0wn: manage admin access to netinstall nodes

asheplyakov · Jul 29, 2021 · 657511d · 657511d
1 parent 5e0b8bf
commit 657511d
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 53 deletions.
diff --git a/0wn.yml b/0wn.yml
@@ -7,6 +7,8 @@
   gather_facts: no
 
 - hosts:
-    - altlinux
+    - altinstall
   roles:
     - 0wn
+  vars_files:
+    - admins.yml
diff --git a/admins.yml b/admins.yml
@@ -0,0 +1,2 @@
+---
+
diff --git a/roles/0wn/tasks/admin_account.yml b/roles/0wn/tasks/admin_account.yml
@@ -0,0 +1,57 @@
+---
+
+- name: check if account exists
+  command: >
+    getent passwd "{{ admin.username }}"
+  register: getent_admin
+  failed_when: False
+  changed_when: False
+
+- name: bail out if getent invocation fails
+  fail:
+    msg: "failed to figure out if {{ admin.username }} account exists"
+  when:
+    - getent_admin.rc != 0
+    - getent_admin.rc != 2
+
+- name: create admin account
+  user:
+    name: "{{ admin.username }}"
+    comment: "{{ admin.name }}"
+    state: present
+    shell: /bin/bash
+    password_lock: yes
+  when:
+    - getent_admin.rc == 2
+
+- name: add admin to the wheel group
+  user:
+    name: "{{ admin.username }}"
+    groups: wheel
+    append: true
+  when:
+    - ansible_distribution_file_path == '/etc/altlinux-release'
+
+- name: enable passwordless sudo for admin
+  copy:
+    dest: "/etc/sudoers.d/{{ admin.username }}"
+    owner: root
+    group: root
+    mode: 0600
+    content: "{{ admin.username }} ALL=(ALL) NOPASSWD: ALL"
+
+- name: configure ssh authentication by keys
+  authorized_key:
+    user: "{{ admin.username }}"
+    key: "{{ item }}"
+    state: present
+  loop: "{{ admin.ssh_public_keys }}"
+
+- name: enable root login by ssh public keys
+  authorized_key:
+    user: root
+    key: "{{ item }}"
+    state: present
+  when:
+    - admin.enable_ssh_as_root|default('false')|bool
+  loop: "{{ admin.ssh_public_keys }}"
diff --git a/roles/0wn/tasks/main.yml b/roles/0wn/tasks/main.yml
@@ -10,14 +10,6 @@
 - name: install sudo 
   package: name=sudo state=present
 
-- name: configure passwordless sudo for admin user
-  copy:
-    dest: "/etc/sudoers.d/{{ admin_user|default(current_local_user) }}"
-    owner: root
-    group: root
-    mode: 0600
-    content: "{{ admin_user|default(current_local_user) }} ALL=(ALL) NOPASSWD: ALL"
-
 - name: enable sudo for root on ALT Linux
   copy:
     dest: "/etc/sudoers.d/root"
@@ -28,47 +20,9 @@
   when:
     - ansible_distribution_file_path == '/etc/altlinux-release'
 
-- name: check if user account exists
-  command: >
-    getent passwd "{{ admin_user|default(current_local_user) }}"
-  register: getent_admin
-  failed_when: False
-  changed_when: False
-
-- name: terminate if getent invocation fails
-  fail:
-    msg: "failed to figure out if {{ admin_user|default(current_local_user) }} account exists"
-  when:
-    - getent_admin.rc != 0
-    - getent_admin.rc != 2
-
-- name: create my account
-  user:
-    name: "{{ admin_user|default(current_local_user) }}"
-    state: present
-    shell: /bin/bash
-    password_lock: yes
-  when:
-    - getent_admin.rc == 2
-
-- name: set ssh authorized keys from local key
-  authorized_key:
-    user: "{{ admin_user|default(current_local_user) }}"
-    key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
-    state: present
-
-- name: configure root login by ssh public key
-  authorized_key:
-    user: root
-    key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
-    state: present
-
-- name: add user to the wheel group
-  user:
-    name: "{{ admin_user|default(current_local_user) }}"
-    groups: wheel
-    append: true
-  when:
-    - ansible_distribution_file_path == '/etc/altlinux-release'
-
-
+- name: setup admin access
+  include_tasks: admin_account.yml
+  loop: "{{ admin_users }}" 
+  loop_control:
+    loop_var: admin
+    label: "{{ admin.name }}"