add group role, rename default group

This commit is contained in:
Thomas von Dein 2024-12-09 19:03:48 +01:00
parent f92f2f2fad
commit 411f71a7ff
6 changed files with 80 additions and 160 deletions


@ -29,7 +29,6 @@ jails:
pkgs: pkgs:
- bash - bash
- zsh - zsh
- tcsh
- fish - fish
- vim - vim
- emacs-nox - emacs-nox
@ -53,13 +52,16 @@ jails:
- rust - rust
defaults: defaults:
group: bsdnix group: bsdnixer
jailbase: /usr/local/bastille/jails jailbase: /usr/local/bastille/jails
users: jailgroups:
- name: bsdnixer
state: present
jailusers:
- name: scip - name: scip
state: present state: present
groups: wheel,bsdnix
- name: tom - name: tom
state: present state: present
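Review bot: The new `jailgroups` list and `defaults.group` now carry the same name (`bsdnixer`) as two independent values, and nothing in this file says they have to agree; users whose entry has no `groups` key fall back to `defaults.group`, so if someone renames one without the other the user creation would presumably fail against a missing group. I would add a comment above `group: bsdnixer` such as `# default supplementary group for jail users; must also appear in jailgroups below so it is created first`. The removal of `groups: wheel,bsdnix` for `scip` means that account no longer gets `wheel`; if that is intended, a one-line comment on the entry would stop a later reader from restoring it by accident.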

66
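--- /dev/null
+++ b/roles/pubnix/bin/group.sh
@@ -0,0 +1,66 @@
+#!/bin/sh
+rootdir=""
+group=""
+action=""
+usage() {
+echo "Usage: $0 -g group -a action"
+echo "Valid actions: present, absent"
+exit 1
+}
+run() {
+echo $*
+$*
+}
+OPTIND=1
+while getopts d:g:a: opt ; do
+case $opt in
+d)
+rootdir="$OPTARG"
+;;
+g)
+group="$OPTARG"
+;;
+a)
+action="$OPTARG"
+;;
+*)
+usage
+;;
+esac
+done
+shift $(($OPTIND - 1))
+if test -z "$group" -o -z "$action"; then
+usage
+fi
+root=""
+if test -n "$rootdir"; then
+root="-R $rootdir"
+fi
+case "$action" in
+present)
+if pw $root group show "$group" > /dev/null 2>&1; then
+if pw $root group show "$group" | grep -q LOCKED; then
+echo "$group exists."
+fi
+else
+run pw $root group add "$group"
+fi
+;;
+absent)
+if pw $root group show "$group" > /dev/null 2>&1; then
+run pw $root group del "$group"
+fi
+;;
+*)
+usage
+;;
+esac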
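Review bot: The `grep -q LOCKED` test inside the `present)` branch looks like a leftover from the user script this was copied from; groups have no lock state and `pw group show` prints a group(5)-style line, so as far as I can tell that inner `if` never matches and an already-existing group is accepted silently with no message. Collapse it to `if pw $root group show "$group" > /dev/null 2>&1; then` / `echo "$group exists."` / `else`. The usage text also omits the `-d rootdir` option that `getopts d:g:a:` accepts, and since `-d` decides whether `pw` edits the jail or the host, it is worth documenting: `echo "Usage: $0 -g group [-d rootdir] -a action"`. Finally, `run()` expands `$*` unquoted, which will re-split a `rootdir` containing whitespace; `"$@"` preserves the arguments as passed.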


@ -65,17 +65,17 @@
# args: # args:
# creates: /usr/local/bastille/jails/{{ role_name }}/root/etc/skel # creates: /usr/local/bastille/jails/{{ role_name }}/root/etc/skel
# these will later be used by bin/user.sh (see below) to be installed
# into the user homes
- name: copy user ssh keys - name: copy user ssh keys
copy: copy:
src: keys src: keys
dest: "/usr/local/bastille/" dest: "/usr/local/bastille/"
# create our own group[s]
- name: create user group - name: Manage groups
shell: | loop: "{{ jailgroups }}"
pw -R {{ defaults.jailbase }}/{{ role_name }}/root group show {{ defaults.group }} ||\ ansible.builtin.script: "bin/group.sh -g {{ item.name }} -a {{ item.state }} -d /usr/local/bastille/jails/pubnix/root"
pw -R {{ defaults.jailbase }}/{{ role_name }}/root group add {{ defaults.group }}
# The normal ansible user module can't be used here, because we're # The normal ansible user module can't be used here, because we're
# talking about jail users here. I tried to patch the module to # talking about jail users here. I tried to patch the module to
@ -86,6 +86,6 @@
# So, instead I'm just using this simple script, which does the job as # So, instead I'm just using this simple script, which does the job as
# well. # well.
- name: Manage users - name: Manage users
loop: "{{ users }}" loop: "{{ jailusers }}"
ansible.builtin.script: "bin/user.sh -u {{ item.name }} -g '{{ item.groups | default(defaults.group) }}' -c {{ role_name }}-user -a {{ item.state }} -d {{ defaults.jailbase }}/{{ role_name }}/root" ansible.builtin.script: "bin/user.sh -u {{ item.name }} -g '{{ item.groups | default(defaults.group) }}' -c {{ role_name }}-user -a {{ item.state }} -d {{ defaults.jailbase }}/{{ role_name }}/root"


@ -1,128 +0,0 @@
#!/bin/sh
rootdir=""
user=""
groups=""
home=""
shell="/usr/local/bin/bash"
comment=""
action=""
usage() {
echo "Usage: $0 -u user [-h home] [-s shell] [-g groups] [-d rootdir] [-c comment] -a action"
echo "Valid actions: present, absent, locked"
exit 1
}
getuid() {
local root="$1"
local user="$2"
pw $root show user "$user" -7 | cut -d: -f 3
}
run() {
echo $*
$*
}
OPTIND=1
while getopts d:u:h:g:s:c:a: opt ; do
case $opt in
d)
rootdir="$OPTARG"
;;
u)
user="$OPTARG"
;;
h)
home="$OPTARG"
;;
g)
groups="$OPTARG"
;;
s)
shell="$OPTARG"
;;
c)
comment="$OPTARG"
;;
a)
action="$OPTARG"
;;
*)
usage
;;
esac
done
shift $(($OPTIND - 1))
if test -z "$user" -o -z "$action"; then
usage
fi
args=""
root=""
if test -n "$rootdir"; then
root="-R $rootdir"
fi
if test -n "$groups"; then
args="-G $groups"
fi
if test -n "$home"; then
args="$args -d $home -k /etc/skel -m -M 700"
else
args="$args -d /home/$user -k /etc/skel -m -M 700"
fi
if test -n "$shell"; then
args="$args -s $shell"
else
args="$args -s /usr/local/bin/bash"
fi
if test -n "$comment"; then
args="$args -c $comment"
fi
case "$action" in
present)
set -x
if pw $root user show "$user" > /dev/null 2>&1; then
if pw $root user show "$user" | grep -q LOCKED; then
run pw unlock "$user"
else
echo "$user exists."
fi
else
run pw $root user add "$user" $args
fi
if test -e "/usr/local/bastille/keys/$user" -a ! -e "/home/$user/.ssh/authorized_keys"; then
uid=$(getuid "$root" "$user")
install -m 700 -o "$uid" -g "$uid" -d "/home/$user/.ssh"
install -m 600 -o "$uid" -g "$uid" "/usr/local/bastille/keys/$user" "/home/$user/.ssh/authorized_keys"
fi
set +x
;;
absent)
if pw $root user show "$user" > /dev/null 2>&1; then
run pw $root user del "$user"
fi
;;
locked)
if pw $root user show "$user" > /dev/null 2>&1; then
if pw $root user show "$user" | grep -q LOCKED; then
echo "$user is already locked."
else
run pw lock "$user"
fi
fi
;;
*)
usage
;;
esac


@ -1 +0,0 @@
ssh-rsa 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 scip@tripod


@ -1,19 +0,0 @@
---
- name: copy user ssh keys
copy:
src: keys
dest: "/usr/local/bastille/"
# The normal ansible user module can't be used here, because we're
# talking about jail users here. I tried to patch the module to
# support the -R flag (https://github.com/ansible/ansible/pull/84371)
# but it makes no sense. Every single function needs to be patched so
# that it works for jails.
#
# So, instead I'm just using this simple script, which does the job as
# well.
- name: Manage users
loop: "{{ users }}"
ansible.builtin.script: "bin/user.sh -u {{ item.name }} -g '{{ item.groups }}' -c {{ role_name }}-user -a {{ item.state }} -d /usr/local/bastille/jails/pubnix/root"