refactor: split ansible book into roles

2024-12-10 11:31:46 -03:00 · 2024-12-10 11:31:46 -03:00 · 22d7e4a318
commit 22d7e4a318
parent 89a7bfa789
14 changed files with 983 additions and 215 deletions
--- a/roles/common/files/aleidk_key
+++ b/roles/common/files/aleidk_key
@ -0,0 +1,25 @@
+$ANSIBLE_VAULT;1.1;AES256
+61633965313636313234353338653466663733656339366561393932626364383439333034646136
+3839303430636532306232303430356132373865306232310a663265343738613034343036653761
+35303732633663323232633362373232366666393736376435653632666165656432646366656231
+3663323862623830650a306139323764353435616238396438313766643836313363636638613761
+33656566643763333962373063343734356639313564643934316439666664623432613135303963
+34346239313137616361336538636237623436323566626166616265663264326632663665623866
+31353938343938626631333635313661336263333132376231653030346664363863343939346435
+65613561376664633931363963633038623430643332663231363034396335346463306334613931
+62613334313363643832353136363434643034383939313463613838346639373536393264393066
+37346630303762663363313535346638633535323732636562306435316261323935323363363836
+66653133313264353861326637306131333437303261336362383336373061346231633064653139
+38326564636534373966336535343165363137346261386464326161613264393339393661356337
+62343062363530333339663932663366313030326533333239613265326135353264383835383036
+39643034353435353064316234313864653631313631376333313438306565373164613030383139
+62373836336262316237376433313964306337636263343233363530323831343163333265373536
+33383036393534326561626565366461623438643734306663333238623563383131306361306639
+31656537623931303830623338313630633562653762613532363338353938636463396138666363
+66666137663363653938323261653238396633653238346365323664316361353831353034376230
+66623733343233366632656461656632323839326530313532336139373636613966393238626234
+33343039343039623831323539616434356132303030663136373337633532363761383066353730
+62323263643264383163333962366239333363346366316562336339356637306563663632353337
+30376430643732373162333035383266663063663634663233313133363931333565386230326362
+36666633343661313039386662623861313761353163386662336536663866383463643338653066
+63326335356431646465
--- a/roles/common/files/aleidk_key.pub
+++ b/roles/common/files/aleidk_key.pub
@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+65316163633033323362323465383233343166663965353634623531343230333966383133633035
+3139663363333965636634326264633264303765323436610a336166663166376265366466353730
+39396532366562383935353234376563356332653637643737373930656331326135306236373137
+3865323265343231660a666130666430623239613731646332393762623066643964386130633538
+35346532656262363964656438613236323932306139663465383361393235326332383438623366
+65353833646365363832636333393161626535316535626534383462336233353061366566386138
+63353564326130633063383661343932363735326464346236373631643432363332623936376464
+31313765656133383536376334323335333439376162373432373462373266306131323639353136
+3931
--- a/roles/common/files/robo_key
+++ b/roles/common/files/robo_key
@ -0,0 +1,25 @@
+$ANSIBLE_VAULT;1.1;AES256
+34326137303139636664306330643433353766383839373262633531633336336434326136633331
+6266336136633662366234303339343435633935653835330a313337386531346535633164363732
+33333162663564343032323038353737663532616133353538626265646665393131336132393863
+3335613064643365380a366633363531363332663939343030373265343438633365633264376236
+30313862373337343961363164666166633137636232646365666333333261356264313235643365
+36663336636132376366396338346164303066343234613236633561393063313636616630303838
+33636231373465333830613630393366653363643561396465363765383764326538633464366530
+66626363336565343832373631363237653333653265616331623938356266343235656239656134
+66306565646333656337336632636162356531666337613766396439623135633430623132643335
+32373965613962336338633933346437396139393539656437326666363661653231653230313634
+61633032316436646663616437343161363534383365656364303131646636643232366361653231
+30643839343961366665653265666662386537623738356537393364336365396136346361656538
+38653936613261306632386665336162666539646564666232353064646564643036343437396566
+64656261633534316166656564326563323732316436316161303633373564653834356433366561
+39643164373866346531353037613563623038626536616434316266323130643534303736653263
+63643632316562616462333835343437613865363763323464646231343066393264653833383662
+30326332373432326665306338383963333137376538373839626631356236353838376332636132
+64636632336139396437356336326331343832346166386136356239323966376532346130613833
+36316633633536653163313166396238373139383763306532346334343466366136636339646235
+66326162323666306566616339353930353732336538303835366132363139336462373736366538
+39636138383536363332326534356366313362353739373666303133326364643832616431316363
