ssh-config role / docs / updated user config

README.md

@@ -1 +1,57 @@
+# Users
+Ansible role to create/configure users on Linux/FreeBSD 
+
+## Variables
+| user_groups | 
+| ---         | 
+| name        | name of the group                             |
+| gid         | group ID                                      |   
+| state       | whether the group shoud be created or removed |
+| users       |
+
+## Default variables
+The default shells depending on the OS are:
+
+- Linux: `/bin/bash`
+- FreeBSD: `/bin/cshrc`
+
+This is defined in the `defaults` section of the **users roles**
+
+
+## Example Playbook
+
+```
+user_groups:
+  - name: mygroup
+    gid: 700
+    
+
+users:
+  - name: remember
+    state: present
+    password: "blabla"
+    groups:
+      - mygroup
+    uid: 1100
+    keys:
+      - file: key1
+        state: present
+    shell_lines:
+      - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh"
+        state: present
+      - line: "alias ls='ls lah'"
+        state: present
+  - name: test
+    keys:
+      - file: key2
+        state: absent
+    shell_lines:
+      - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh"
+        state: absent
+```
+## Using the Role
+### Adding user
+
+### Configure users' shell
+
 https://github.com/stationgroup/ansible-experiments/issues/9

ansible.cfg

@@ -6,7 +6,8 @@ retry_files_save_path = /tmp/
 inventory=./hosts
 host_key_checking=False
 gathering = smart
-#stdout_callback=skippy
+#stdout_callback=unixy
+stdout_callback=debug
 
 [privilege_escalation]
 become=True

group_vars/all

@@ -0,0 +1,38 @@
+---
+user_groups:
+  - name: mygroup
+    gid: 700
+  - name: mysecondgroup
+    gid: 702
+    state: absent
+    
+
+users:
+  - name: remember
+    state: present
+    password: "blabla"
+    groups:
+      - mygroup
+    uid: 1100
+    keys:
+      - file: key1
+        state: present
+    shell_lines:
+      - line: "testline"
+        state: present
+      - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh"
+        state: present
+      - line: "alias ls='ls lah'"
+        state: present
+    ssh_config:
+      - ServerAliveInterval: 10
+  - name: test
+    keys:
+      - file: key2
+        state: absent
+    shell_lines:
+      - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh"
+        state: present
+#    ssh_config:
+#      - host: "{{ ansible_hostname }}"
+#        hostname: "{{ ansible_hostname }}"

hosts

@@ -1 +1,2 @@
-10.106.116.157
+10.106.116.157 ssh_short_name=host1
+10.106.116.139 ssh_short_name=host2

roles/ssh-config/tasks/main.yml

@@ -0,0 +1,44 @@
+---
+- name: Check if user has ~/.ssh/config
+  stat:
+    path: "/home/{{ item.name }}/.ssh/config"
+  with_items: "{{ users }}"
+  register: sshconfig
+
+
+- name: Create ~/.ssh/config when absent
+  file:
+    path: "/home/{{ item.item.name }}/.ssh/config"
+    owner: "{{ item.item.name }}"
+    group: "{{ item.item.name }}"
+    mode: 0600
+    state: touch
+  when: item.stat.exists == False
+  with_items:
+    - "{{ sshconfig.results }}"
+  no_log: True
+
+
+- name: Configure ~/.ssh/config
+  blockinfile:
+    path: "/home/{{ item.0.name  }}/.ssh/config"
+    owner: "{{ item.0.name }}"
+    group: "{{ item.0.name }}"
+    mode: 0600
+    marker: "# {mark} ANSIBLE MANAGED BLOCK"
+    content: |
+      {% for host in groups['all'] -%} 
+      Host {{ hostvars[host]['ssh_short_name'] }}
+          Hostname {{ hostvars[host]['inventory_hostname'] }}
+          RemoteForward /home/{{ item.0.name }}/.gnupg/S.gpg-agent $HOME/.gnupg/S.gpg-agent
+          RemoteForward /home/{{ item.0.name }}/.gnupg/S.gpg-agent.ssh $HOME/.gnupg/S.gpg-agent.ssh
+      {% for k,v  in item.1.items() %}
+      {% if k|lower != "host" and k|lower != "hostname" %}
+          {{k}} {{v}}
+      {% endif %}
+      {% endfor %}
+      {% endfor %}
+  with_subelements:
+    - "{{ users }}"
+    - ssh_config
+    - skip_missing: true

roles/users/tasks/ssh_config.yml

@@ -2,37 +2,56 @@
   file:
     path: "/home/{{item.name}}/.ssh"
     state: directory
-    mode: 0600
+    mode: 0700
+    owner: "{{ item.name }}"
+    group: "{{ item.name }}"
   with_items:
     - "{{ users }}"
 
