From a53b27a8fdd6b0156a89cdc7922441507c3425d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krist=C3=B3f=20Torma?= Date: Tue, 25 Jul 2023 15:00:05 +0200 Subject: [PATCH] replace usernames --- roles/common/tasks/clean-motd.yaml | 6 +-- roles/common/tasks/ssh-security-settings.yaml | 4 +- roles/common/tasks/user-ops.yaml | 49 +++---------------- roles/docker/tasks/main.yaml | 2 +- roles/realmd/tasks/main.yaml | 16 ++++++ 5 files changed, 29 insertions(+), 48 deletions(-) diff --git a/roles/common/tasks/clean-motd.yaml b/roles/common/tasks/clean-motd.yaml index 2894fad..8d6f411 100644 --- a/roles/common/tasks/clean-motd.yaml +++ b/roles/common/tasks/clean-motd.yaml @@ -2,8 +2,8 @@ - name: clean motd ansible.builtin.file: state: touch - owner: tormakris - group: tormakris + owner: tormakris@intra.tormakris.dev + group: tormakris@intra.tormakris.dev mode: "0644" - path: /home/tormakris/.hushlogin + path: /home/tormakris@intra.tormakris.dev/.hushlogin ... diff --git a/roles/common/tasks/ssh-security-settings.yaml b/roles/common/tasks/ssh-security-settings.yaml index 3fb3e75..eb6d61e 100644 --- a/roles/common/tasks/ssh-security-settings.yaml +++ b/roles/common/tasks/ssh-security-settings.yaml @@ -27,7 +27,7 @@ ansible.builtin.lineinfile: state: absent path: /etc/ssh/sshd_config - regexp: "^AllowUsers" + regexp: "intra.tormakris.dev" check_mode: true changed_when: false register: checkallowusers @@ -36,7 +36,7 @@ ansible.builtin.lineinfile: state: present path: /etc/ssh/sshd_config - line: "AllowUsers tormakris ansible service-user" + line: "AllowUsers tormakris@intra.tormakris.dev ansible@intra.tormakris.dev service-user@intra.tormakris.dev" when: checkallowusers.found == 0 - name: "Restart sshd" diff --git a/roles/common/tasks/user-ops.yaml b/roles/common/tasks/user-ops.yaml index 6ef721e..6780cc1 100644 --- a/roles/common/tasks/user-ops.yaml +++ b/roles/common/tasks/user-ops.yaml 
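Review bot: The presence check in the first ssh-security-settings hunk now looks for the bare substring `intra.tormakris.dev` instead of an `AllowUsers` directive, so on a host provisioned by the previous version the old `AllowUsers tormakris ansible service-user` line is not matched and the next task appends a second AllowUsers line beside it; sshd accumulates AllowUsers patterns across directives, so the unqualified local accounts remain permitted to log in. The new regexp is also unanchored with unescaped dots, so any comment or other option mentioning the domain satisfies it. Both problems go away if the check_mode/register pair is dropped and the "Define AllowUsers" task alone carries `regexp: "^AllowUsers"` together with its `line:` and `state: present`, which makes lineinfile replace the existing directive in place rather than append.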
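Review bot: The new AllowUsers line in the second ssh-security-settings hunk will not match the accounts it names, because sshd_config(5) parses a pattern of the form USER@HOST as a username restricted to a source host — `tormakris@intra.tormakris.dev` is read as user `tormakris` connecting from host `intra.tormakris.dev`, not as a fully-qualified sssd account, and there is no way to escape the `@`. Since the "Restart sshd" task that follows applies this immediately, the likely outcome is that every listed account is locked out. With realm-qualified names the usual approach is AllowGroups, whose patterns have no USER@HOST splitting, e.g. `line: "AllowGroups linuxadmins@intra.tormakris.dev"` with the accounts placed in that realm group, or alternatively turning off `use_fully_qualified_names` in sssd so the account names carry no domain suffix. Either way, verify on one host (keeping an existing session open) before the restart runs against the fleet.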
@@ -1,57 +1,22 @@ --- -- name: "Add service user" - ansible.builtin.user: - name: service-user - comment: Service user - shell: /bin/bash - -- name: "Add ansible user" - ansible.builtin.user: - name: ansible - comment: Ansible - shell: /bin/bash - -- name: "Add ansible user to sudo group" - ansible.builtin.user: - name: ansible - comment: Ansible - groups: sudo - append: yes - - name: Create .ssh directory of root user ansible.builtin.file: - path: /home/ansible/.ssh + path: /home/ansible@intra.tormakris.dev/.ssh state: directory - owner: ansible - group: ansible + owner: ansible@intra.tormakris.dev + group: ansible@intra.tormakris.dev - name: Copy authorized_keys ansible.builtin.copy: src: authorized_keys - dest: /home/ansible/.ssh/authorized_keys + dest: /home/ansible@intra.tormakris.dev/.ssh/authorized_keys mode: 0600 - owner: ansible - group: ansible - -- name: Check if ansible is already nopasswd in sudoers - ansible.builtin.lineinfile: - state: absent - path: /etc/sudoers - regexp: "^ansible" - check_mode: true - changed_when: false - register: checkallowusers - -- name: Define ansible nopasswd in sudoers - ansible.builtin.lineinfile: - state: present - path: /etc/sudoers - line: "ansible ALL=(ALL:ALL) NOPASSWD:ALL" - when: checkallowusers.found == 0 + owner: ansible@intra.tormakris.dev + group: ansible@intra.tormakris.dev - name: "Update authorized_keys of tormakris" ansible.posix.authorized_key: - user: tormakris + user: tormakris@intra.tormakris.dev state: present key: https://static.tormakristof.eu/ssh.keys ... diff --git a/roles/docker/tasks/main.yaml b/roles/docker/tasks/main.yaml index 4732e8f..aabed20 100644 --- a/roles/docker/tasks/main.yaml +++ b/roles/docker/tasks/main.yaml @@ -23,7 +23,7 @@ - name: "Add service user to docker group" ansible.builtin.user: - name: service-user + name: service-user@intra.tormakris.dev comment: Service user groups: docker append: yes 
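Review bot: The user-ops hunk stops managing the local `ansible` and `service-user` accounts and the `ansible ALL=(ALL:ALL) NOPASSWD:ALL` sudoers line, but it never removes them, so on any host already provisioned by the previous version the local passwordless-sudo account keeps existing alongside the new realm accounts as a second, now unmanaged, privileged path. The `.ssh` directory task also sets no `mode:`, so the directory takes whatever the umask yields, and its name still says "of root user" although it creates the ansible user's directory. The home path `/home/ansible@intra.tormakris.dev` presumably relies on sssd's fallback_homedir producing `%u@%d`, which is not visible here — confirm it matches the realmd role. Suggested cleanup (gate the account removal on the controller already connecting as the realm account):

```yaml
- name: Remove legacy local ansible account
  ansible.builtin.user:
    name: ansible
    state: absent

- name: Drop legacy NOPASSWD rule for local ansible user
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    regexp: "^ansible "
    state: absent
    validate: /usr/sbin/visudo -cf %s

- name: Create .ssh directory of ansible user
  ansible.builtin.file:
    path: /home/ansible@intra.tormakris.dev/.ssh
    state: directory
    owner: ansible@intra.tormakris.dev
    group: ansible@intra.tormakris.dev
    mode: "0700"
# … unchanged: Copy authorized_keys, Update authorized_keys of tormakris …
```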
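Review bot: In the docker hunk, `ansible.builtin.user` with `name: service-user@intra.tormakris.dev` shells out to `usermod`, which only edits accounts present in the local /etc/passwd, so for an account that resolves through sssd the task is expected to fail with "user does not exist" (the `comment:` argument alone forces a passwd update) rather than add the realm account to `docker`. Membership of a domain user in a local group is typically granted with `gpasswd -a`, which resolves the user through NSS, guarded by a check of the current members so the task stays idempotent. Note that `docker` group membership is root-equivalent on the host, so this grant deserves the same scrutiny as the sudoers change in the realmd role.

```yaml
- name: Read current docker group members
  ansible.builtin.command: getent group docker
  register: docker_group
  changed_when: false

- name: "Add service user to docker group"
  ansible.builtin.command: gpasswd -a service-user@intra.tormakris.dev docker
  when: "'service-user@intra.tormakris.dev' not in docker_group.stdout.split(':')[-1].split(',')"
```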
diff --git a/roles/realmd/tasks/main.yaml b/roles/realmd/tasks/main.yaml index ffc3231..b0def1a 100644 --- a/roles/realmd/tasks/main.yaml +++ b/roles/realmd/tasks/main.yaml @@ -85,4 +85,20 @@ ansible.builtin.service: name: sssd state: restarted + +- name: Check if group is presend in sudoers + ansible.builtin.lineinfile: + state: absent + path: /etc/sudoers + regexp: "^%linuxadmins" + check_mode: true + changed_when: false + register: checksudoers + +- name: Define group in sudoers + ansible.builtin.lineinfile: + state: present + path: /etc/ssh/sshd_config + line: "%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL" + when: checksudoers.found == 0 ...
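Review bot: The "Define group in sudoers" task writes to `path: /etc/ssh/sshd_config`, not to the /etc/sudoers the preceding check inspects, so the `%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL` line never grants sudo and instead lands in sshd_config, where sshd rejects it as a bad configuration option and will refuse to start on the next restart or reboot. Because the check and the write target different files, `checksudoers.found` stays 0 for the file being written and the line is appended again on every run. Hosts that have already run this version need the stray line removed from sshd_config by hand before sshd is next restarted; the task name's "presend" should also read "present". A single lineinfile into a sudoers.d drop-in with `validate:` avoids both the wrong path and the check/write split, and keeps a syntax error from breaking sudo:

```yaml
- name: Grant sudo to the realm admin group
  ansible.builtin.lineinfile:
    path: /etc/sudoers.d/linuxadmins
    create: true
    owner: root
    group: root
    mode: "0440"
    regexp: '^%linuxadmins@intra\.tormakris\.dev\s'
    line: "%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL"
    validate: /usr/sbin/visudo -cf %s
```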