From d8adbe12d3e00c646dbfd5213f84479bba95c939 Mon Sep 17 00:00:00 2001
From: William Bradford Clark
Date: Wed, 31 Aug 2022 09:14:28 -0400
Subject: [PATCH 1/3] Optionally add additional groups to unprivileged_user
Also grants passwordless sudo via the groupname, which defaults to the username if groupname is not specified.
---
 roles/unprivileged_user/defaults/main.yml | 1 +
 roles/unprivileged_user/tasks/main.yml | 30 ++++++++++++++++-------
 2 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/roles/unprivileged_user/defaults/main.yml b/roles/unprivileged_user/defaults/main.yml
index 5bfb8aa1e..1f0bcb4ba 100644
--- a/roles/unprivileged_user/defaults/main.yml
+++ b/roles/unprivileged_user/defaults/main.yml
@@ -1,2 +1,3 @@
 ---
 unprivileged_user_username: vagrant
+unprivileged_user_additional_groups: []
diff --git a/roles/unprivileged_user/tasks/main.yml b/roles/unprivileged_user/tasks/main.yml
index 85a46d7ac..4af4b3208 100644
--- a/roles/unprivileged_user/tasks/main.yml
+++ b/roles/unprivileged_user/tasks/main.yml
@@ -1,17 +1,29 @@
 ---
-- name: "Creating of {{ unprivileged_user_username }} user"
- user:
+- name: "Set group name"
+ ansible.builtin.set_fact:
+ unprivileged_user_groupname: "{{ unprivileged_user_primary_group | default(unprivileged_user_username) }}"
+
+- name: "Create groups"
+ ansible.builtin.group:
+ name: "{{ item }}"
+ state: present
+ with_items: "{{ unprivileged_user_additional_groups + [unprivileged_user_groupname] }}"
+ become: true
+
+- name: "Create the {{ unprivileged_user_username }} user"
+ ansible.builtin.user:
 name: "{{ unprivileged_user_username }}"
- comment: "John Vagrant"
+ groups: "{{ unprivileged_user_additional_groups + [unprivileged_user_groupname] }}"
+ append: yes
 become: true
-- name: "Add {{ unprivileged_user_username }} to sudoers"
- lineinfile:
- dest: "/etc/sudoers.d/{{ unprivileged_user_username }}"
+- name: "Grant passwordless sudo via {{ unprivileged_user_groupname }} group"
+ ansible.builtin.lineinfile:
+ dest: "/etc/sudoers.d/{{ unprivileged_user_groupname }}"
 state: present
- regexp: '^{{ unprivileged_user_username }}'
- line: '{{ unprivileged_user_username }} ALL=(ALL) NOPASSWD: ALL'
- validate: 'visudo -cf %s'
+ regexp: '^%{{ unprivileged_user_groupname }}'
+ line: '%{{ unprivileged_user_groupname }} ALL=(ALL) NOPASSWD: ALL'
+ validate: '/usr/sbin/visudo -cf %s'
 create: yes
 become: true
From 6e53237347c392838cd6599713cce8f0c2419aaa Mon Sep 17 00:00:00 2001
From: William Bradford Clark
Date: Wed, 31 Aug 2022 14:55:41 -0400
Subject: [PATCH 2/3] Use authorized_key module and optionally import shh pubkey from GitHub
---
 roles/unprivileged_user/tasks/main.yml | 29 ++++++++++++--------------
 1 file changed, 13 insertions(+), 16 deletions(-)
diff --git a/roles/unprivileged_user/tasks/main.yml b/roles/unprivileged_user/tasks/main.yml
index 4af4b3208..846998228 100644
--- a/roles/unprivileged_user/tasks/main.yml
+++ b/roles/unprivileged_user/tasks/main.yml
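Review bot: The new `line: '%{{ unprivileged_user_groupname }} ALL=(ALL) NOPASSWD: ALL'` turns a per-account grant into one for every current and future member of the group, and `unprivileged_user_primary_group`, read on the `set_fact` line, is not declared in defaults/main.yml (that hunk adds only `unprivileged_user_additional_groups`), so a caller who points it at an existing shared group hands every member passwordless root. Declare it in defaults with a comment such as `# Group that receives passwordless sudo; defaults to the username (user-private group). Do not reuse a shared system group.`. Despite the variable's name, the `ansible.builtin.user` task only lists the group under `groups:` with `append: yes`, so the user's primary group is left as created; add `group: "{{ unprivileged_user_groupname }}"` if primary-group semantics are intended, or rename the input. Hosts configured by the previous version keep `/etc/sudoers.d/{{ unprivileged_user_username }}` whenever the groupname differs from the username, so the old per-user grant survives; an `ansible.builtin.file` task with `state: absent` on that path would retire it.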
@@ -27,24 +27,20 @@
 create: yes
 become: true
-- name: "Create {{ unprivileged_user_username }} .ssh"
- file:
- path: "/home/{{ unprivileged_user_username }}/.ssh"
- owner: "{{ unprivileged_user_username }}"
- group: root
- state: directory
- mode: 0700
+- name: "Add public key to authorized_keys from Host Machine"
+ ansible.posix.authorized_key:
+ user: "{{ unprivileged_user_username }}"
+ state: present
+ key: "{{ lookup('file', unprivileged_user_import_ssh_pub_key) }}"
+ when: unprivileged_user_import_ssh_pub_key | default(False)
 become: true
-- name: "Ensure public key is in authorized_keys"
- lineinfile:
- line: "{{ lookup('file', unprivileged_user_import_ssh_pub_key) }}"
- path: "/home/{{ unprivileged_user_username }}/.ssh/authorized_keys"
- create: yes
- mode: 0600
- owner: "{{ unprivileged_user_username }}"
+- name: "Add public key to authorized_keys via GitHub"
+ ansible.posix.authorized_key:
+ user: "{{ unprivileged_user_username }}"
 state: present
- when: unprivileged_user_import_ssh_pub_key | default(False)
+ key: "https://github.com/{{ unprivileged_user_import_ssh_pub_key_github }}.keys"
+ when: unprivileged_user_import_ssh_pub_key_github | default(False)
 become: true
 - name: "Check /home/{{ unprivileged_user_username }}/.ssh/authorized_keys"
@@ -53,7 +49,8 @@
 register: authorized_keys_file
 become: true
-- block:
+- name: "Inherit authorized_keys from root user if none imported for {{ unprivileged_user_username }}"
+ block:
 - name: "Check /root/.ssh/authorized_keys"
 stat:
 path: /root/.ssh/authorized_keys
From 22d0cc3bb3ccb68d7af3fba6da3c7a1299450a6a Mon Sep 17 00:00:00 2001
From: William Bradford Clark
Date: Wed, 31 Aug 2022 15:17:17 -0400
Subject: [PATCH 3/3] Use community.general.sudoers for unprivileged_user sudoers control
---
 roles/unprivileged_user/tasks/main.yml | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
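Review bot: The `key: "https://github.com/{{ unprivileged_user_import_ssh_pub_key_github }}.keys"` line installs every key the named GitHub account publishes at the moment the play runs, and the sudoers task earlier in this file gives the same account passwordless root, so a mistyped or shared account name is an immediate root grant on the host. Neither `unprivileged_user_import_ssh_pub_key` nor `unprivileged_user_import_ssh_pub_key_github` is declared in defaults/main.yml, which leaves the `| default(False)` guards as the only documentation of these inputs; declare both there as `false` with a comment such as `# GitHub username whose currently published keys are trusted for login (and, via sudoers, root)`. The two `when:` expressions use Python-style `False`; `false` is the YAML/Jinja spelling used elsewhere in the role and reads consistently.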
diff --git a/roles/unprivileged_user/tasks/main.yml b/roles/unprivileged_user/tasks/main.yml
index 846998228..e47c92122 100644
--- a/roles/unprivileged_user/tasks/main.yml
+++ b/roles/unprivileged_user/tasks/main.yml
@@ -18,13 +18,10 @@
 become: true
 - name: "Grant passwordless sudo via {{ unprivileged_user_groupname }} group"
- ansible.builtin.lineinfile:
- dest: "/etc/sudoers.d/{{ unprivileged_user_groupname }}"
- state: present
- regexp: '^%{{ unprivileged_user_groupname }}'
- line: '%{{ unprivileged_user_groupname }} ALL=(ALL) NOPASSWD: ALL'
- validate: '/usr/sbin/visudo -cf %s'
- create: yes
+ community.general.sudoers:
+ name: "{{ unprivileged_user_groupname }}"
+ group: "{{ unprivileged_user_groupname }}"
+ commands: ALL
 become: true
 - name: "Add public key to authorized_keys from Host Machine"
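Review bot: The passwordless grant the task name promises now rests on a module default, since `nopassword` is not set on the new `community.general.sudoers` task; write `nopassword: true` explicitly so the intent is visible to the reader and survives a change of default. The dropped `validate: '/usr/sbin/visudo -cf %s'` is not replaced by anything visible in the hunk; whether the module runs visudo on the file it writes depends on the installed community.general version, so confirm that before relying on it, and make sure the collection is listed in the role's requirements (not visible in this diff). The file written should be `/etc/sudoers.d/{{ unprivileged_user_groupname }}`, the same path the lineinfile task used, so this step itself leaves no stale file behind.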