-- name: Check if user has ~/.ssh/config
-  stat:
-    path: "/home/{{ item.name }}/.ssh/config"
-  with_items: "{{ users }}"
-  register: sshconfig
 
-#- name: debug items
+- name: Configure authorized_keys
-#  debug:
+  authorized_key:
-#    msg: "{{ item.item.name }} {{item.stat}}"
+    user: "{{ item.0.name }}"
+    key: "{{ lookup('file', 'keys/' + item.0.name + '/' + item.1.file + '.pub') }}"
+    state: "{{ item.1.state | default('present') }}"
+  with_subelements:
+    - "{{ users }}"
+    -  keys
+
+
+#- name: Check if user has ~/.ssh/config
+#  stat:
+#    path: "/home/{{ item.name }}/.ssh/config"
+#  with_items: "{{ users }}"
+#  register: sshconfig
+#
+#
+#- name: Create ~/.ssh/config when absent
+#  file:
+#    path: "/home/{{ item.item.name }}/.ssh/config"
+#    owner: "{{ item.item.name }}"
+#    group: "{{ item.item.name }}"
+#    mode: 0600
+#    state: touch
+#  when: item.stat.exists == False
 #  with_items:
 #    - "{{ sshconfig.results }}"
+#  no_log: True
+#
+#- name: Configure ~/.ssh/config
+#  blockinfile:
+#    path: "/home/{{ item.name  }}/.ssh/config"
+#    owner: "{{ item.name }}"
+#    group: "{{ item.name }}"
+#    mode: 0600
+#    marker: "# {mark} ANSIBLE MANAGED BLOCK"
+#    content: |
+#        host {{ ansible_hostname }}
+#          hostname {{ ansible_hostname }}
+#          User {{ item.name }}
+#          RemoteForward /home/{{ item.name }}/.gnupg/S.gpg-agent $HOME/.gnupg/S.gpg-agent
+#          RemoteForward /home/{{ item.name }}/.gnupg/S.gpg-agent.ssh $HOME/.gnupg/S.gpg-agent.ssh
+#          ServerAliveInterval 10
+#  with_items:
+#    - "{{ users }}"
 
-- name: Create ~/.ssh/config when absent
-  file:
-    path: "/home/{{ item.item.name }}/.ssh/config"
-    owner: "{{ item.item.name }}"
-    mode: 0600
-    state: touch
-  when: item.stat.exists == False
-  with_items:
-    - "{{ sshconfig.results }}"
-  no_log: True
-
-- name: Configure ~/.ssh/config
-  template:
-    src: ssh.config.j2 
-    dest: "/home/{{ item.name }}/.ssh/config"
-    owner: "{{ item.name }}"
-  with_items:
-    - "{{ users }}"

roles/users/tasks/users.yml

@@ -3,83 +3,41 @@
   group:
     name: "{{ item.name }}"
     gid: "{{ item.gid | default(omit) }}"
-    state: present
+    state: "{{ item.state | default('present') }}"
   with_items: "{{ user_groups }}"
 
+
 - name: Ensure users exist
   user:
     name: "{{ item.name }}"
-    id: "{{ item.id | default(omit) }}"
+    state: "{{ item.state | default('present') }}"
+    password: "{{ item.password | default(omit) }}"
     groups: "{{ item.groups | default(omit) }}"
+    uid: "{{ item.uid | default(omit) }}"
     shell: "{{ item.shell | default(default_shell) }}"
-    state: present
+    append: yes
-  no_log: True
+    #no_log: True
   with_items: "{{ users }}"
 
