fixed user management, incl skel dir

This commit is contained in:
Thomas von Dein 2024-11-25 18:29:17 +01:00
parent 09e2be2ab7
commit fe04b3fe87
5 changed files with 132 additions and 19 deletions


@ -19,6 +19,8 @@ DEBUG_COMMAND = ansible-playbook debug.yaml $(OPTIONS)
ENV = HCLOUD_TOKEN="$(TOKEN)" SNAPSHOT="$(SNAPSHOT)" ANSIBLE_VERBOSITY=$(verbose) ENV = HCLOUD_TOKEN="$(TOKEN)" SNAPSHOT="$(SNAPSHOT)" ANSIBLE_VERBOSITY=$(verbose)
x:
@echo $(TOKEN)
all: create deploy all: create deploy
@ -38,7 +40,7 @@ clean:
$(ENV) $(CLEAN_COMMAND) $(ENV) $(CLEAN_COMMAND)
check: check:
ansible-playbook -vvv --ask-vault-pass deploy.yaml -i inventory --syntax-check $(ENV) ansible-playbook deploy.yaml --syntax-check
editvars: editvars:
ansible-vault decrypt $(VARS) ansible-vault decrypt $(VARS)
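Review bot: The new `x` target echoes `$(TOKEN)`, the Hetzner API token that `ENV` hands to Ansible as `HCLOUD_TOKEN`, straight to stdout, where it ends up in terminal scrollback and any CI log that runs make; this reads as a debugging leftover and should be dropped before merge rather than kept as a committed way to dump a secret. If a tunable-inspection target is wanted, keep it out of the token path or at least declare it `.PHONY: x` so a stray file named `x` cannot mask it. The reworked `check` recipe also drops `-i inventory` and `--ask-vault-pass`, so the syntax check now runs against whatever inventory ansible.cfg or the defaults select — presumably intended, but worth confirming since `editvars` shows the vars file is vault-encrypted.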


@ -27,12 +27,10 @@ or using e3 using wrapper script around `jaildk exec dns knotc ...`
- remove pkg function from root .bashrc - remove pkg function from root .bashrc
## fix home mount
nullfs into jail
## Add users with authorized_keys files ## Add users with authorized_keys files
Users script ready, add ssh keys support
## Add quota config and enable/configure rctl ## Add quota config and enable/configure rctl
## DNS ## DNS


@ -40,13 +40,11 @@ jails:
users: users:
- name: scip - name: scip
state: present
groups: wheel groups: wheel
shell: /usr/local/bin/bash
rootdir: /usr/local/bastille/jails/pubnix/root
- name: tom - name: tom
groups: nobody state: present
shell: /usr/local/bin/bash groups: ""
rootdir: /usr/local/bastille/jails/pubnix/root
storage: storage:
volume: volume:

114
roles/pubnix/bin/user.sh Executable file

@ -0,0 +1,114 @@
#!/bin/sh
rootdir=""
user=""
groups=""
home=""
shell="/usr/local/bin/bash"
comment=""
action=""
usage() {
echo "Usage: $0 -u user [-h home] [-s shell] [-g groups] [-d rootdir] [-c comment] -a action"
echo "Valid actions: present, absent, locked"
exit 1
}
run() {
echo $*
$*
}
OPTIND=1
while getopts d:u:h:g:s:c:a: opt ; do
case $opt in
d)
rootdir="$OPTARG"
;;
u)
user="$OPTARG"
;;
h)
home="$OPTARG"
;;
g)
groups="$OPTARG"
;;
s)
shell="$OPTARG"
;;
c)
comment="$OPTARG"
;;
a)
action="$OPTARG"
;;
*)
usage
;;
esac
done
shift $(($OPTIND - 1))
if test -z "$user" -o -z "$action"; then
usage
fi
args=""
root=""
if test -n "$rootdir"; then
root="-R $rootdir"
fi
if test -n "$groups"; then
args="-G $groups"
fi
if test -n "$home"; then
args="$args -d $home -k /etc/skel -m -M 700"
else
args="$args -d /home/$user -k /etc/skel -m -M 700"
fi
if test -n "$shell"; then
args="$args -s $shell"
else
args="$args -s /usr/local/bin/bash"
fi
if test -n "$comment"; then
args="$args -c $comment"
fi
case "$action" in
present)
if pw $root user show "$user" > /dev/null 2>&1; then
if pw $root user show "$user" | grep -q LOCKED; then
run pw unlock "$user"
else
echo "$user exists."
fi
else
run pw $root user add "$user" $args
fi
;;
absent)
if pw $root user show "$user" > /dev/null 2>&1; then
run pw $root user del "$user"
fi
;;
locked)
if pw $root user show "$user" > /dev/null 2>&1; then
if pw $root user show "$user" | grep -q LOCKED; then
echo "$user is already locked."
else
run pw lock "$user"
fi
fi
;;
*)
usage
;;
esac
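Review bot: The `present` and `locked` branches call `run pw unlock "$user"` and `run pw lock "$user"` without `$root`, while the existence checks around them use `pw $root user show`; when `-d rootdir` is given (the playbook always passes it) the lock/unlock therefore targets the host password database, so a `locked` state leaves the jail account usable and can lock a same-named host account. Change them to `run pw $root lock "$user"` and `run pw $root unlock "$user"`. Separately, `run` expands `$*` unquoted and `$args` is built by string concatenation, so `-c $comment`, `-G $groups` and `-s $shell` are word-split and glob-expanded before reaching `pw`; using `"$@"` in `run` and quoting the option values would make a comment with a space or a `*` harmless. Note also that for an existing, unlocked account the `present` branch only prints "exists" — unlike the replaced `pw user mod` call it no longer applies changed groups or shell, which is presumably a deliberate simplification but should be stated in the usage text.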

View File

@ -54,6 +54,13 @@
- name: template jail - name: template jail
shell: "bastille template {{ role_name }} services/{{ role_name }}" shell: "bastille template {{ role_name }} services/{{ role_name }}"
# FIXME: loop over files and check size somehow, or always copy? use file module?
- name: copy skel files
shell: cp -r /usr/local/bastille/templates/services/{{ role_name }}/usr/share/skel /usr/local/bastille/jails/{{ role_name }}/root/etc/
args:
creates: /usr/local/bastille/jails/{{ role_name }}/root/etc/skel
# The normal ansible user module can't be used here, because we're # The normal ansible user module can't be used here, because we're
# talking about jail users here. I tried to patch the module to # talking about jail users here. I tried to patch the module to
# support the -R flag (https://github.com/ansible/ansible/pull/84371) # support the -R flag (https://github.com/ansible/ansible/pull/84371)
@ -62,13 +69,7 @@
# #
# So, instead I'm just using this simple script, which does the job as # So, instead I'm just using this simple script, which does the job as
# well. # well.
- name: Create users - name: Manage users
loop: "{{ users }}" loop: "{{ users }}"
shell: | ansible.builtin.script: "bin/user.sh -u {{ item.name }} -g '{{ item.groups }}' -c {{ role_name }}-user -a {{ item.state }} -d /usr/local/bastille/jails/{{ role_name }}/root"
if pw -V {{ item.rootdir }}/etc user show {{ item.name }} > /dev/null 2>&1; then \
pw -V {{ item.rootdir }}/etc user mod {{ item.name }} -d /home/{{ item.name }} -G {{ item.groups }} -m -s {{ item.shell }}; \
echo "user {{ item.name }} modified"; \
else \
pw -V {{ item.rootdir }}/etc user add {{ item.name }} -d /home/{{ item.name }} -G {{ item.groups }} -m -s {{ item.shell }}; \
echo "user {{ item.name }} created"; \
fi
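Review bot: In the `Manage users` task `item.name`, `item.groups` and `item.state` are spliced into a shell command line that runs as root inside the jail, and only `groups` is single-quoted (a value containing `'` still breaks out), so a stray space or shell metacharacter in a vault entry changes the command rather than the argument; render them with `{{ item.name | quote }}`, `{{ item.groups | default('') | quote }}` and `{{ item.state | default('present') | quote }}`. The `default` filters also keep the play from aborting at template time on a user entry that omits `state` or `groups`, which the previous shell-based task tolerated for `state`. The `copy skel files` task is guarded by `creates`, so later edits to the template skel are never re-copied — the FIXME above it already says as much, but a `copy`/`synchronize` with `remote_src` would make it idempotent and converge on changes.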