diff --git a/ce-dev/ansible/vars/_common/user_deploy.yml b/ce-dev/ansible/vars/_common/user_deploy.yml
index bb18c1fde..0130b82cb 100644
--- a/ce-dev/ansible/vars/_common/user_deploy.yml
+++ b/ce-dev/ansible/vars/_common/user_deploy.yml
@@ -1,9 +1,16 @@
+_user_deploy_username: ce-dev
 user_deploy:
- username: ce-dev
+ username: "{{ _user_deploy_username }}"
 utility_host: "localhost"
- utility_username: ce-dev
- sudoer: false
+ utility_username: "{{ _user_deploy_username }}"
+ sudo_config:
+ entity_name: "{{ _user_deploy_username }}"
+ hosts: "ALL"
+ operators: "(ALL)"
+ tags: "NOPASSWD:"
+ commands: "ALL"
+ filename: "{{ _user_deploy_username }}"
 groups: []
 ssh_keys:
 - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCbzq9srh/W23MBCx/GmlTO3aJckDjZnCcczAAGtx3rAzGFEtvFgDaZbbHK+ya2SSazzQbfSXmwWAYABtFu6qRmZtDCBKlHhR7rI9MysiACmSX6X6fVIDbCZoVXIZIVGR0wdv52+kMArMktO9Y456jlman5whd3b7VD5LOt1xKQRLVQ7KjsxgQ/hpolSo6ZmsJuJe2xF9NMSfpQetmprTEFoCbXbVOl6XDUVqYsNF/e55A2jXBng2UNluztWQDnaP2sDODPk5uw3Fy6Znk0auYe9CmImUZX5x+BLulJIJWmsDa2+Ls3MCpF9VKPqV/UInETJ5P3ge1ieC8a1dboPL4/T9XERPXuGxeZtISNHwFZ3mGSjrbqFpMpJHZ7G41oGqBOq9dsw4eY3G0YlvMtv8Nqu2MtOQz/nGFSniES6e7Q4aHtBOoCbpJt7tDcpIDy9YfEhgQHxNtdAmt0n7GS71O0HS+15y89EzJ46139vZeuvSUkdgUxhQ5ZWhp1u3/6XyaCKt+SHKH5CbbrXQrfP/g98wm4W6kVAAjtkEXZ6rwsc71WdRLxZr17ArOpG+YVTJ67+iMEgsaEw9bi2DNDVeYl51NmNc4d873iH7d/0gsRq4ECzZwoNB0X9N6n0F5cVjQvx2802FzwHUMA2V8gS64UBuoC2OIv/r3YSkwuplzggw== controller@127.0.0.1"
- #- "{{ lookup('file', '{{ _ce_provision_data_dir }}/provision-controller/home/ce-dev/.ssh/id_rsa.pub') }}" # works locally
+ #- "{{ lookup('file', '{{ _ce_provision_data_dir }}/provision-controller/home/' + _user_deploy_username + '/.ssh/id_rsa.pub') }}" # works locally
diff --git a/ce-dev/ansible/vars/_common/user_provision.yml b/ce-dev/ansible/vars/_common/user_provision.yml
index fb9c97b97..3fdc118c4 100644
--- a/ce-dev/ansible/vars/_common/user_provision.yml
+++ b/ce-dev/ansible/vars/_common/user_provision.yml
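Review bot: The ce-dev deploy user goes from `sudoer: false` to an unrestricted passwordless grant (`commands: "ALL"` together with `tags: "NOPASSWD:"`), a privilege increase that nothing in the hunk explains and that the role's own default for user_deploy does not make (the role default in this same diff ships `sudo_config: {}` with a narrower NGINX/cron example). If ce-dev only needs the deploy workflow, a command list modelled on that example keeps the deploy user non-root; if full sudo really is required locally, a comment above `sudo_config:` saying so would stop the next reader from tightening it by accident. Note that this file also hard-codes an authorized public key for the account, which is pre-existing but now combines with a root-equivalent sudo grant.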
@@ -1,9 +1,16 @@
+_user_provision_username: ce-dev
 user_provision:
- username: ce-dev
+ username: "{{ _user_provision_username }}"
 utility_host: "localhost"
- utility_username: ce-dev
- sudoer: true
+ utility_username: "{{ _user_provision_username }}"
+ sudo_config:
+ entity_name: "{{ _user_provision_username }}"
+ hosts: "ALL"
+ operators: "(ALL)"
+ tags: "NOPASSWD:"
+ commands: "ALL"
+ filename: "{{ _user_provision_username }}"
 groups: []
 ssh_keys:
 - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCbzq9srh/W23MBCx/GmlTO3aJckDjZnCcczAAGtx3rAzGFEtvFgDaZbbHK+ya2SSazzQbfSXmwWAYABtFu6qRmZtDCBKlHhR7rI9MysiACmSX6X6fVIDbCZoVXIZIVGR0wdv52+kMArMktO9Y456jlman5whd3b7VD5LOt1xKQRLVQ7KjsxgQ/hpolSo6ZmsJuJe2xF9NMSfpQetmprTEFoCbXbVOl6XDUVqYsNF/e55A2jXBng2UNluztWQDnaP2sDODPk5uw3Fy6Znk0auYe9CmImUZX5x+BLulJIJWmsDa2+Ls3MCpF9VKPqV/UInETJ5P3ge1ieC8a1dboPL4/T9XERPXuGxeZtISNHwFZ3mGSjrbqFpMpJHZ7G41oGqBOq9dsw4eY3G0YlvMtv8Nqu2MtOQz/nGFSniES6e7Q4aHtBOoCbpJt7tDcpIDy9YfEhgQHxNtdAmt0n7GS71O0HS+15y89EzJ46139vZeuvSUkdgUxhQ5ZWhp1u3/6XyaCKt+SHKH5CbbrXQrfP/g98wm4W6kVAAjtkEXZ6rwsc71WdRLxZr17ArOpG+YVTJ67+iMEgsaEw9bi2DNDVeYl51NmNc4d873iH7d/0gsRq4ECzZwoNB0X9N6n0F5cVjQvx2802FzwHUMA2V8gS64UBuoC2OIv/r3YSkwuplzggw== controller@127.0.0.1"
- #- "{{ lookup('file', '{{ _ce_provision_data_dir }}/provision-controller/home/ce-dev/.ssh/id_rsa.pub') }}" # works locally
+ #- "{{ lookup('file', '{{ _ce_provision_data_dir }}/provision-controller/home/' + _user_provision_username + '/.ssh/id_rsa.pub') }}" # works locally
diff --git a/install.sh b/install.sh
index 8ecf56643..eddc31133 100755
--- a/install.sh
+++ b/install.sh
@@ -235,7 +235,13 @@ user_provision:
 update_password: always
 utility_username: "${CONTROLLER_USER}"
 utility_host: localhost
- sudoer: true
+ sudo_config:
+ entity_name: "${CONTROLLER_USER}"
+ hosts: "ALL"
+ operators: "(ALL)"
+ tags: "NOPASSWD:"
+ commands: "ALL"
+ filename: "${CONTROLLER_USER}"
 groups:
 - bypass2fa
 ssh_keys:
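Review bot: `filename: "${CONTROLLER_USER}"` in the install.sh hunk is used as the name of the drop-in under sudoers.d, and sudo skips files there whose name contains a `.` or ends in `~`, so a controller username such as `first.last` (constructed example) would leave the provision user with no sudo at all while the play reports success. Unless the debian/sudo_config role already sanitises the name, derive it here with something like `filename: "${CONTROLLER_USER//./_}"`; the same caveat applies to the Jinja-derived `filename:` values in the vars and defaults files of this diff. The YAML is presumably emitted from a heredoc whose start and end lie outside the hunk, so I cannot see whether CONTROLLER_USER is validated earlier in the script.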
diff --git a/roles/debian/user_ansible/defaults/main.yml b/roles/debian/user_ansible/defaults/main.yml
index acebeab30..7f42053a6 100644
--- a/roles/debian/user_ansible/defaults/main.yml
+++ b/roles/debian/user_ansible/defaults/main.yml
@@ -14,7 +14,14 @@ user_ansible:
 # Local username of the deploy user.
 utility_host: "localhost"
 utility_username: "{{ _user_ansible_username }}"
- sudoer: false
+ sudo_config: {} # an empty dictionary will skip creating a sudo config
+ # Example sudo config allowing full sudo permissions - see the debian/sudo_config role for more details.
+ # entity_name: "{{ _user_ansible_username }}"
+ # hosts: "ALL"
+ # operators: "(ALL)"
+ # tags: "NOPASSWD:"
+ # commands: "ALL"
+ # filename: "{{ _user_ansible_username }}"
 # List of additional groups to add the user to.
 groups: []
 # List of SSH pub keys to authorize. These must be provided as strings (content of the pub key).
diff --git a/roles/debian/user_ansible/tasks/main.yml b/roles/debian/user_ansible/tasks/main.yml
index e8b27767b..454906b3e 100644
--- a/roles/debian/user_ansible/tasks/main.yml
+++ b/roles/debian/user_ansible/tasks/main.yml
@@ -33,14 +33,8 @@
 ansible.builtin.include_role:
 name: debian/sudo_config
 vars:
- sudo_config:
- entity_name: "{{ user_ansible.username }}"
- hosts: "ALL"
- operators: "(ALL)"
- tags: "NOPASSWD:"
- commands: "ALL"
- filename: "{{ user_ansible.username }}"
- when: user_ansible.sudoer
+ sudo_config: "{{ user_ansible.sudo_config }}"
+ when: user_ansible.sudo_config | length > 0
 
 - name: Copy SSH public key to target.
 ansible.posix.authorized_key:
diff --git a/roles/debian/user_deploy/defaults/main.yml b/roles/debian/user_deploy/defaults/main.yml
index 1d83a8cd7..31934a720 100644
--- a/roles/debian/user_deploy/defaults/main.yml
+++ b/roles/debian/user_deploy/defaults/main.yml
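Review bot: `when: user_ansible.sudo_config | length > 0` in the tasks hunk errors out on any inventory that still defines `user_ansible` with the removed `sudoer` key, because overriding the dict replaces the role default wholesale and `sudo_config` is then undefined; a caller who sets `sudo_config:` to a bare null hits the same failure inside `length`. Guard it as `when: user_ansible.sudo_config | default({}, true) | length > 0`, and since an old `sudoer: true` would otherwise turn into "no sudo" with no message, add an `ansible.builtin.assert` earlier in the role that rejects `user_ansible.sudoer is defined` so loss of admin access is reported at play time rather than discovered at the next login. The user_deploy and user_provision task files are not in this diff; presumably they need the same treatment.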
@@ -15,7 +15,15 @@ user_deploy:
 # Local username of the deploy user.
 utility_host: "localhost"
 utility_username: "{{ _user_deploy_username }}"
- sudoer: false
+ sudo_config: {}
+ # Example config allowing for feature branching. Allows manipulation of NGINX vhosts and cron.d files.
+ # Uncomment to use.
+ # entity_name: "{{ _user_deploy_username }}"
+ # hosts: "ALL"
+ # operators: "(ALL)"
+ # tags: "NOPASSWD:"
+ # commands: "/usr/bin/systemctl reload nginx, /usr/bin/systemctl restart nginx, /usr/sbin/nginx -t, sudoedit /etc/nginx/sites-available, sudoedit /etc/nginx/sites-enabled, sudoedit /etc/cron.d"
+ # filename: "{{ _user_deploy_username }}"
 # List of additional groups to add the user to.
 groups:
 - docker # add the docker group so we can do container builds
diff --git a/roles/debian/user_provision/defaults/main.yml b/roles/debian/user_provision/defaults/main.yml
index f10896c32..3bd885e27 100644
--- a/roles/debian/user_provision/defaults/main.yml
+++ b/roles/debian/user_provision/defaults/main.yml
@@ -14,7 +14,14 @@ user_provision:
 # Local username of the system user.
 utility_host: "localhost"
 utility_username: "{{ _user_provision_username }}"
- sudoer: true
+ # Sudo configuration for full passwordless admin privileges.
+ sudo_config:
+ entity_name: "{{ _user_provision_username }}"
+ hosts: "ALL"
+ operators: "(ALL)"
+ tags: "NOPASSWD:"
+ commands: "ALL"
+ filename: "{{ _user_provision_username }}"
 # List of additional groups to add the user to.
 groups: []
 # List of SSH pub keys to authorize. These must be provided as strings (content of the pub key).
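Review bot: The commented example in the user_deploy defaults hunk lists `sudoedit /etc/cron.d`, `sudoedit /etc/nginx/sites-available` and `sudoedit /etc/nginx/sites-enabled` as command specs, but sudoers matches command arguments exactly, so as written these permit editing the directory paths themselves rather than the files inside them, and anyone uncommenting it for the described feature-branch workflow will find it does not do what the comment promises. If per-file editing is the intent the entries need a path pattern, and the comment should then state plainly that write access to cron.d (and to vhost files consumed by a root-run service) runs as root, so this example is a convenience configuration rather than a least-privilege one and should not be read as a meaningful reduction from `ALL`. A one-line pointer to the debian/sudo_config role, as the user_ansible defaults already have, would also help here.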