-- name: Configure authorized_keys
-  authorized_key:
-    user: "{{ item.0.name }}"
-    key: "{{ lookup('file', 'keys/' + item.0.name + '/' + item.1.file + '.pub') }}"
-    state: "{{ item.1.state | default(present) }}"
-  with_subelements:
-    - "{{ users }}"
-    -  keys
-
-#- name: debug
-#  debug:
-#    msg: "{{ item.0 }} - {{ item.1 }}"
-#  with_nested:
-#    - "{{ users }}"
-#    - "{{ users | map(attribute='shell_lines') | list }}"
-#  when: ansible_os_family == 'Debian' and item.1 is defined
-
-- name: check vars
-  debug:
-    msg: "{{ item.0.name }} --- {{ item.1 }}"
-  with_subelements:
-    - "{{ users }}"
-    - shell_lines
-    - skip_missing: true
-  when: ansible_os_family == 'Debian'
-
-- name: Add Ansible comment in bashrc
-  lineinfile:
-    path: "/home/{{ item.name }}/.bashrc"
-    line: "## Ansible managed below this line ###########"
-    insertafter: EOF
-    state: present
-  with_items:
-    - "{{ users }}"
-  when: ansible_os_family == 'Debian'
 
 - name: Configure bashrc
   lineinfile:
     path: "/home/{{ item.0.name }}/.bashrc"
     line: "{{ item.1.line }}"
-    insertafter: "^## Ansible managed below this line"
+    state: "{{ item.1.state | default('present') }}"
-    state: "{{ item.1.state }}"
+    backup: yes
   with_subelements:
     - "{{ users }}"
     - shell_lines
     - skip_missing: true
   when: ansible_os_family == 'Debian'
-  
+
-- name: Add Ansible comment in cshrc
-  lineinfile:
-    path: "/home/{{ item.0.name }}/.bashrc"
-    line: "## Ansible managed blow this line ###########"
-    insertafter: EOF
-    state: present
-  with_items:
-    - "{{ users }}"
-  when: ansible_os_family == 'FreeBSD'
 
 - name: Configure cshrc
   lineinfile:
     path: "/home/{{ item.0.name }}/.cshrc"
     line: "{{ item.1.line }}"
-    insertafter: EOF
+    state: "{{ item.1.state | default('present')}}"
-    state: "{{ item.1.state }}"
   with_subelements:
     - "{{ users }}"
     - shell_lines

roles/users/templates/ssh.config.j2

@@ -1,6 +0,0 @@
-host blabla
-  hostname {{ ansible_hostname }}
-  User {{ item.name }}
-  RemoteForward /home/{{ item.name }}/.gnupg/S.gpg-agent $HOME/.gnupg/S.gpg-agent
-  RemoteForward /home/{{ item.name }}/.gnupg/S.gpg-agent.ssh $HOME/.gnupg/S.gpg-agent.ssh
-  ServerAliveInterval 10

roles/users/vars/main.yml

@@ -1,21 +1,33 @@
----
+#---
-user_groups:
+#user_groups:
-  - name: remember 
+#  - name: mygroup
-
+#    gid: 700
-users:
+#  - name: mysecondgroup
-  - name: remember
+#    gid: 702
-    keys:
+#    state: absent
-      - file: key1
+#    
-        state: present
+#
-    shell_lines:
+#users:
-      - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh"
+#  - name: remember
-        state: present
+#    state: present
-      - line: "line2"
+#    password: "blabla"
-        state: absent
+#    groups:
-  - name: test
+#      - mygroup
-    keys:
+#    uid: 1100
-      - file: key2
+#    keys:
-        state: absent
+#      - file: key1
-        #    shell_lines:
+#        state: present
-        #      - "line1"
+#    shell_lines:
-        #      - "line2"
+#      - line: "testline"
+#        state: present
+#      - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh"
+#        state: present
+#      - line: "alias ls='ls lah'"
+#        state: present
+#  - name: test
+#    keys:
+#      - file: key2
+#        state: absent
+#    shell_lines:
+#      - line: "export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh"
+#        state: present

site.yaml

@@ -4,4 +4,5 @@
   remote_user: root
   roles:
     - users
+    - ssh-config