudoers_d_ubuntu + become: true + + - name: "Verify file /etc/sudoers.d/ubuntu" + ansible.builtin.assert: + that: + - stat_etc_sudoers_d_ubuntu.stat.exists + - stat_etc_sudoers_d_ubuntu.stat.isreg + - stat_etc_sudoers_d_ubuntu.stat.pw_name == 'root' + - stat_etc_sudoers_d_ubuntu.stat.gr_name == 'root' + - stat_etc_sudoers_d_ubuntu.stat.mode == 
'0440' + - "'ubuntu ALL=NOPASSWD:SETENV: ALL' in (slurp_etc_sudoers_d_ubuntu.content|b64decode)" + + - name: "Test: ubuntu authorized_keys" + block: + - name: "Stat file /home/ubuntu/.ssh/authorized_keys" + ansible.builtin.stat: + path: "/home/ubuntu/.ssh/authorized_keys" + register: stat_home_ubuntu_ssh_authorized_keys + become: true + + - name: "Slurp file /home/ubuntu/.ssh/authorized_keys" + ansible.builtin.slurp: + src: "/home/ubuntu/.ssh/authorized_keys" + register: slurp_home_ubuntu_ssh_authorized_keys + become: true + + - name: "Verify file /home/ubuntu/.ssh/authorized_keys" + ansible.builtin.assert: + that: + - stat_home_ubuntu_ssh_authorized_keys.stat.exists + - stat_home_ubuntu_ssh_authorized_keys.stat.isreg + - stat_home_ubuntu_ssh_authorized_keys.stat.pw_name == 'ubuntu' + - stat_home_ubuntu_ssh_authorized_keys.stat.gr_name == 'ubuntu' + - stat_home_ubuntu_ssh_authorized_keys.stat.mode == '0600' + - "'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClfmTk73wNNL2jwvhRUmUuy80JRrz3P7cEgXUqlc5O9 ubuntu@instance' in (slurp_home_ubuntu_ssh_authorized_keys.content|b64decode)" diff --git a/tasks/add_ssh_keys.yml b/tasks/add_ssh_keys.yml index d2688c0..4253286 100644 --- a/tasks/add_ssh_keys.yml +++ b/tasks/add_ssh_keys.yml @@ -7,3 +7,4 @@ comment: "{{ provision_management_user_name }}@{{ ansible_hostname }}" key_options: "{{ provision_management_user_ssh_key_options }}" exclusive: "{{ provision_management_user_ssh_key_exclusive }}" + become: true \ No newline at end of file diff --git a/tasks/configure_host.yml b/tasks/configure_host.yml index f1cd330..07c82b5 100644 --- a/tasks/configure_host.yml +++ b/tasks/configure_host.yml @@ -10,6 +10,7 @@ notify: - systemctl-restart-sshd when: provision_management_user_disable_root_password_auth + become: true - name: "Lock root authentication" ansible.builtin.lineinfile: @@ -21,3 +22,4 @@ notify: - systemctl-restart-sshd when: provision_management_user_disable_root_login + become: true 
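Review bot: The authorized_keys assert only checks that the expected key line is present, although the scenario sets `provision_management_user_ssh_key_exclusive: true`; a leftover key from the box image or a previous run would not be detected. Adding `- (slurp_home_ubuntu_ssh_authorized_keys.content|b64decode).strip().splitlines()|length == 1` to that `that` list pins the exclusive behaviour. The sudoers check has the same shape - it confirms `ubuntu ALL=NOPASSWD:SETENV: ALL` is a substring but not that the file holds nothing else - and the owner/group/`'0440'` asserts are the right string form for a stat mode. The expected comment `ubuntu@instance` is tied to the platform name `instance` in molecule.yml; building it from `ansible_hostname`, as tasks/add_ssh_keys.yml does, would keep the test from breaking on a renamed platform.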
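Review bot: The `ansible.builtin.lineinfile` task "Lock root authentication" rewrites the sshd configuration and notifies `systemctl-restart-sshd`, but no `validate:` is visible on it, so a malformed edit is only discovered when the handler restarts sshd - at which point the daemon stays down and the management user this role just created is locked out together with root. Adding `validate: "/usr/sbin/sshd -t -f %s"` to both lineinfile tasks in this file makes Ansible reject the change before the handler fires; the `sshd` path may differ per distribution, so confirm it on the boxes behind `MOLECULE_TEST_OS`. Both tasks in this file begin above their hunks, so the `path`/`regexp` arguments are outside what I can see; if `validate` is already set there, ignore this. As a smaller point, the handler uses `state: restarted`; `reloaded` is sufficient for a config change and is slightly less disruptive, if the units on the test boxes support it.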
diff --git a/tasks/create_user.yml b/tasks/create_user.yml index 866a8c1..ac2c08f 100644 --- a/tasks/create_user.yml +++ b/tasks/create_user.yml @@ -5,6 +5,7 @@ name: "{{ provision_management_user_group }}" state: present system: "{{ provision_management_user_is_system }}" + become: true - name: "Create user {{ provision_management_user_name }}" ansible.builtin.user: @@ -16,6 +17,7 @@ shell: "{{ provision_management_user_shell }}" system: "{{ provision_management_user_is_system }}" create_home: true + become: true - name: "Add user to sudoers" community.general.sudoers: @@ -25,3 +27,4 @@ nopassword: true setenv: true when: provision_management_user_sudoer + become: true
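Review bot: The `community.general.sudoers` task hard-codes `setenv: true`, which grants the `SETENV` tag and lets the management user push arbitrary environment variables through `sudo -E`, bypassing `env_reset`; for a user that already has `NOPASSWD: ALL` this adds no privilege, but it is a non-default sudo relaxation that should be an explicit, documented variable, e.g. `setenv: "{{ provision_management_user_sudo_setenv | default(false) }}"`, rather than an unconditional constant. The task begins above the hunk, so I cannot see whether `validation:` is set; as I recall the module's default only runs `visudo` when it is available, and making it `validation: required` guarantees a broken file is never dropped into `/etc/sudoers.d`. The verify playbooks assert the literal `ubuntu ALL=NOPASSWD:SETENV: ALL`, so changing the default would need a matching test update. Style-wise, `become: true` is now repeated on every task in the role; declaring it once on the `include_role` call via `apply: { become: true }`, or documenting in the README that the role requires privilege escalation, would stop a future task from silently running unprivileged.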