From 411f71a7ffd6b23abf8e851e59b5bb287c4d3ab9 Mon Sep 17 00:00:00 2001
From: Thomas von Dein
Date: Mon, 9 Dec 2024 19:03:48 +0100
Subject: [PATCH] add group role, rename default group
---
group_vars/all/all.yaml | 10 +-
roles/pubnix/bin/group.sh | 66 ++++++++++++++++++
roles/pubnix/tasks/main.yaml | 16 ++---
roles/user/bin/user.sh | 128 ----------------------------------
roles/user/files/keys/tom | 1 -
roles/user/tasks/main.yaml | 19 ------
6 files changed, 80 insertions(+), 160 deletions(-)
create mode 100755 roles/pubnix/bin/group.sh
delete mode 100755 roles/user/bin/user.sh
delete mode 100644 roles/user/files/keys/tom
delete mode 100644 roles/user/tasks/main.yaml
diff --git a/group_vars/all/all.yaml b/group_vars/all/all.yaml
index 0936d3e..4ff9832 100644
--- a/group_vars/all/all.yaml
+++ b/group_vars/all/all.yaml
@@ -29,7 +29,6 @@ jails:
 pkgs:
 - bash
 - zsh
- - tcsh
 - fish
 - vim
 - emacs-nox
@@ -53,13 +52,16 @@ jails:
 - rust
 defaults:
- group: bsdnix
+ group: bsdnixer
 jailbase: /usr/local/bastille/jails
-users:
+jailgroups:
+ - name: bsdnixer
+ state: present
+
+jailusers:
 - name: scip
 state: present
- groups: wheel,bsdnix
 - name: tom
 state: present
diff --git a/roles/pubnix/bin/group.sh b/roles/pubnix/bin/group.sh
new file mode 100755
index 0000000..a88903d
--- /dev/null
+++ b/roles/pubnix/bin/group.sh
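Review bot: Renaming `defaults.group` to `bsdnixer` only affects what future runs create; jails that were provisioned under the old name keep a `bsdnix` group, and accounts that were added with `-G bsdnix` stay in it, because nothing in this commit removes the old group. Adding a `- name: bsdnix` / `state: absent` entry to `jailgroups` would let the new group script clean it up on the next run. Dropping `groups: wheel,bsdnix` from `scip` also takes that account out of `wheel`; if that is intended it deserves a one-line comment, and if not, note that the user task now falls back to `defaults.group` only. Whether existing users get their membership updated depends on the user script, which is not part of this diff.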
@@ -0,0 +1,66 @@
+#!/bin/sh
+
+rootdir=""
+group=""
+action=""
+
+usage() {
+ echo "Usage: $0 -g group -a action"
+ echo "Valid actions: present, absent"
+ exit 1
+}
+
+run() {
+ echo $*
+ $*
+}
+
+OPTIND=1
+while getopts d:g:a: opt ; do
+ case $opt in
+ d)
+ rootdir="$OPTARG"
+ ;;
+ g)
+ group="$OPTARG"
+ ;;
+ a)
+ action="$OPTARG"
+ ;;
+ *)
+ usage
+ ;;
+ esac
+done
+
+shift $(($OPTIND - 1))
+
+if test -z "$group" -o -z "$action"; then
+ usage
+fi
+
+root=""
+
+if test -n "$rootdir"; then
+ root="-R $rootdir"
+fi
+
+case "$action" in
+ present)
+ if pw $root group show "$group" > /dev/null 2>&1; then
+ if pw $root group show "$group" | grep -q LOCKED; then
+ echo "$group exists."
+ fi
+ else
+ run pw $root group add "$group"
+ fi
+ ;;
+ absent)
+ if pw $root group show "$group" > /dev/null 2>&1; then
+ run pw $root group del "$group"
+ fi
+ ;;
+ *)
+ usage
+ ;;
+esac
diff --git a/roles/pubnix/tasks/main.yaml b/roles/pubnix/tasks/main.yaml
index 4e784b6..7d68740 100644
--- a/roles/pubnix/tasks/main.yaml
+++ b/roles/pubnix/tasks/main.yaml
@@ -65,17 +65,17 @@
 # args:
 # creates: /usr/local/bastille/jails/{{ role_name }}/root/etc/skel
+# these will later be used by bin/user.sh (see below) to be installed
+# into the user homes
 - name: copy user ssh keys
 copy:
 src: keys
 dest: "/usr/local/bastille/"
-
-- name: create user group
- shell: |
- pw -R {{ defaults.jailbase }}/{{ role_name }}/root group show {{ defaults.group }} ||\
- pw -R {{ defaults.jailbase }}/{{ role_name }}/root group add {{ defaults.group }}
-
+# create our own group[s]
+- name: Manage groups
+ loop: "{{ jailgroups }}"
+ ansible.builtin.script: "bin/group.sh -g {{ item.name }} -a {{ item.state }} -d /usr/local/bastille/jails/pubnix/root"
 # The normal ansible user module can't be used here, because we're
 # talking about jail users here. I tried to patch the module to
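Review bot: `run()` expands its arguments with unquoted `$*`, so the group name and the `-R` root path are word-split and glob-expanded a second time before `pw` sees them; the values come from the inventory, so the exposure is small, but `run() { echo "$@"; "$@"; }` is the safe form at no cost. In the `present` branch the `grep -q LOCKED` test appears to be copied from the user script: pw(8) has no lock state for groups, so the `"$group exists."` message looks unreachable and the inner `if` can be dropped in favour of a plain `echo` in that branch. `-d rootdir` is accepted by `getopts` but not shown by `usage()`; `echo "Usage: $0 [-d rootdir] -g group -a action"` documents it. A comment at `root=""` along the lines of `# without -d, pw edits the host's own group database, not a jail's` would make the consequence of omitting the option visible to the next caller.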
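Review bot: The new `Manage groups` task hard-codes `-d /usr/local/bastille/jails/pubnix/root`, while the task it replaces and the `Manage users` task below derive the root from the variables; if `defaults.jailbase` or the role name ever changes, groups and users would be created in different roots, so the line should read `ansible.builtin.script: "bin/group.sh -g {{ item.name }} -a {{ item.state }} -d {{ defaults.jailbase }}/{{ role_name }}/root"`. As a style point, `ansible.builtin.script` reports changed on every run; a `register` plus a `changed_when` keyed on the script's output (group.sh only echoes a command when it adds or deletes) would keep the play honest. The commit deletes `roles/user/files/keys/tom` without adding a key under `roles/pubnix/files/`, so unless a copy already exists there the `copy: src: keys` task above will no longer ship that key — worth confirming. The `Manage users` task that consumes these groups lies outside this hunk.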
@@ -86,6 +86,6 @@
 # So, instead I'm just using this simple script, which does the job as
 # well.
 - name: Manage users
- loop: "{{ users }}"
+ loop: "{{ jailusers }}"
 ansible.builtin.script: "bin/user.sh -u {{ item.name }} -g '{{ item.groups | default(defaults.group) }}' -c {{ role_name }}-user -a {{ item.state }} -d {{ defaults.jailbase }}/{{ role_name }}/root"
-
+
diff --git a/roles/user/bin/user.sh b/roles/user/bin/user.sh
deleted file mode 100755
index b5e0f92..0000000
--- a/roles/user/bin/user.sh
+++ /dev/null
@@ -1,128 +0,0 @@ -#!/bin/sh - -rootdir="" -user="" -groups="" -home="" -shell="/usr/local/bin/bash" -comment="" -action="" - -usage() { - echo "Usage: $0 -u user [-h home] [-s shell] [-g groups] [-d rootdir] [-c comment] -a action" - echo "Valid actions: present, absent, locked" - exit 1 -} - -getuid() { - local root="$1" - local user="$2" - pw $root show user "$user" -7 | cut -d: -f 3 -} - -run() { - echo $* - $* -} - -OPTIND=1 -while getopts d:u:h:g:s:c:a: opt ; do - case $opt in - d) - rootdir="$OPTARG" - ;; - u) - user="$OPTARG" - ;; - h) - home="$OPTARG" - ;; - g) - groups="$OPTARG" - ;; - s) - shell="$OPTARG" - ;; - c) - comment="$OPTARG" - ;; - a) - action="$OPTARG" - ;; - *) - usage - ;; - esac -done - -shift $(($OPTIND - 1)) - -if test -z "$user" -o -z "$action"; then - usage -fi - -args="" -root="" - -if test -n "$rootdir"; then - root="-R $rootdir" -fi - -if test -n "$groups"; then - args="-G $groups" -fi - -if test -n "$home"; then - args="$args -d $home -k /etc/skel -m -M 700" -else - args="$args -d /home/$user -k /etc/skel -m -M 700" -fi - -if test -n "$shell"; then - args="$args -s $shell" -else - args="$args -s /usr/local/bin/bash" -fi - -if test -n "$comment"; then - args="$args -c $comment" -fi - -case "$action" in - present) - set -x - if pw $root user show "$user" > /dev/null 2>&1; then - if pw $root user show "$user" | grep -q LOCKED; then - run pw unlock "$user" - else - echo "$user exists." - fi - else - run pw $root user add "$user" $args - fi - - if test -e "/usr/local/bastille/keys/$user" -a ! 
-e "/home/$user/.ssh/authorized_keys"; then - uid=$(getuid "$root" "$user") - install -m 700 -o "$uid" -g "$uid" -d "/home/$user/.ssh" - install -m 600 -o "$uid" -g "$uid" "/usr/local/bastille/keys/$user" "/home/$user/.ssh/authorized_keys" - fi - set +x - ;; - absent) - if pw $root user show "$user" > /dev/null 2>&1; then - run pw $root user del "$user" - fi - ;; - locked) - if pw $root user show "$user" > /dev/null 2>&1; then - if pw $root user show "$user" | grep -q LOCKED; then - echo "$user is already locked." - else - run pw lock "$user" - fi - fi - ;; - *) - usage - ;; -esac diff --git a/roles/user/files/keys/tom b/roles/user/files/keys/tom deleted file mode 100644 index 5b87e0e..0000000 --- a/roles/user/files/keys/tom +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCfY4Oxp6LnFvdAOhs2hcFmQ31VyMPQmg4/6eU0LaNioroK8iniGdfM1zw48uTKApD2z5iI8SCOae7VZaab9rWwz+BExpFRYMR013quWY89gie6HK7wa2lrKt4wuKsl26HwcWOwo1dCnxKRbVqSRWUCAm4D7iArUl7+9y/VqQIZWIVPyfiqRGPZ68wCMm/VvkZggE2No2XINbVd+Ts1ddOudRpeg2BHiYZ48JWLWlnMNiJAgVQEFaBemdj9OBt9ey81/iWGbGoPeUW113SuOgNL+YLwo2pcgeMHcwC+B184LcMdt1r2O4jsW7OemLfrazq2p3VfSdzOduVDQvdGsnqpFArHgM+kPFt4YIdn772lrlMkxSgK2mbCbSzNZoomdCyuwKUt6dA3b1PZF8L6uMJK7DOVGcmrjk9UUW/goZhg6Xw0tBxYYQlhVNyRTZNwUtqC8CTJ1/xUSEqzbRO2jOxWTJFrLFJPMr0FSrwFqfFN/1DMFa4Pqb+w5OTyfKS0usikpvFoE3Ct/MQkgb1YdFseui2ARpo7SgFD/t7plYb3FLJpP49gIgK3dg8g/uiFLwwbGE13hUrzagAKChmhgfbY/yhrc+ES3OZJExleXUhYD4CCTiYjghNoYcmW2+X6c1VbOULDCrDfCRErFBW2lPVsoRebd8B30SC8YeaHzmWFdQ== scip@tripod diff --git a/roles/user/tasks/main.yaml b/roles/user/tasks/main.yaml deleted file mode 100644 index 40ba4a9..0000000 --- a/roles/user/tasks/main.yaml +++ /dev/null 
@@ -1,19 +0,0 @@
----
-
-- name: copy user ssh keys
- copy:
- src: keys
- dest: "/usr/local/bastille/"
-
-# The normal ansible user module can't be used here, because we're
-# talking about jail users here. I tried to patch the module to
-# support the -R flag (https://github.com/ansible/ansible/pull/84371)
-# but it makes no sense. Every single function needs to be patched so
-# that it works for jails.
-#
-# So, instead I'm just using this simple script, which does the job as
-# well.
-- name: Manage users
- loop: "{{ users }}"
- ansible.builtin.script: "bin/user.sh -u {{ item.name }} -g '{{ item.groups }}' -c {{ role_name }}-user -a {{ item.state }} -d /usr/local/bastille/jails/pubnix/root"
-