Diffstat (limited to 'roles')
-rw-r--r-- | roles/ad/hosts/default.yml | 4 | ||||
-rw-r--r-- | roles/ssh_keys/main.yml | 2 | ||||
-rw-r--r-- | roles/ssh_keys/tasks/main.yml.2016-10-03.01 | 63 | ||||
-rw-r--r-- | roles/sudo/main.yml | 6 | ||||
-rw-r--r-- | roles/sudo/tasks/2 | 25 | ||||
-rw-r--r-- | roles/sudo/tasks/main.yml | 63 | ||||
-rw-r--r-- | roles/sudo/tests/test.yml | 12 | ||||
-rw-r--r-- | roles/sudo/vars/FreeBSD.yml | 4 | ||||
-rw-r--r-- | roles/sudo/vars/default.yml | 4 |
9 files changed, 181 insertions, 2 deletions
diff --git a/roles/ad/hosts/default.yml b/roles/ad/hosts/default.yml new file mode 100644 index 0000000..d7bc1a7 --- /dev/null +++ b/roles/ad/hosts/default.yml @@ -0,0 +1,4 @@ +# This file exists to ensure the directory is generated if ever packed in a tarball or something. +# This directory, hosts/, may be used for specific hosts to get specific variables +--- +ad_access_filter: SHOULD NEVER SEE THIS diff --git a/roles/ssh_keys/main.yml b/roles/ssh_keys/main.yml index 9022768..430c387 100644 --- a/roles/ssh_keys/main.yml +++ b/roles/ssh_keys/main.yml @@ -4,5 +4,3 @@ - vars/default.yml tasks: - include: tasks/main.yml - handlers: - - handlers/main.yml diff --git a/roles/ssh_keys/tasks/main.yml.2016-10-03.01 b/roles/ssh_keys/tasks/main.yml.2016-10-03.01 new file mode 100644 index 0000000..89d8d89 --- /dev/null +++ b/roles/ssh_keys/tasks/main.yml.2016-10-03.01 
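Review bot: `ad_access_filter: SHOULD NEVER SEE THIS` in roles/ad/hosts/default.yml is a sentinel default for what is presumably an access-control filter, and nothing in this diff stops that literal text from being rendered into whatever consumes the variable on a host that has no override of its own. If the file exists only to keep the hosts/ directory in place, the role is safer failing early, e.g. an `assert` task with `that: ad_access_filter != 'SHOULD NEVER SEE THIS'` before the variable is used, so a missing per-host value is a visible play failure rather than an odd filter on the target. The consumer of the variable is not in this diff, so whether an unmatched filter fails open or closed cannot be told from here.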
@@ -0,0 +1,63 @@
+---
+- name: ssh_keys get vars
+ include_vars: default.yml
+
+- name: ssh_keys get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+#- shell: echo "{{ item | basename | regex_replace('\.pubkeys?$','') }}"
+# with_fileglob:
+# - '*.pubkey'
+# - '*.pubkeys'
+# register: users_to_check
+
+#- debug: var=ssh_key_strings
+#- debug: var=ssh_key_files
+
+- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh'
+ with_items:
+ - '{{ ssh_key_strings }}'
+ register: "s"
+ when: ssh_key_strings is defined
+
+- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh'
+ with_items:
+ - '{{ ssh_key_files }}'
+ register: "r"
+ when: ssh_key_files is defined
+
+#- debug: msg='{{ item.stat.exists }}'
+# with_flattened:
+# - '{{ r.results }}'
+
+- name: ssh_keys deploy keys from files
+ template:
+ src: "roles/ssh_keys/files/{{ item.item.file }}"
+ dest: '{{ master_home_dir }}/{{ item.item.user }}/.ssh/authorized_keys'
+ mode: 0600
+ owner: '{{ item.item.user }}'
+ with_items:
+ - '{{ r.results }}'
+ when:
+ - item.stat.exists is defined
+ - '{{ item.stat.exists }}'
+ - r is defined
+
+- name: ssh_keys deploy keys from strings
+ lineinfile:
+ line: '{{ item.item.string }}'
+ regexp: "{{ item.item.string | regex_replace('^(.{40}).*$','\\1') }}"
+ dest: '{{ master_home_dir }}/{{ item.item.user }}/.ssh/authorized_keys'
+ mode: 0600
+ owner: '{{ item.item.user }}'
+ create: yes
+ state: present
+ with_items:
+ - '{{ s.results }}'
+ when:
+ - item.stat.exists is defined
+ - '{{ item.stat.exists }}'
+ - s is defined
diff --git a/roles/sudo/main.yml b/roles/sudo/main.yml
new file mode 100644
index 0000000..430c387
--- /dev/null
+++ b/roles/sudo/main.yml
@@ -0,0 +1,6 @@
+---
+- hosts: all
+ vars_files:
+ - vars/default.yml
+ tasks:
+ - include: tasks/main.yml
diff --git a/roles/sudo/tasks/2 b/roles/sudo/tasks/2
new file mode 100644
index 0000000..5dd7b7f
--- /dev/null
+++ b/roles/sudo/tasks/2
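Review bot: In `ssh_keys deploy keys from strings` the `regexp` is the first 40 characters of the key string used verbatim as a regular expression; public keys of one type share a long common prefix (constructed example: every `ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB...` key), so adding a second key for the same user replaces the first instead of appending, and the base64 `+` characters are unescaped quantifiers. The `authorized_key` module already parses and de-duplicates keys and accepts a `path` for the non-standard home layout used here, so the hand-built regexp can go. The file name `main.yml.2016-10-03.01` looks like a dated backup copy that roles/ssh_keys/main.yml never includes; if that is unintended it should not be committed. `mode: 0600` is an unquoted octal that YAML 1.1 parsers hand to Ansible as the integer 384 — quote it (`mode: '0600'`) here and in the two roles/sudo task files.
```yaml
- name: ssh_keys deploy keys from strings
  authorized_key:
    user: '{{ item.item.user }}'
    key: '{{ item.item.string }}'
    path: '{{ master_home_dir }}/{{ item.item.user }}/.ssh/authorized_keys'
    manage_dir: false
    state: present
  with_items:
    - '{{ s.results }}'
  # … unchanged: when clause …
```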
@@ -0,0 +1,25 @@
+---
+- name: sudo get vars
+ include_vars: default.yml
+
+- name: sudo get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+- debug: msg="{{ item | regex_replace('^.*\/','') }}"
+ with_items:
+ - '{{ sudo_files }}'
+
+- name: sudo deploy rules from files
+ template:
+ src: "roles/sudo/files/{{ item.file }}"
+ dest: "{{ sudo_rules_dir }}/{{ item.file | regex_replace('^.*\/','a') }}"
+ mode: 0440
+ owner: '{{ sudo_root_user }}'
+ group: '{{ sudo_root_group }}'
+ with_items:
+ - '{{ sudo_files }}'
+ when:
+ - sudo_files is defined
diff --git a/roles/sudo/tasks/main.yml b/roles/sudo/tasks/main.yml
new file mode 100644
index 0000000..07fda25
--- /dev/null
+++ b/roles/sudo/tasks/main.yml
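Review bot: roles/sudo/tasks/2 reads like a scratch copy of tasks/main.yml rather than a deliverable: it keeps a bare `debug` task, its `dest` filter `regex_replace('^.*\/','a')` prefixes every deployed file name with a literal `a`, and nothing in roles/sudo/main.yml includes it. If it is work in progress it should be dropped from the commit; if it is meant to stay it needs a `.yml` name and a header comment such as `# Experimental variant of tasks/main.yml; not included by the role` so its status is explicit.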
@@ -0,0 +1,63 @@
+---
+- name: sudo get vars
+ include_vars: default.yml
+
+- name: sudo get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+- stat: path='{{ sudo_rules_dir }}/{{ item.priority }}_{{ item.name }}' #'
+ with_items:
+ - '{{ sudo_strings }}'
+ register: "s"
+ when: sudo_strings is defined
+
+- name: sudo deploy rules from files
+ template:
+ src: "roles/sudo/files/{{ item.file }}"
+ dest: "{{ sudo_rules_dir }}/{{ item.file | regex_replace('.*/','') }}"
+ mode: 0440
+ owner: '{{ sudo_root_user }}'
+ group: '{{ sudo_root_group }}'
+ with_items:
+ - '{{ sudo_files }}'
+ when:
+ - sudo_files is defined
+
+- name: sudo remove rules from files
+ file: path='{{ sudo_rules_dir }}/{{ item.file | regex_replace('.*/','') }}' state='absent'
+ with_items:
+ - '{{ sudo_files }}'
+ when:
+ - sudo_files is defined
+ - ( not item.exists ) or ( '{{ item.exists | lower }}' == 'false' )
+
+#- debug: msg='foo'
+# with_items: '{{ s.results }}'
+
+- name: sudo deploy rules from strings
+ lineinfile:
+ line: "{{ item.item.content }}"
+ regexp: "{{ item.item.content | regex_replace('^(.{8}).*$','\\1') }}"
+ dest: '{{ sudo_rules_dir }}/{{ item.item.priority }}_{{ item.item.name }}'
+ mode: 0600
+ owner: '{{ sudo_root_user }}'
+ group: '{{ sudo_root_group }}'
+ create: yes
+ state: present
+ with_items:
+ - '{{ s.results }}'
+ when:
+ - item.stat.exists is defined
+ - s is defined
+ - '{{ item.item.exists }}'
+
+- name: sudo remove rules from strings
+ file: path='{{ sudo_rules_dir }}/{{ item.item.priority }}_{{ item.item.name }}' state='absent'
+ with_items:
+ - '{{ s.results }}'
+ when:
+ - s is defined
+ - ( not item.item.exists ) or ( '{{ item.item.exists | lower }}' == 'false' )
diff --git a/roles/sudo/tests/test.yml b/roles/sudo/tests/test.yml
new file mode 100644
index 0000000..e15f798
--- /dev/null
+++ b/roles/sudo/tests/test.yml
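Review bot: Both tasks that write into `sudo_rules_dir` (`sudo deploy rules from files` and `sudo deploy rules from strings`) hand sudo a new file with no syntax check, and a parse error in any sudoers.d file makes sudo refuse to run on the host; add `validate: '/usr/sbin/visudo -cf %s'` to the `template` and `lineinfile` tasks so a broken rule fails the play instead of the host. The `lineinfile` `regexp` is the first 8 characters of the rule used unescaped as a regex, so two rules sharing a prefix (two `User_Alias` lines, for example) overwrite each other and `(ALL)` in a rule is read as a group; if in-place updating is not needed, match the whole rule with `regexp: '^{{ item.item.content | regex_escape }}$'`. The string-deployed files get `mode: 0600` while the templated ones on the same directory get `mode: 0440`; the two tasks should agree, and sudo's own expectation for sudoers files is the read-only mode. The `( not item.exists ) or ( '{{ item.exists | lower }}' == 'false' )` conditions and the templated `'{{ item.item.exists }}'` collapse to `not (item.exists | bool)` and `item.item.exists | bool`, which accept both the string and the boolean forms the test data uses without templating inside `when`.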
@@ -0,0 +1,12 @@ +--- +- name: Test playbook for sudo + hosts: test + remote_user: root + roles: + - sudo + vars: + sudo_strings: + - { priority: 42, exists: 'false', name: 'admins-do-all', content: 'User_Alias ADMINS = bgstack15, bgstack15, user16, user16' } + - { priority: 43, exists: false, name: 'a', content: "ADMINS ALL=(ALL) ALL" } + sudo_files: + - { exists: 'false', file: '../../../company/sudo-files/40_bgstack15' } diff --git a/roles/sudo/vars/FreeBSD.yml b/roles/sudo/vars/FreeBSD.yml new file mode 100644 index 0000000..0205496 --- /dev/null +++ b/roles/sudo/vars/FreeBSD.yml @@ -0,0 +1,4 @@ +--- +sudo_rules_dir: /usr/local/etc/sudoers.d/ +sudo_root_user: root +sudo_root_group: wheel diff --git a/roles/sudo/vars/default.yml b/roles/sudo/vars/default.yml new file mode 100644 index 0000000..80e6de4 --- /dev/null +++ b/roles/sudo/vars/default.yml @@ -0,0 +1,4 @@ +--- +sudo_rules_dir: /etc/sudoers.d/ +sudo_root_user: root +sudo_root_group: root |
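Review bot: The fixture in roles/sudo/tests/test.yml mixes `exists: 'false'` (a string) on the first `sudo_strings` entry and on the `sudo_files` entry with `exists: false` (a boolean) on the second, which is the ambiguity the role's `when` clauses contort themselves to tolerate; use the boolean `false` throughout unless the string form is deliberately under test, and if it is, mark that with a comment such as `# string form on purpose: exercises the '{{ exists | lower }}' branch`. The vars files on this line define `sudo_rules_dir` with a trailing slash (`/etc/sudoers.d/`, `/usr/local/etc/sudoers.d/`) while the tasks append another `/`, producing paths like `/etc/sudoers.d//42_name`; harmless on POSIX but worth dropping the trailing slash from the vars.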