From c83cad2e880ffa9610aad13a04ee124785981b57 Mon Sep 17 00:00:00 2001
From: Tyler Hale
Date: Sun, 2 Feb 2025 20:37:05 -0700
Subject: [PATCH] Switching user management solution

---
 README.md | 24 --------------
 roles/base/defaults/main.yml | 18 ++++------
 roles/base/public_keys/ansible_awx | 1 -
 roles/base/public_keys/as-awx-workstation | 1 -
 roles/base/public_keys/thale-bw-curve25519 | 1 -
 roles/base/public_keys/thale-bw-rsa | 1 -
 .../base/public_keys/thale-desktop-curve25519 | 1 -
 roles/base/public_keys/thale-desktop-rsa | 1 -
 .../base/public_keys/thale-laptop-curve25519 | 1 -
 roles/base/public_keys/thale-laptop-rsa | 1 -
 roles/base/public_keys/thale-phone-curve25519 | 1 -
 roles/base/public_keys/thale-phone-rsa | 1 -
 roles/base/public_keys/thale-work-curve25519 | 1 -
 roles/base/public_keys/thale-work-rsa | 1 -
 roles/base/tasks/core.yml | 23 +++++++------
 roles/base/tasks/core_ssh.yml | 21 ------------
 roles/base/tasks/core_users.yml | 33 +++++++++++++++++++
 17 files changed, 51 insertions(+), 80 deletions(-)
 delete mode 100644 roles/base/public_keys/ansible_awx
 delete mode 100644 roles/base/public_keys/as-awx-workstation
 delete mode 100644 roles/base/public_keys/thale-bw-curve25519
 delete mode 100644 roles/base/public_keys/thale-bw-rsa
 delete mode 100644 roles/base/public_keys/thale-desktop-curve25519
 delete mode 100644 roles/base/public_keys/thale-desktop-rsa
 delete mode 100644 roles/base/public_keys/thale-laptop-curve25519
 delete mode 100644 roles/base/public_keys/thale-laptop-rsa
 delete mode 100644 roles/base/public_keys/thale-phone-curve25519
 delete mode 100644 roles/base/public_keys/thale-phone-rsa
 delete mode 100644 roles/base/public_keys/thale-work-curve25519
 delete mode 100644 roles/base/public_keys/thale-work-rsa
 create mode 100644 roles/base/tasks/core_users.yml

diff --git a/README.md b/README.md
index 84a383f..6df9e5f 100644
--- a/README.md
+++ b/README.md
@@ -10,30 +10,6 @@ If the "base_core_hostname" variable is defined, it is recommended to set the an
 | ----------------------- | ------------------------------------------------------------- |
 | ansible_ssh_common_args | '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' |
 
-## Role Variables
-
-### Core Variables
-
-| Variable | Default | Choices | Comments |
-| -------------------------------------------- | ------------- | ----------- | ------------------------------------------------------------------------------- |
-| base_core_cert_common_name | nodename | | Common name for created self-signed cert |
-| base_core_firewall_configure | True | True, False | Allows the firewall to be configured |
-| base_core_hostname | "" | | Defines the computer hostname |
-| base_core_install_updates | True | True, False | Install all available updates for the distro at runtime |
-| base_core_management_user | ansible_user | | Defines the account that ansible will use for management in the future |
-| base_core_management_user_disable_password | False | True, False | When enabled the password for the management user account will be disabled |
-| base_core_motd_banner | "" | | Banner to be added to MOTD if desired |
-| base_core_motd_configure | True | True, False | Allows the MOTD to be configured |
-| base_core_root_ca_basename | "" | | Basename of the cert for local system reference |
-| base_core_root_ca_convert | False | True, False | Converts the defined certificate from DER to PEM type |
-| base_core_root_ca_url | "" | | URL of a Root CA to install |
-| base_core_secondary_user | "" | | Defines a secondary account that ansible configure for management in the future |
-| base_core_secondary_user_disable_password | False | True, False | When enabled the password for the secondary user account will be disabled |
-| base_core_ssh_permit_password_authentication | False | True, False | Permits the use of passwords for ssh |
-| base_core_ssh_permit_root_login | False | 
True, False | Permits the use of root logins for ssh |
-| base_core_timezone | America/Boise | | Defines the timezone to apply to the client |
-| base_core_web_management | False | True, False | Enables installation of the Cockpit web management package(s) |
-
 ## Example
 
 Execute playbook with needed variables
diff --git a/roles/base/defaults/main.yml b/roles/base/defaults/main.yml
index def77a3..8f55ec2 100644
--- a/roles/base/defaults/main.yml
+++ b/roles/base/defaults/main.yml
@@ -8,17 +8,13 @@
 # General
 # =======
 
-# User that should be configured for future management
-base_core_management_user: "{{ ansible_user }}"
-
-# Secondary user that may be configured for future management
-base_core_secondary_user: ""
-
-# If enabled, the password for the management user account will be disabled
-base_core_management_user_disable_password: false
-
-# If enabled, the password for the secondary user account will be disabled
-base_core_secondary_user_disable_password: false
+# Users that should be configured for future management
+base_users: []
+#- username: "{{ ansible_user }}"
+# password: ""
+# disable_password: false
+# ssh_keys: []
+# ssh_keys_force: false # setting ssh_keys_force to true will overwrite the authorized_keys file to only be the ssh keys provided
 
 # Install all available updates at runtime
 base_core_install_updates: true
diff --git a/roles/base/public_keys/ansible_awx b/roles/base/public_keys/ansible_awx
deleted file mode 100644
index 3e8db57..0000000
--- a/roles/base/public_keys/ansible_awx
+++ /dev/null
@@ -1 +0,0 @@
-ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBACzgUaiXanC7LIMR2JHlNjqHdscstjUQ4ZMJOG9ndZY2Ml81g+KPSUQHsmEAO+24TBVc/EpmeU3iMX4BO6XhUEhRACIAfyxW0zZWBZlO46TWf+oMcH6CQNQHubEpxqGvZd8A0tNxI2npzOEW6b3mKDGd1Z60yBPjNr5KZWVcJePPMwjaw== ansible_awx
diff --git a/roles/base/public_keys/as-awx-workstation b/roles/base/public_keys/as-awx-workstation
deleted file mode 100644
index 4e140f8..0000000
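Review bot: The commented example under `base_users` shows `password: ""`, but the `user` module's `password` parameter expects a crypted hash on Linux hosts, and the new core_users.yml applies the value whenever the key is defined, so copying the example literally would push an empty password field rather than leave the account alone. I'd change the example line to `# password: ""  # crypted hash (e.g. password_hash('sha512')), keep in vault; omit the key to leave the password untouched` and note that `ssh_keys` may also be a single URL string, since the tasks branch on `is url` while the example only shows a list. It is also worth a comment that the `[]` default now configures no management user and deploys no authorized key unless the caller sets `base_users`, which is a behaviour change from the removed `base_core_management_user` defaults.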
--- a/roles/base/public_keys/as-awx-workstation
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEAccPXNMwyNb4UW2P3MyxRGH2xDrOHKOkW0/2DGuNJq as-awx-workstation
diff --git a/roles/base/public_keys/thale-bw-curve25519 b/roles/base/public_keys/thale-bw-curve25519
deleted file mode 100644
index 71d3527..0000000
--- a/roles/base/public_keys/thale-bw-curve25519
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJoxKs7UgLr/6zVzZLSbqMUfHtrAtg93qRwEEXFAMqfR thale-bw-curve25519
diff --git a/roles/base/public_keys/thale-bw-rsa b/roles/base/public_keys/thale-bw-rsa
deleted file mode 100644
index e96ed5b..0000000
--- a/roles/base/public_keys/thale-bw-rsa
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa 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 thale-bw-rsa
diff --git a/roles/base/public_keys/thale-desktop-curve25519 b/roles/base/public_keys/thale-desktop-curve25519
deleted file mode 100644
index 32ee367..0000000
--- a/roles/base/public_keys/thale-desktop-curve25519
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFXJshwwSz1rf7wJw5trBwBkNdWrLWffAxUlbW1JSkdt thale-desktop-curve25519
diff --git a/roles/base/public_keys/thale-desktop-rsa b/roles/base/public_keys/thale-desktop-rsa
deleted file mode 100644
index 02b0b3f..0000000
--- a/roles/base/public_keys/thale-desktop-rsa
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa 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 thale-desktop-rsa
diff --git a/roles/base/public_keys/thale-laptop-curve25519 b/roles/base/public_keys/thale-laptop-curve25519
deleted file mode 100644
index 79c4f69..0000000
--- a/roles/base/public_keys/thale-laptop-curve25519
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAVLEQhiLGQa72Byq8MApoyvltFodOF/lCen7TBNsdAc thale-laptop-curve25519
diff --git a/roles/base/public_keys/thale-laptop-rsa b/roles/base/public_keys/thale-laptop-rsa
deleted file mode 100644
index a5f7820..0000000
--- a/roles/base/public_keys/thale-laptop-rsa
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa 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 thale-laptop-rsa
diff --git a/roles/base/public_keys/thale-phone-curve25519 b/roles/base/public_keys/thale-phone-curve25519
deleted file mode 100644
index f6b84ab..0000000
--- a/roles/base/public_keys/thale-phone-curve25519
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgqeosFeqdDoLZ2rRaFrtXlhS3qLC6/1z2lqrtlFk27 thale-phone-curve25519
diff --git a/roles/base/public_keys/thale-phone-rsa b/roles/base/public_keys/thale-phone-rsa
deleted file mode 100644
index 0816ce2..0000000
--- a/roles/base/public_keys/thale-phone-rsa
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa 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 thale-phone-rsa
diff --git a/roles/base/public_keys/thale-work-curve25519 b/roles/base/public_keys/thale-work-curve25519
deleted file mode 100644
index 6f6f814..0000000
--- a/roles/base/public_keys/thale-work-curve25519
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIACL4TqzQo8qFu5V5LB+PxQG2MHFAGXJrquf2SpuZpzA thale-work-curve25519
diff --git a/roles/base/public_keys/thale-work-rsa b/roles/base/public_keys/thale-work-rsa
deleted file mode 100644
index 6599fac..0000000
--- a/roles/base/public_keys/thale-work-rsa
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa 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 thale-work-rsa
diff --git a/roles/base/tasks/core.yml b/roles/base/tasks/core.yml
index efc599a..4fce338 100644
--- a/roles/base/tasks/core.yml
+++ b/roles/base/tasks/core.yml
@@ -27,6 +27,17 @@
 pool: '^(Red Hat Enterprise Server|Red Hat Virtualization)$'
 when: ansible_distribution == 'RedHat' and (base_redhat_subscription_org_id != "" and base_redhat_subscription_activationkey != "")
 
+- name: "*** Users Configuration ***"
+ include_tasks:
+ file: core_users.yml
+ apply:
+ tags: users
+ loop: "{{ base_users }}"
+ loop_control:
+ loop_var: user
+ tags:
+ - users
+
 - name: "*** MOTD Configuration ***"
 include_tasks:
 file: core_motd.yml
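Review bot: Looping `include_tasks` over `base_users` echoes each item in the `included: ... (item=...)` line of the play output, and the item is the whole user dict, so the password hash and key material end up in logs and job history. I'd add `label: "{{ user.username }}"` under `loop_control` next to `loop_var: user` so only the account name is printed. A one-line comment that `user` is the per-entry mapping consumed by core_users.yml would also help a reader who lands on this task first. The task list continues outside the hunk on both sides.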
@@ -77,15 +88,3 @@
 when: base_core_web_management == true
 tags:
 - web_management
-
-- name: Disable password for management account
- user:
- name: "{{ base_core_management_user }}"
- password_lock: yes
- when: base_core_management_user_disable_password == true
-
-- name: Disable password for secondary management account
- user:
- name: "{{ base_core_secondary_user }}"
- password_lock: yes
- when: base_core_secondary_user != "" and base_core_secondary_user_disable_password == true
diff --git a/roles/base/tasks/core_ssh.yml b/roles/base/tasks/core_ssh.yml
index 497f8b6..694de9c 100644
--- a/roles/base/tasks/core_ssh.yml
+++ b/roles/base/tasks/core_ssh.yml
@@ -18,27 +18,6 @@
 tags:
 - issue
 
-- name: Setup authorized keys
- authorized_key:
- user: "{{ base_core_management_user }}"
- state: present
- key: '{{ lookup("file", item) }}'
- with_fileglob:
- - "public_keys/*"
- tags:
- - authorized_key
-
-- name: Setup authorized keys for secondary user
- authorized_key:
- user: "{{ base_core_secondary_user }}"
- state: present
- key: '{{ lookup("file", item) }}'
- with_fileglob:
- - "public_keys/*"
- when: base_core_secondary_user != ""
- tags:
- - authorized_key
-
 - name: Configure SSH root login
 lineinfile:
 path: /etc/ssh/sshd_config
diff --git a/roles/base/tasks/core_users.yml b/roles/base/tasks/core_users.yml
new file mode 100644
index 0000000..7008d73
--- /dev/null
+++ b/roles/base/tasks/core_users.yml
@@ -0,0 +1,33 @@
+---
+# file: roles/base/tasks/core_users.yml
+
+- name: "{{ user.username }} user setup"
+ user:
+ name: "{{ user.username }}"
+ password_lock: "{{ user.disable_password | default(false) }}"
+
+- name: "Configure {{ user.username }} password"
+ user:
+ name: "{{ user.username }}"
+ password: "{{ user.password | default('*') }}"
+ when: user.password is defined
+
+- name: "Setup {{ user.username }} authorized keys"
+ authorized_key:
+ user: "{{ user.username }}"
+ state: present
+ key: "{{ user.ssh_keys | join('\n') }}"
+ exclusive: "{{ user.ssh_keys_force | default('false') }}"
+ tags:
+ - authorized_key
+ when: ( user.ssh_keys is defined ) and ( user.ssh_keys is not url )
+
+- name: "Setup {{ user.username }} authorized keys from url"
+ authorized_key:
+ user: "{{ user.username }}"
+ state: present
+ key: "{{ user.ssh_keys }}"
+ exclusive: "{{ user.ssh_keys_force | default('false') }}"
+ tags:
+ - authorized_key
+ when: ( user.ssh_keys is defined ) and ( user.ssh_keys is url )
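Review bot: The "Configure ... password" task is gated on `user.password is defined`, so the `default('*')` filter can never apply, and a defined-but-empty value such as the `password: ""` shown in the new defaults example is handed to the `user` module as the password hash, which on hosts whose PAM stack allows empty fields can amount to a password-less account. I'd guard it with `when: user.password is defined and user.password | length > 0`, drop the dead default, and add `no_log: true` so the hash is not echoed in task output. The `exclusive` parameters default to the string `'false'` while `password_lock` defaults to the boolean `false`; the module coerces both, but `default(false)` states the intended type. Note also that `password_lock: false` on the first task actively unlocks the account on every run for entries without `disable_password`, which differs from the removed core.yml tasks that only ever locked; a comment on that task should say so.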