diff --git a/Makefile b/Makefile index 9517d80..341221d 100644 --- a/Makefile +++ b/Makefile @@ -19,6 +19,8 @@ DEBUG_COMMAND = ansible-playbook debug.yaml $(OPTIONS) ENV = HCLOUD_TOKEN="$(TOKEN)" SNAPSHOT="$(SNAPSHOT)" ANSIBLE_VERBOSITY=$(verbose) +x: + @echo $(TOKEN) all: create deploy @@ -38,7 +40,7 @@ clean: $(ENV) $(CLEAN_COMMAND) check: - ansible-playbook -vvv --ask-vault-pass deploy.yaml -i inventory --syntax-check + $(ENV) ansible-playbook deploy.yaml --syntax-check editvars: ansible-vault decrypt $(VARS) diff --git a/TODO.md b/TODO.md index 112562e..b05a864 100644 --- a/TODO.md +++ b/TODO.md @@ -27,12 +27,10 @@ or using e3 using wrapper script around `jaildk exec dns knotc ...` - remove pkg function from root .bashrc -## fix home mount - -nullfs into jail - ## Add users with authorized_keys files +Users script ready, add ssh keys support + ## Add quota config and enable/configure rctl ## DNS diff --git a/group_vars/all/all.yaml b/group_vars/all/all.yaml index bce34c3..07ee7e6 100644 --- a/group_vars/all/all.yaml +++ b/group_vars/all/all.yaml @@ -40,13 +40,11 @@ jails: users: - name: scip + state: present groups: wheel - shell: /usr/local/bin/bash - rootdir: /usr/local/bastille/jails/pubnix/root - name: tom - groups: nobody - shell: /usr/local/bin/bash - rootdir: /usr/local/bastille/jails/pubnix/root + state: present + groups: "" storage: volume: diff --git a/roles/pubnix/bin/user.sh b/roles/pubnix/bin/user.sh new file mode 100755 index 0000000..9c53d74 --- /dev/null +++ b/roles/pubnix/bin/user.sh 
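Review bot: The new `x` target prints `$(TOKEN)` — the value that `ENV` on the line above passes as `HCLOUD_TOKEN` — to stdout, so the cloud API token lands in terminal scrollback and in the log of any CI job that runs it; it reads like a leftover debugging aid and should not be committed. If a way to confirm the token is set is wanted, `test -n "$(TOKEN)" || { echo 'TOKEN is not set' >&2; exit 1; }` does that without printing the value, and the target should then get a descriptive name and a `.PHONY` entry alongside the others.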
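Review bot: The rewritten `check` recipe is not `@`-silenced, so make echoes the expanded line — including `HCLOUD_TOKEN="…"` from `$(ENV)` — before running it, and the token now shows up in the output of a plain `--syntax-check`, which does not obviously need cloud credentials at all. Either drop `$(ENV)` from this recipe, or, if the inventory source needs the token to be parsed (the explicit `-i inventory` was removed, so inventory now comes from ansible.cfg or the default), prefix the line with `@` so the expanded command is not printed. The existing `clean:` recipe in the context lines has the same echo behaviour.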
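Review bot: The `users` entries now carry a `state` key, but nothing in this file says which values the consuming script accepts (`present`, `absent`, `locked`) or that a user simply deleted from this list is left untouched in the jail — it has to be switched to `state: absent` first. A comment above the list, `# state: present | absent | locked — removing an entry does not remove the user; set state: absent instead`, would capture both. `groups: ""` for tom is needed rather than omitting the key, because the task that consumes it references `item.groups` unconditionally; the script then sees an empty `-g` and skips the group assignment.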
@@ -0,0 +1,114 @@
+#!/bin/sh
+
+rootdir=""
+user=""
+groups=""
+home=""
+shell="/usr/local/bin/bash"
+comment=""
+action=""
+
+usage() {
+ echo "Usage: $0 -u user [-h home] [-s shell] [-g groups] [-d rootdir] [-c comment] -a action"
+ echo "Valid actions: present, absent, locked"
+ exit 1
+}
+
+run() {
+ echo $*
+ $*
+}
+
+OPTIND=1
+while getopts d:u:h:g:s:c:a: opt ; do
+ case $opt in
+ d)
+ rootdir="$OPTARG"
+ ;;
+ u)
+ user="$OPTARG"
+ ;;
+ h)
+ home="$OPTARG"
+ ;;
+ g)
+ groups="$OPTARG"
+ ;;
+ s)
+ shell="$OPTARG"
+ ;;
+ c)
+ comment="$OPTARG"
+ ;;
+ a)
+ action="$OPTARG"
+ ;;
+ *)
+ usage
+ ;;
+ esac
+done
+
+shift $(($OPTIND - 1))
+
+if test -z "$user" -o -z "$action"; then
+ usage
+fi
+
+args=""
+root=""
+
+if test -n "$rootdir"; then
+ root="-R $rootdir"
+fi
+
+if test -n "$groups"; then
+ args="-G $groups"
+fi
+
+if test -n "$home"; then
+ args="$args -d $home -k /etc/skel -m -M 700"
+else
+ args="$args -d /home/$user -k /etc/skel -m -M 700"
+fi
+
+if test -n "$shell"; then
+ args="$args -s $shell"
+else
+ args="$args -s /usr/local/bin/bash"
+fi
+
+if test -n "$comment"; then
+ args="$args -c $comment"
+fi
+
+case "$action" in
+ present)
+ if pw $root user show "$user" > /dev/null 2>&1; then
+ if pw $root user show "$user" | grep -q LOCKED; then
+ run pw unlock "$user"
+ else
+ echo "$user exists."
+ fi
+ else
+ run pw $root user add "$user" $args
+ fi
+ ;;
+ absent)
+ if pw $root user show "$user" > /dev/null 2>&1; then
+ run pw $root user del "$user"
+ fi
+ ;;
+ locked)
+ if pw $root user show "$user" > /dev/null 2>&1; then
+ if pw $root user show "$user" | grep -q LOCKED; then
+ echo "$user is already locked."
+ else
+ run pw lock "$user"
+ fi
+ fi
+ ;;
+ *)
+ usage
+ ;;
+esac
diff --git a/roles/pubnix/tasks/main.yaml b/roles/pubnix/tasks/main.yaml
index 2cead36..1e5b3d4 100644
--- a/roles/pubnix/tasks/main.yaml
+++ b/roles/pubnix/tasks/main.yaml
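Review bot: The `pw unlock` call in the `present` branch and the `pw lock` call in the `locked` branch omit `$root`, so when `-d rootdir` is given they act on the host's password database instead of the jail's, unlike the `show`, `add` and `del` calls around them; `run pw $root unlock "$user"` and `run pw $root lock "$user"` make the branches consistent. An existing, unlocked user is only reported with `"$user exists."`, so later changes to `-g`, `-s` or `-c` never converge — the playbook logic this script replaces ran `pw user mod` in that case, and if that behaviour is still wanted a `pw $root user mod "$user" $args` step belongs there. Note also that `run()` expands `$*` unquoted and `args` is assembled by string concatenation, so a `-c` comment or a home path containing spaces is split into separate words before reaching `pw`; the caller currently passes single-word values, so this is a latent rather than an active problem.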
@@ -54,6 +54,13 @@ - name: template jail shell: "bastille template {{ role_name }} services/{{ role_name }}" + +# FIXME: loop over files and check size somehow, or always copy? use file module? +- name: copy skel files + shell: cp -r /usr/local/bastille/templates/services/{{ role_name }}/usr/share/skel /usr/local/bastille/jails/{{ role_name }}/root/etc/ + args: + creates: /usr/local/bastille/jails/{{ role_name }}/root/etc/skel + # The normal ansible user module can't be used here, because we're # talking about jail users here. I tried to patch the module to # support the -R flag (https://github.com/ansible/ansible/pull/84371) @@ -62,13 +69,7 @@ # # So, instead I'm just using this simple script, which does the job as # well. -- name: Create users +- name: Manage users loop: "{{ users }}" - shell: | - if pw -V {{ item.rootdir }}/etc user show {{ item.name }} > /dev/null 2>&1; then \ - pw -V {{ item.rootdir }}/etc user mod {{ item.name }} -d /home/{{ item.name }} -G {{ item.groups }} -m -s {{ item.shell }}; \ - echo "user {{ item.name }} modified"; \ - else \ - pw -V {{ item.rootdir }}/etc user add {{ item.name }} -d /home/{{ item.name }} -G {{ item.groups }} -m -s {{ item.shell }}; \ - echo "user {{ item.name }} created"; \ - fi + ansible.builtin.script: "bin/user.sh -u {{ item.name }} -g '{{ item.groups }}' -c {{ role_name }}-user -a {{ item.state }} -d /usr/local/bastille/jails/{{ role_name }}/root" +
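Review bot: In the Manage users task of the second hunk, `ansible.builtin.script` reports `changed` on every run, so the idempotence the script provides — it only echoes and executes a `pw` command when something actually needs doing — is invisible to the play; `register: user_result` together with `changed_when: "'pw ' in user_result.stdout"` derives the status from the script's own output. The `-g` argument is quoted to survive the empty-groups case, but `-u {{ item.name }}`, `-a {{ item.state }}` and the `-d` path are not, so the task silently relies on those values being single shell words; quoting all of them the same way is the cheaper option. The jail root is now hard-coded from `role_name` rather than taken from `item.rootdir`, which is consistent with the group_vars change earlier in this commit but worth a one-line comment so the two stay in sync.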