From e548cf9c172f615ec79e79ce47c4fec61f788ed9 Mon Sep 17 00:00:00 2001 From: Nico Boehr <nico@nicoboehr.de> Date: Thu, 2 Nov 2023 20:45:58 +0100 Subject: [PATCH] users: allow more fine-grained login permissions with users_group and users_root_group --- README.md | 45 ++++++++++++++++++--- group_vars/all | 1 + group_vars/dhcpserver | 4 +- group_vars/ffs04 | 12 ------ group_vars/ffs05 | 4 +- group_vars/ffs06 | 12 ------ group_vars/ffs07 | 4 +- group_vars/ffs08 | 4 +- group_vars/ffs09 | 4 +- group_vars/ffs10 | 4 +- group_vars/ffs11 | 8 +--- host_vars/ffs11.freifunk-stuttgart.de/users | 6 +++ inventory/ffs11 | 2 + roles/users/tasks/main.yml | 4 +- roles/users/tasks/root_pubkey.yml | 2 +- roles/users/tasks/user_remove.yml | 4 +- 16 files changed, 68 insertions(+), 52 deletions(-) delete mode 100644 group_vars/ffs04 delete mode 100644 group_vars/ffs06 create mode 100644 host_vars/ffs11.freifunk-stuttgart.de/users diff --git a/README.md b/README.md index 724f559..07ced05 100644 --- a/README.md +++ b/README.md @@ -75,9 +75,15 @@ user_database: #### Creating user accounts -Note that this doesn't create the user anywhere. To do so, define a variable -`users` e.g. in `host_vars`. For example adding this somewhere in -`host_vars/example.com/`: +Note that this doesn't create the user anywhere. + +You can use a host var or a group var to actually create users. + +##### Creating accounts on hosts + +To create a user on a specific host, define the variable `users` in `host_vars` + +For example adding this to `host_vars/example.com/users`: ``` users: - johndoe 
@@ -85,16 +91,45 @@ users: will deploy the johndoe user as defined in the `user_database` above on `example.com`. +##### Creating accounts on groups + +This can be a bit annoying if you just want to grant a group of people +access to a bunch of hosts in a group. To grant a user access to a group of +hosts, define the variable `users_group` in `group_vars`. + +For example adding this to `group_vars/dc01`: +``` +users_group: + - johndoe +``` +will deploy the johndoe user as defined in the `user_database` above on +all hosts in the group `dc01`. + #### Deploying pubkeys for the root user Pubkeys defined in the `user_database` can also be deployed for the root user. -This is achieved by adding a user's name to the `users_root` list. For example: + +##### Deploying pubkeys for the root user on hosts + +This is achieved by adding a user's name to the `users_root` list. For example +adding this to `host_vars/example.com/users`: ``` users_root: - johndoe ``` will deploy all pubkeys defined in the `user_database` for johndoe in the root -account. +account on host `example.com. + +##### Deploying pubkeys for the root user on groups + +This is achieved by adding a user's name to the `users_root_group` list. For example +adding this to `group_vars/dc01`: +``` +users_root_group: + - johndoe +``` +will deploy all pubkeys defined in the `user_database` for johndoe in the root +account on all hosts in group `dc01`. ### DHCP Server diff --git a/group_vars/all b/group_vars/all index 86f71c6..2a51f1c 100644 --- a/group_vars/all +++ b/group_vars/all 
@@ -106,3 +106,4 @@ user_database: fullname: Stefan Mehrens pubkeys: - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDV9XOmFQU2uZiaka5IMhaHf7I3Yo/NcBclxTYVLG5rofs3V7PAZ01m3wdMauqo7oO4o+aV4vF9yZOx+rc0rOP2yY11Ao2r4ospA2SZI0yaaDX1mZGErhId+RLmHVc4zcNWas8gucASP0A8rObc/ZEX8rCFITegv0OEiH0lS6NX0s+EchjxZRP8rqohWc4uLsaNhZkuheotVeFS2ecCnnvm3HngLPtUY1ZRD3jSmBmghoz6Utp4HTkk88b4PYv/Kc6Bt72IxxL2wZvqaF/bVrngYk6w7ewq3zXJMwDZscYOUSP7C3ZkGBoEvyGGtDYbDhyuptoGQNTcmmHAnbxzTdnv smehrens@oxygen.fritz.box + diff --git a/group_vars/dhcpserver b/group_vars/dhcpserver index c2df7fe..e6a8277 100644 --- a/group_vars/dhcpserver +++ b/group_vars/dhcpserver @@ -1,11 +1,11 @@ --- -users: +users_group: - are - leonard - roland - nrb -users_root: +users_root_group: - are - leonard - roland diff --git a/group_vars/ffs04 b/group_vars/ffs04 deleted file mode 100644 index c2df7fe..0000000 --- a/group_vars/ffs04 +++ /dev/null @@ -1,12 +0,0 @@ ---- -users: - - are - - leonard - - roland - - nrb - -users_root: - - are - - leonard - - roland - - nrb diff --git a/group_vars/ffs05 b/group_vars/ffs05 index 8133b87..b9a6f8a 100644 --- a/group_vars/ffs05 +++ b/group_vars/ffs05 @@ -1,12 +1,12 @@ --- -users: +users_group: - are - leonard - roland - nrb - wilhelm -users_root: +users_root_group: - are - leonard - roland diff --git a/group_vars/ffs06 b/group_vars/ffs06 deleted file mode 100644 index c2df7fe..0000000 --- a/group_vars/ffs06 +++ /dev/null @@ -1,12 +0,0 @@ ---- -users: - - are - - leonard - - roland - - nrb - -users_root: - - are - - leonard - - roland - - nrb diff --git a/group_vars/ffs07 b/group_vars/ffs07 index c2df7fe..e6a8277 100644 --- a/group_vars/ffs07 +++ b/group_vars/ffs07 @@ -1,11 +1,11 @@ --- -users: +users_group: - are - leonard - roland - nrb -users_root: +users_root_group: - are - leonard - roland diff --git a/group_vars/ffs08 b/group_vars/ffs08 index c2df7fe..e6a8277 100644 --- a/group_vars/ffs08 +++ b/group_vars/ffs08 
@@ -1,11 +1,11 @@ --- -users: +users_group: - are - leonard - roland - nrb -users_root: +users_root_group: - are - leonard - roland diff --git a/group_vars/ffs09 b/group_vars/ffs09 index 8133b87..b9a6f8a 100644 --- a/group_vars/ffs09 +++ b/group_vars/ffs09 @@ -1,12 +1,12 @@ --- -users: +users_group: - are - leonard - roland - nrb - wilhelm -users_root: +users_root_group: - are - leonard - roland diff --git a/group_vars/ffs10 b/group_vars/ffs10 index ced0a17..5ea265e 100644 --- a/group_vars/ffs10 +++ b/group_vars/ffs10 @@ -1,12 +1,12 @@ --- -users: +users_group: - are - leonard - roland - nrb - gratuxri -users_root: +users_root_group: - are - leonard - roland diff --git a/group_vars/ffs11 b/group_vars/ffs11 index 96ce3d2..cb2df9c 100644 --- a/group_vars/ffs11 +++ b/group_vars/ffs11 @@ -1,5 +1,5 @@ --- -users: +users_group: - are - leonard - roland @@ -9,12 +9,8 @@ users: - thommie - docloy - wilhelm - - jochen - - gratuxri - - flip - - smehrens -users_root: +users_root_group: - are - leonard - roland diff --git a/host_vars/ffs11.freifunk-stuttgart.de/users b/host_vars/ffs11.freifunk-stuttgart.de/users new file mode 100644 index 0000000..ce5f638 --- /dev/null +++ b/host_vars/ffs11.freifunk-stuttgart.de/users @@ -0,0 +1,6 @@ +--- +users: + - jochen + - gratuxri + - flip + - smehrens diff --git a/inventory/ffs11 b/inventory/ffs11 index b2a6e29..a3e1f35 100644 --- a/inventory/ffs11 +++ b/inventory/ffs11 @@ -77,3 +77,5 @@ ffs11: ansible_ssh_host: 3201.ffs11 sso01.freifunk-stuttgart.net: ansible_ssh_host: 3203.ffs11 + vpn-1nce.freifunk-stuttgart.net: + ansible_ssh_host: 3174.ffs11 diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index bf6b7e3..fb23f80 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Creating users include: user.yml - loop: "{{ users }}" + loop: "{{ users|default([]) + users_group|default([]) }}" loop_control: loop_var: user 
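Review bot: Adding `vpn-1nce.freifunk-stuttgart.net` to the `ffs11` inventory group is an access-control change in its own right: on the next run the host presumably receives every account in `group_vars/ffs11` `users_group` and root SSH keys for everyone in `users_root_group`, yet the commit subject only mentions the new variables. If that is intended, state it in the commit message; otherwise this hunk belongs in its own commit so the grant is visible in history. The new entry also uses the legacy `ansible_ssh_host` alias (matching its neighbours), whereas `ansible_host` is the current name. The enclosing `ffs11:` mapping starts outside the hunk.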
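Review bot: The concatenation `users|default([]) + users_group|default([])` runs `user.yml` twice for a name that appears in both the host's `users` and the group's `users_group`; deduplicate so each account is handled once: `loop: "{{ (users|default([]) + users_group|default([])) | unique }}"`. Nothing in this task checks that every listed name is a key of `user_database`, so a typo in either list presumably only surfaces as an undefined-key failure inside `user.yml`; an `assert` before this task on `(users|default([]) + users_group|default([])) | difference(user_database.keys())` being empty gives a clear message instead. `include:` is the legacy form and `include_tasks:` the supported replacement, though that predates this change.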
@@ -14,6 +14,6 @@ - name: Deploying public key for users with root access include: root_pubkey.yml vars: - loop: '{{ users }}' + loop: '{{ user_database.keys() | list }}' loop_control: loop_var: user diff --git a/roles/users/tasks/root_pubkey.yml b/roles/users/tasks/root_pubkey.yml index efc0164..4c9b9ed 100644 --- a/roles/users/tasks/root_pubkey.yml +++ b/roles/users/tasks/root_pubkey.yml @@ -2,7 +2,7 @@ - name: "Deploying {{ user }} public keys for root" authorized_key: user: "root" - state: '{{ (user in users_root) | ternary("present", "absent") }}' + state: '{{ (user in users_root|default([]) or user in users_root_group|default([]) ) | ternary("present", "absent") }}' key: '{{ item }}' comment: '{{ user }}' follow: yes diff --git a/roles/users/tasks/user_remove.yml b/roles/users/tasks/user_remove.yml index f3a140e..d5ef4bb 100644 --- a/roles/users/tasks/user_remove.yml +++ b/roles/users/tasks/user_remove.yml @@ -4,7 +4,7 @@ name: "{{ user.key }}" uid: "{{ user_database[user.key].uid }}" state: absent - when: 'user.key not in users' + when: 'user.key not in users|default([]) and user.key not in users_group|default([])' - name: "Remove root ssh keys for {{ user.key }}" authorized_key: @@ -12,7 +12,7 @@ state: absent key: '{{ pubkey }}' follow: yes - when: 'user.key not in users' + when: 'user.key not in users|default([]) and user.key not in users_group|default([])' loop: '{{ user.value.pubkeys }}' loop_control: loop_var: pubkey -- GitLab
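Review bot: Looping over `user_database.keys()` rather than `users` is the right choice for revocation, since `root_pubkey.yml` now sets `absent` for every known user missing from a root list instead of leaving stale root keys behind when someone drops out of `users`; that intent is not obvious from the line and deserves a comment such as `# Iterate every known user so root keys are revoked, not just deployed`. Two limits remain worth documenting: a name in `users_root`/`users_root_group` that is not a key of `user_database` is silently ignored, and keys placed in root's `authorized_keys` outside this role are never removed. The `vars:` key directly above the loop looks empty and may be a leftover; the task's remaining lines are outside the hunk.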
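Review bot: With the caller now iterating all of `user_database`, `state` here depends solely on `users_root`/`users_root_group`, so a user listed only in `users_root_group` and not in `users_group` gets root SSH keys without having an account, something the old `loop: users` implicitly prevented. Unless root-without-account is intended, require both: `state: '{{ ((user in users_root|default([]) or user in users_root_group|default([])) and (user in users|default([]) or user in users_group|default([]))) | ternary("present", "absent") }}'`. The lists are also purely additive, so a host cannot opt out of a root grant made in its group's `users_root_group`; the README should say so, and an `assert` that every root-list entry is also an account-list entry would catch misconfiguration early. The task's `key`, `comment` and `follow` lines are unchanged context.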
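Review bot: The root-key removal in this hunk now overlaps with `root_pubkey.yml`, which already sets `absent` for every database user, and the two disagree on the criterion: this `when` keys on having an account, that task keys on the root lists, so the end state of a user in `users_root_group` but in neither account list depends on which include runs last in `main.yml`, which is outside the hunk. Pick one owner for root-key state, either drop this task or make its `when` also consult `users_root|default([])` and `users_root_group|default([])`. The identical `when` string is repeated verbatim across both tasks in this file; wrapping them in a `block:` with a single `when:` keeps the two conditions from drifting apart again.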