+35393364386536393761303733336230633832646531623264616463323862313565316566666137
+30306433313563313363643034356265316564393166336361663431633930663361356432313861
+38393732626237353131
--- a/roles/common/files/robo_key.pub
+++ b/roles/common/files/robo_key.pub
@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+36616136323264353336336436666430626334313133643336383035313531393930313764323362
+3133656632653262663266613130643162626535616130320a306435383930363131333035393834
+31633537313861373437326138656163613336376535346561666232316436613338396331313965
+3062366436363235630a656637373231363732643636353632366663386666613130656439386132
+34323061333866373131363236326564643637373539636366376631393538333664353834626230
+38386266623262343539356536313961393061346232386431666139303263613437376534633435
+66613466353864633532383561633861396164313565653765363530326366323164313231343838
+62643932623635646132316666303834653132396539363430666334633861336166313638323135
+6364
--- a/roles/common/handlers/main.yaml
+++ b/roles/common/handlers/main.yaml
@ -0,0 +1,4 @@
+- name: Restart sshd
+  ansible.builtin.service:
+    name: sshd
+    state: restarted
--- a/roles/common/meta/arguments_specs.yaml
+++ b/roles/common/meta/arguments_specs.yaml
@ -0,0 +1,19 @@
+---
+argument_specs:
+  main:
+    short_description: Main entry point for the common role
+    author:
+      - aleidk
+    options:
+      extra_groups:
+        type: "list"
+        elements: "str"
+        required: false
+        description:
+          - "Additional groups that will be added to each user"
+      robo_allowed_commands:
+        type: "list"
+        elements: "str"
+        required: false
+        description:
+          - "Commands that robo will be allowed to execute over SSH"
--- a/roles/common/tasks/main.yaml
+++ b/roles/common/tasks/main.yaml
@ -0,0 +1,44 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/ansible/ansible-lint/refs/heads/main/src/ansiblelint/schemas/tasks.json
+
+- name: Create a user group named docker
+  loop: "{{ extra_groups }}"
+  ansible.builtin.group:
+    name: "{{ item }}"
+
+- name: Setup users
+  loop: "{{ users }}"
+  ansible.builtin.user:
+    state: present
+    name: "{{ item.name }}"
+    system: "{{ item.system }}"
+    shell: "{{ item.shell }}"
+    create_home: true
+    password: "{{ (item.password != '!' or item.password != '*') | ternary(item.password | password_hash('sha512'), item.password) }}"
+    groups: "{{ item.groups + extra_groups }}"
+
+- name: Add SSH public key to users
+  loop: "{{ users }}"
+  ansible.posix.authorized_key:
+    user: "{{ item.name }}"
+    state: present
+    exclusive: true
+    key: "{{ item.ssh_keys.pub }}"
+    key_options: "{{ 'command=\"' + robo_allowed_commands | join('; ') + '\"' if robo_allowed_commands is defined and item.name == 'robo' else omit }}"
+
+- name: Disable password authentication for SSH
+  become: true
+  notify: Restart sshd
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?PasswordAuthentication'
+    line: 'PasswordAuthentication no'
+    state: present
+
+- name: Allow authentication via ssh keys
+  become: true
+  notify: Restart sshd
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?PubkeyAuthentication'
+    line: 'PubkeyAuthentication yes'
+    state: present
--- a/roles/common/vars/main.yaml
+++ b/roles/common/vars/main.yaml
@ -0,0 +1,33 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/ansible/ansible-lint/refs/heads/main/src/ansiblelint/schemas/vars.json
+---
+users:
+  - name: aleidk
+    shell: /bin/sh
+    system: false
+    groups:
+      - wheel
+    password: !vault |
+              $ANSIBLE_VAULT;1.1;AES256
+              36376130326263316235653963663466333735313338636630326230636636663938313532356231
+              6234333364653934653665353438353562313838616236310a323738346137373061366433306238
+              61333637663466646631353032613431333263336436313261373637356562343834326563643637
+              3861326166353836330a333563623030346563353264313333363132633238636463623761313635
+              3432
+    ssh_keys:
+      priv: "{{ lookup('file', 'files/aleidk_key') }}"
+      pub: "{{ lookup('file', 'files/aleidk_key.pub') }}"
+
+  - name: robo
+    shell: /bin/sh
+    system: true
+    groups: []
+    password: !vault |
+              $ANSIBLE_VAULT;1.1;AES256
+              65633362306631393332636364393639336561353261613037346363633737363236616262613538
+              3061643566343533393838613261616362373965616538650a396638623038666635323739393038
+              66313636633963306663383631376264383761343534643465663135646162643339336266646264
+              6433373636316237330a343139363432653737376465633538636639626238613266646664366166
+              3136
+    ssh_keys:
+      priv: "{{ lookup('file', 'files/robo_key') }}"
+      pub: "{{ lookup('file', 'files/robo_key.pub') }}"