Add task to setup passwordless sudo for user
This commit is contained in:
parent
1b5458cd79
commit
3af7f61dfa
@ -39,7 +39,27 @@ To get started, follow the [installation](../README.md#installation) guide to se
|
|||||||
# }
|
# }
|
||||||
```
|
```
|
||||||
|
|
||||||
- Execute the `setup-user.yml` Ansible playbook to create a user `dev` with sudo permissions:
|
- Setup `user-vars.yml` using the example file
|
||||||
|
|
||||||
|
```bash
|
||||||
|
cd vars
|
||||||
|
cp user-vars.example.yml user-vars.yml
|
||||||
|
```
|
||||||
|
|
||||||
|
- Edit the following vars:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# name of the user you want to setup on the target host
|
||||||
|
username: ""
|
||||||
|
|
||||||
|
# password of the user you want to setup on the target host
|
||||||
|
password: ""
|
||||||
|
|
||||||
|
# path to the ssh key on your machine
|
||||||
|
path_to_ssh_key: "
|
||||||
|
```
|
||||||
|
|
||||||
|
- Execute the `setup-user.yml` Ansible playbook to create a user with passwordless sudo permissions:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ansible-playbook setup-user.yml -i hosts.ini --extra-vars='{ "target_host": "deployment_host" }'
|
ansible-playbook setup-user.yml -i hosts.ini --extra-vars='{ "target_host": "deployment_host" }'
|
||||||
|
@ -59,12 +59,16 @@
|
|||||||
ignore_errors: yes
|
ignore_errors: yes
|
||||||
|
|
||||||
- name: Sign a dummy string using gpg-key
|
- name: Sign a dummy string using gpg-key
|
||||||
shell: echo "This is a dummy string." | gpg --batch --yes --passphrase "{{ vault_passphrase }}" --pinentry-mode loopback --sign -
|
shell: echo "This is a dummy string." | gpg --batch --yes --local-user "{{ gpg_key_id }}" --passphrase "{{ vault_passphrase }}" --pinentry-mode loopback --sign -
|
||||||
|
|
||||||
- name: Run vault-rekey.sh
|
- name: Run vault-rekey.sh
|
||||||
shell: bash .vault/vault-rekey.sh
|
shell: bash .vault/vault-rekey.sh
|
||||||
args:
|
args:
|
||||||
chdir: "service-provider-template"
|
chdir: "service-provider-template"
|
||||||
|
register: rekey_result
|
||||||
|
until: rekey_result.stderr == ""
|
||||||
|
retries: 5
|
||||||
|
delay: 5
|
||||||
|
|
||||||
- name: Ensure the target directory exists
|
- name: Ensure the target directory exists
|
||||||
file:
|
file:
|
||||||
@ -163,13 +167,10 @@
|
|||||||
command: ansible-playbook -i hosts site.yml --tags=firewalld,nginx
|
command: ansible-playbook -i hosts site.yml --tags=firewalld,nginx
|
||||||
args:
|
args:
|
||||||
chdir: "{{ ansible_env.HOME }}/service-provider-template"
|
chdir: "{{ ansible_env.HOME }}/service-provider-template"
|
||||||
|
environment:
|
||||||
- name: Install Stack Orchestrator
|
ANSIBLE_HOST_KEY_CHECKING: "False"
|
||||||
command: ansible-playbook -i hosts site.yml --tags=so --limit=so --user so
|
|
||||||
args:
|
|
||||||
chdir: "{{ ansible_env.HOME }}/service-provider-template"
|
|
||||||
|
|
||||||
- name: Deploy Kubernetes
|
- name: Deploy Kubernetes
|
||||||
command: ansible-playbook -i hosts site.yml --tags=k8s --limit={{ org_id }}_{{ location_id }} --user so
|
command: ansible-playbook -i hosts site.yml --tags=k8s --limit={{ org_id }}_{{ location_id }} --user {{ ansible_user }}
|
||||||
args:
|
args:
|
||||||
chdir: "{{ ansible_env.HOME }}/service-provider-template"
|
chdir: "{{ ansible_env.HOME }}/service-provider-template"
|
||||||
|
@ -2,12 +2,16 @@
|
|||||||
hosts: "{{ target_host }}"
|
hosts: "{{ target_host }}"
|
||||||
become: yes
|
become: yes
|
||||||
|
|
||||||
|
vars_files:
|
||||||
|
- vars/user-vars.yml
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Set unique hostname
|
- name: Set unique hostname
|
||||||
hostname:
|
hostname:
|
||||||
name: "{{ inventory_hostname }}"
|
name: "{{ inventory_hostname }}"
|
||||||
when: ansible_hostname != inventory_hostname
|
when: ansible_hostname != inventory_hostname
|
||||||
|
|
||||||
|
# TODO: Move installation to k8s playbook
|
||||||
- name: Install additional packages
|
- name: Install additional packages
|
||||||
apt:
|
apt:
|
||||||
name:
|
name:
|
||||||
@ -78,26 +82,39 @@
|
|||||||
- /var/lib/snapd
|
- /var/lib/snapd
|
||||||
become: yes
|
become: yes
|
||||||
|
|
||||||
# TODO: Make username and password configurable
|
- name: Create a user
|
||||||
- name: Create a user `dev`
|
|
||||||
user:
|
user:
|
||||||
name: dev
|
name: "{{ username }}"
|
||||||
password: "{{ 'so-service-provider' | password_hash('sha512') }}"
|
password: "{{ '{{ password }}' | password_hash('sha512') }}"
|
||||||
shell: /bin/zsh
|
shell: /bin/bash
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Add dev user to sudoers group
|
- name: Add user to sudoers group
|
||||||
user:
|
user:
|
||||||
name: dev
|
name: "{{ username }}"
|
||||||
groups: sudo
|
groups: sudo
|
||||||
append: yes
|
append: yes
|
||||||
|
|
||||||
- name: Ensure .ssh directory exists for 'dev' user
|
- name: Ensure .ssh directory exists for user
|
||||||
file:
|
file:
|
||||||
path: /home/dev/.ssh
|
path: /home/"{{ username }}"/.ssh
|
||||||
state: directory
|
state: directory
|
||||||
owner: dev
|
owner: "{{ username }}"
|
||||||
group: dev
|
group: "{{ username }}"
|
||||||
mode: '0700'
|
mode: '0700'
|
||||||
|
|
||||||
# TODO: Add tasks to setup passwordless sudo for the user
|
- name: Copy SSH public key to authorized_keys
|
||||||
|
copy:
|
||||||
|
src: "{{ path_to_ssh_key }}"
|
||||||
|
dest: /home/{{ username }}/.ssh/authorized_keys
|
||||||
|
owner: "{{ username }}"
|
||||||
|
group: "{{ username }}"
|
||||||
|
mode: '0600'
|
||||||
|
|
||||||
|
- name: Add user to sudoers for passwordless sudo
|
||||||
|
lineinfile:
|
||||||
|
path: /etc/sudoers
|
||||||
|
state: present
|
||||||
|
regexp: '^{{ username }} ALL=\(ALL\) NOPASSWD:ALL'
|
||||||
|
line: '{{ username }} ALL=(ALL) NOPASSWD:ALL'
|
||||||
|
validate: 'visudo -cf %s'
|
||||||
|
Loading…
Reference in New Issue
Block a user