Allowing more flexible definition of sudo privileges via user_ansible.
gregharvey committed Jan 16, 2025
1 parent 344d9a3 commit 07b9df8
Showing 7 changed files with 55 additions and 20 deletions.
15 changes: 11 additions & 4 deletions ce-dev/ansible/vars/_common/user_deploy.yml
@@ -1,9 +1,16 @@
_user_deploy_username: ce-dev
user_deploy:
username: ce-dev
username: "{{ _user_deploy_username }}"
utility_host: "localhost"
utility_username: ce-dev
sudoer: false
utility_username: "{{ _user_deploy_username }}"
sudo_config:
entity_name: "{{ _user_deploy_username }}"
hosts: "ALL"
operators: "(ALL)"
tags: "NOPASSWD:"
commands: "ALL"
filename: "{{ _user_deploy_username }}"
groups: []
ssh_keys:
- "ssh-rsa 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 [email protected]"
#- "{{ lookup('file', '{{ _ce_provision_data_dir }}/provision-controller/home/ce-dev/.ssh/id_rsa.pub') }}" # works locally
#- "{{ lookup('file', '{{ _ce_provision_data_dir }}/provision-controller/home/' + _user_deploy_username + '/.ssh/id_rsa.pub') }}" # works locally
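Review bot: The ce-dev deploy user goes from `sudoer: false` to a full `ALL (ALL) NOPASSWD: ALL` entry in the new `sudo_config` block, which is a privilege grant rather than the like-for-like translation the commit title suggests. If passwordless root is intended for the local ce-dev container, a comment above the block saying so would stop it being copied into non-dev vars; if it is not, `sudo_config: {}` keeps the previous behaviour, since the role now skips an empty config. `commands: "ALL"` is the line to narrow if the deploy user only needs a handful of privileged operations.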
15 changes: 11 additions & 4 deletions ce-dev/ansible/vars/_common/user_provision.yml
@@ -1,9 +1,16 @@
_user_provision_username: ce-dev
user_provision:
username: ce-dev
username: "{{ _user_provision_username }}"
utility_host: "localhost"
utility_username: ce-dev
sudoer: true
utility_username: "{{ _user_provision_username }}"
sudo_config:
entity_name: "{{ _user_provision_username }}"
hosts: "ALL"
operators: "(ALL)"
tags: "NOPASSWD:"
commands: "ALL"
filename: "{{ _user_provision_username }}"
groups: []
ssh_keys:
- "ssh-rsa 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 [email protected]"
#- "{{ lookup('file', '{{ _ce_provision_data_dir }}/provision-controller/home/ce-dev/.ssh/id_rsa.pub') }}" # works locally
#- "{{ lookup('file', '{{ _ce_provision_data_dir }}/provision-controller/home/' + _user_provision_username + '/.ssh/id_rsa.pub') }}" # works locally
8 changes: 7 additions & 1 deletion install.sh
Expand Up @@ -235,7 +235,13 @@ user_provision:
update_password: always
utility_username: "${CONTROLLER_USER}"
utility_host: localhost
sudoer: true
sudo_config:
entity_name: "${CONTROLLER_USER}"
hosts: "ALL"
operators: "(ALL)"
tags: "NOPASSWD:"
commands: "ALL"
filename: "${CONTROLLER_USER}"
groups:
- bypass2fa
ssh_keys:
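Review bot: `filename: "${CONTROLLER_USER}"` becomes the name of the sudoers drop-in, and sudoers(5) documents that `#includedir` ignores files whose names contain a `.` or end in `~`, so a controller user such as `first.last` would silently get no sudo entry if the sudo_config role writes the file under that name unchanged (the role is not in this diff, so this is inferred). A check before the heredoc is emitted, e.g. `case "$CONTROLLER_USER" in *.*|*~) echo "CONTROLLER_USER must not contain '.' or end in '~'" >&2; exit 1;; esac`, or a sanitised `filename`, would make the failure visible instead of silent. The same caveat applies to `_user_provision_username` and `_user_deploy_username` in the vars files, though those are fixed to `ce-dev` here. The enclosing heredoc starts above the hunk.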
9 changes: 8 additions & 1 deletion roles/debian/user_ansible/defaults/main.yml
Expand Up @@ -14,7 +14,14 @@ user_ansible:
# Local username of the deploy user.
utility_host: "localhost"
utility_username: "{{ _user_ansible_username }}"
sudoer: false
sudo_config: {} # an empty dictionary will skip creating a sudo config
# Example sudo config allowing full sudo permissions - see the debian/sudo_config role for more details.
# entity_name: "{{ _user_ansible_username }}"
# hosts: "ALL"
# operators: "(ALL)"
# tags: "NOPASSWD:"
# commands: "ALL"
# filename: "{{ _user_ansible_username }}"
# List of additional groups to add the user to.
groups: []
# List of SSH pub keys to authorize. These must be provided as strings (content of the pub key).
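Review bot: The commented example under `sudo_config: {}` cannot simply be uncommented as written: with the flow `{}` left on the `sudo_config:` line, indented keys beneath it fail to parse on standard YAML loaders. The comment should say `# Replace the {} above with the keys below to grant full passwordless sudo (see the debian/sudo_config role):`; the same layout is in roles/debian/user_deploy/defaults/main.yml. Naming the consequence next to the example also helps, since `commands: "ALL"` with `tags: "NOPASSWD:"` is unrestricted root without a password and `commands` is the line to narrow for a least-privilege entry.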
10 changes: 2 additions & 8 deletions roles/debian/user_ansible/tasks/main.yml
Expand Up @@ -33,14 +33,8 @@
ansible.builtin.include_role:
name: debian/sudo_config
vars:
sudo_config:
entity_name: "{{ user_ansible.username }}"
hosts: "ALL"
operators: "(ALL)"
tags: "NOPASSWD:"
commands: "ALL"
filename: "{{ user_ansible.username }}"
when: user_ansible.sudoer
sudo_config: "{{ user_ansible.sudo_config }}"
when: user_ansible.sudo_config | length > 0

- name: Copy SSH public key to target.
ansible.posix.authorized_key:
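Review bot: The `sudoer` key is no longer read anywhere in this task, so any inventory or playbook that still sets `user_ansible.sudoer: true` now silently gets no sudo entry once the new `when: user_ansible.sudo_config | length > 0` condition sees the empty default. Failing closed is the right direction, but it should be loud: an assert before the include_role that rejects the removed key turns a silent loss of access into a clear message. `| length` will also raise if someone sets `sudo_config: null`, so `user_ansible.sudo_config | default({}) | length > 0` is safer. The include_role task begins above the hunk.
```yaml
- name: Fail if the removed user_ansible.sudoer flag is still set.
  ansible.builtin.assert:
    that:
      - user_ansible.sudoer is not defined
    fail_msg: "user_ansible.sudoer has been replaced by user_ansible.sudo_config; see roles/debian/user_ansible/defaults/main.yml."

# … unchanged: include_role debian/sudo_config …
    sudo_config: "{{ user_ansible.sudo_config }}"
  when: user_ansible.sudo_config | default({}) | length > 0
```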
9 changes: 8 additions & 1 deletion roles/debian/user_deploy/defaults/main.yml
Expand Up @@ -15,7 +15,14 @@ user_deploy:
# Local username of the deploy user.
utility_host: "localhost"
utility_username: "{{ _user_deploy_username }}"
sudoer: false
sudo_config: {}
# Example config allowing for feature branching. Uncomment to use.
# entity_name: "{{ _user_deploy_username }}"
# hosts: "ALL"
# operators: "(ALL)"
# tags: "NOPASSWD:"
# commands: "ALL"
# filename: "{{ _user_deploy_username }}"
# List of additional groups to add the user to.
groups:
- docker # add the docker group so we can do container builds
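Review bot: The example described as "allowing for feature branching" is unrestricted passwordless root (`operators: "(ALL)"`, `tags: "NOPASSWD:"`, `commands: "ALL"`) for a user that is also in the `docker` group, so the comment understates what it grants. Suggest `# Example granting full passwordless root; narrow commands to what feature-branch deploys actually need before enabling.` in place of the current wording. As the example sits under `sudo_config: {}`, the comment should also say that the `{}` must be removed when the keys are uncommented.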
9 changes: 8 additions & 1 deletion roles/debian/user_provision/defaults/main.yml
Expand Up @@ -14,7 +14,14 @@ user_provision:
# Local username of the system user.
utility_host: "localhost"
utility_username: "{{ _user_provision_username }}"
sudoer: true
# Sudo configuration for full passwordless admin privileges.
sudo_config:
entity_name: "{{ _user_provision_username }}"
hosts: "ALL"
operators: "(ALL)"
tags: "NOPASSWD:"
commands: "ALL"
filename: "{{ _user_provision_username }}"
# List of additional groups to add the user to.
groups: []
# List of SSH pub keys to authorize. These must be provided as strings (content of the pub key).
