From 26e57d7b6ff21db1884c41f10424a782aca3712c Mon Sep 17 00:00:00 2001 From: Markus Pesch Date: Tue, 19 Jul 2022 17:54:56 +0200 Subject: [PATCH] fix: config ssh client config --- defaults/default.yml | 42 +++++++++++++++++-------------- tasks/create_unix_user.yml | 48 ++++++++++++++++++++++++++++++++++-- tasks/main.yml | 20 +++++++-------- tasks/remove_unix_group.yml | 2 +- tasks/remove_unix_user.yml | 4 +-- templates/authorized_keys.j2 | 4 +-- templates/config.j2 | 14 +++++++++++ 7 files changed, 98 insertions(+), 36 deletions(-) create mode 100644 templates/config.j2 diff --git a/defaults/default.yml b/defaults/default.yml index ec41d61..e758271 100644 --- a/defaults/default.yml +++ b/defaults/default.yml @@ -1,26 +1,30 @@ --- -# unix_groups: -# kah: -# gid: 568 +unix_groups: {} +# alice: +# gid: 1001 # state: present -# markus: {} -# movies: +# bob: +# gid: 1001 # state: absent -# unix_users: -# markus: -# name: "Markus Pesch" -# ssh_keys: -# public: -# - markus@markus-pc.pub -# - markus@markus-nb.pub +unix_users: {} +# alice: +# state: "present" +# name: "Alice" +# uid: "1000" +# ssh: +# config: +# - Host: "*" +# StrictHostKeyChecking: "no" +# UserKnownHostFile: /dev/null +# authorized_keys: +# - alice@alice-pc.pub +# private_keys: +# - alice@alice-pc.ed25519.key +# home: /home/alice # shell: /bin/bash -# group: markus -# groups: -# - movies -# - music -# - series +# group: alice +# groups: [] # password: "" -# email: markus.pesch@cryptic.systems -# state: present +# email: alice@example.local diff --git a/tasks/create_unix_user.yml b/tasks/create_unix_user.yml index bc55074..eccbb55 100644 --- a/tasks/create_unix_user.yml +++ b/tasks/create_unix_user.yml 
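Review bot: The new commented example under `ssh.config` in `unix_users` spells the option `UserKnownHostFile`; the OpenSSH keyword is `UserKnownHostsFile`, and ssh refuses a `~/.ssh/config` containing an unknown keyword ("Bad configuration option"), so anyone who uncomments the example as written gets a client that cannot connect. I would change the line to `#           UserKnownHostsFile: /dev/null`. The same example pairs that with `StrictHostKeyChecking: "no"` under `Host: "*"`, which turns off host-key verification for every destination, so the example deserves a comment such as `#       config:  # example only: these two options disable host-key verification for all hosts` rather than reading as a recommended setting. Since `unix_groups: {}` and `unix_users: {}` are now real defaults instead of commented-out samples, a one-line comment above each stating that the block below is an example of the expected shape would help readers tell the two apart.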
@@ -71,13 +71,57 @@ owner: "{{ unix_user.key }}" group: "{{ unix_user.value.group | default('users') }}" mode: 0600 - when: unix_user.value.ssh_keys is defined and unix_user.value.ssh_keys.public | length > 0 + when: unix_user.value.ssh.authorized_keys is defined and unix_user.value.ssh.authorized_keys | length > 0 - name: Remove authorized_keys file for user {{ unix_user.key }} file: path: "{{ user_user_home }}/.ssh/authorized_keys" state: absent - when: unix_user.value.ssh_keys.public is not defined or unix_user.value.ssh_keys.public | length <= 0 + when: unix_user.value.ssh.authorized_keys is not defined or unix_user.value.ssh.authorized_keys | length <= 0 + +- name: Create private SSH keys for user {{ unix_user.key }} + copy: + src: "{{ playbook_dir }}/ssh/private_keys/{{ item }}" + dest: "{{ user_user_home }}/.ssh/{{ item }}" + owner: "{{ unix_user.key }}" + group: "{{ unix_user.value.group | default('users') }}" + mode: 0600 + with_items: + - "{{ unix_user.value.ssh.private_keys }}" + when: unix_user.value.ssh.private_keys is defined and unix_user.value.ssh.private_keys | length >= 0 + +- name: Extract public SSH keys from private keys for user {{ unix_user.key }} + command: "ssh-keygen -y -f {{ user_user_home }}/.ssh/{{ item }} > {{ user_user_home }}/.ssh/{{ item }}.pub" + args: + creates: "{{ user_user_home }}/.ssh/{{ item }}.pub" + with_items: + - "{{ unix_user.value.ssh.private_keys }}" + when: unix_user.value.ssh.private_keys is defined and unix_user.value.ssh.private_keys | length >= 0 + +- name: Correct permissions of public SSH keys for user {{ unix_user.key }} + file: + path: "{{ user_user_home }}/.ssh/{{ item }}.pub" + owner: "{{ unix_user.key }}" + group: "{{ unix_user.value.group | default('users') }}" + mode: 0644 + with_items: + - "{{ unix_user.value.ssh.private_keys }}" + when: unix_user.value.ssh.private_keys is defined and unix_user.value.ssh.private_keys | length >= 0 + +- name: Create custom SSH client config for user {{ unix_user.key }} + 
template: + src: config.j2 + dest: "{{ user_user_home }}/.ssh/config" + owner: "{{ unix_user.key }}" + group: "{{ unix_user.value.group | default('users') }}" + mode: 0644 + when: unix_user.value.ssh.config is defined and unix_user.value.ssh.config | length >= 0 + +- name: Remove custom SSH client config for user {{ unix_user.key }} + file: + path: "{{ user_user_home }}/.ssh/config" + state: absent + when: unix_user.value.ssh.config is not defined - name: Create .forward file to forward emails for user {{ unix_user.key }} template: diff --git a/tasks/main.yml b/tasks/main.yml index 70853d2..28bf3b9 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,15 +1,5 @@ --- -- name: Remove unix groups - include_tasks: remove_unix_group.yml - with_dict: "{{ unix_groups }}" - loop_control: - loop_var: unix_group - when: unix_groups is defined and - unix_groups | length > 0 and - unix_group.value.state is defined and - unix_group.value.state == 'absent' - - name: Remove unix user include_tasks: remove_unix_user.yml with_dict: "{{ unix_users }}" @@ -20,6 +10,16 @@ unix_user.value.state is defined and unix_user.value.state == 'absent' +- name: Remove unix groups + include_tasks: remove_unix_group.yml + with_dict: "{{ unix_groups }}" + loop_control: + loop_var: unix_group + when: unix_groups is defined and + unix_groups | length > 0 and + unix_group.value.state is defined and + unix_group.value.state == 'absent' + - name: Create unix groups include_tasks: create_unix_group.yml with_dict: "{{ unix_groups }}" diff --git a/tasks/remove_unix_group.yml b/tasks/remove_unix_group.yml index 7f7e9c6..fd45ddd 100644 --- a/tasks/remove_unix_group.yml +++ b/tasks/remove_unix_group.yml @@ -2,5 +2,5 @@ - name: Remove unix group {{ unix_group.key }} group: - name: "{{ unix_group.value.name }}" + name: "{{ unix_group.key }}" state: absent \ No newline at end of file diff --git a/tasks/remove_unix_user.yml b/tasks/remove_unix_user.yml index 6205202..372b7a2 100644 
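Review bot: The "Extract public SSH keys" task runs `ssh-keygen -y -f … > ….pub` through the `command` module, which does not invoke a shell, so `>` and the output path are passed to ssh-keygen as extra arguments; the `.pub` file is never written, `creates:` never matches, and the task errors or re-runs on every play. Either switch that line to `shell: "ssh-keygen -y -f {{ user_user_home }}/.ssh/{{ item }} > {{ user_user_home }}/.ssh/{{ item }}.pub"`, or keep `command`, `register` its stdout and write it with `copy: content:` so the file mode is set in one step instead of in the separate "Correct permissions" task. The new `when:` guards on the three private-key tasks and on "Create custom SSH client config" test `| length >= 0`, which is always true, so they degrade to a plain `is defined` check; they should read `| length > 0` like the `authorized_keys` guard just above. `ssh-keygen -y` also prompts for a passphrase on an encrypted private key and would hang the play, so the "Create private SSH keys" task should document that the files under `ssh/private_keys/` must be unencrypted OpenSSH keys, and, since `copy` decrypts vault-encrypted sources by default, that they are expected to be stored vault-encrypted in the playbook tree. The enclosing task list continues before and after this hunk.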
--- a/tasks/remove_unix_user.yml +++ b/tasks/remove_unix_user.yml @@ -1,7 +1,7 @@ --- - name: Remove unix user {{ unix_user.key }} - group: - name: "{{ unix_user.value.name }}" + user: + name: "{{ unix_user.key }}" state: absent remove: yes \ No newline at end of file diff --git a/templates/authorized_keys.j2 b/templates/authorized_keys.j2 index 459c4c7..1a246ed 100644 --- a/templates/authorized_keys.j2 +++ b/templates/authorized_keys.j2 @@ -2,6 +2,6 @@ # # {{ ansible_managed }} # -{% for key in unix_user.value.ssh_keys.public %} -{{ lookup('file', 'ssh/pubkeys/' + key) }} +{% for key in unix_user.value.ssh.authorized_keys %} +{{ lookup('file', 'ssh/authorized_keys/' + key) }} {% endfor %} diff --git a/templates/config.j2 b/templates/config.j2 new file mode 100644 index 0000000..ec88203 --- /dev/null +++ b/templates/config.j2 @@ -0,0 +1,14 @@ +#jinja2: lstrip_blocks: True +# +# {{ ansible_managed }} +# + +{% for config in unix_user.value.ssh.config %} +{% for property, value in config.items() %} +{% if property == "Host" %} +{{ property }} {{ value }} +{% else %} + {{ property }} = {{ value }} +{% endif %} +{% endfor %} +{% endfor %} \ No newline at end of file
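Review bot: The new template relies on `Host` being the first key of each `config` mapping: `config.items()` iterates in insertion order, so a user who lists `StrictHostKeyChecking` before `Host` gets that option rendered before the `Host` line, where it attaches to the previous block (or to the global section). Emit the `Host` line explicitly before the inner loop and skip that key inside it, as below. A `Match` entry would likewise be rendered indented as if it were an option; if only `Host` blocks are supported, a comment in the defaults example saying so would prevent surprises. The task that renders this template could additionally pass `validate: "ssh -G -F %s localhost"` so an unknown keyword is rejected before the file replaces the user's working config.
```jinja
{# … unchanged: jinja2 header and ansible_managed comment … #}
{% for config in unix_user.value.ssh.config %}
Host {{ config.Host }}
{% for property, value in config.items() %}
{% if property != "Host" %}
  {{ property }} = {{ value }}
{% endif %}
{% endfor %}
{% endfor %}
```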