Initial commit

8c6b55bb · jurgenhaas · 8c6b55bb · 8c6b55bb · 8c6b55bb · 8c6b55bb
Commit 8c6b55bb authored 9 years ago by jurgenhaas
--- a/defaults/main.yml
+++ b/defaults/main.yml
+commonauth_extras: []
+auth_certs: []
--- a/tasks/commonauth.yml
+++ b/tasks/commonauth.yml
+---
+# file: roles/commonauth/tasks/commonauth.yml
+
+- name: 'Common | Create The /etc/hosts File'
+  template: src=etc_hosts
+            dest=/etc/hosts
+            owner=root
+            group=root
+            mode=0644
+  when: scope == 'all'
+
+- name: 'User | Create All Required Users'
+  user: name={{item}}
+        group=root
+        groups=root,sudo,www-data
+        home=/home/{{item}}
+        generate_ssh_key=yes
+        ssh_key_bits=2048
+        password={{initial_password}}
+        update_password=on_create
+  with_items: admins
+
+- name: 'User | Copy SSH Config For Server-To-Server Communication For Admins'
+  template: src=ssh_config
+            dest=/home/{{item}}/.ssh/config
+            owner={{item}}
+            group=root
+            mode=644
+  with_items: admins
+
+- include: distribute_certs.yml
+  when: distribute_certs
+
+- name: 'User | Install Public Key For Extra Users'
+  authorized_key: user={{item.username}}
+                  key="{{lookup('file', inventory_dir + '/files/certs/' + item.certname + '.d2s.pub')}}"
+  with_items: auth_certs
+
--- a/tasks/distribute_certs.yml
+++ b/tasks/distribute_certs.yml
+# ================= Rebuild cert auth for all admins ===========================
+
+---
+# file: roles/commonauth/tasks/distribute_certs.yml
+
+- name: 'Certs | Remove the fresh auth file in case it does already exist'
+  file:
+    path=/home/{{item}}/.ssh/auth_keys_fresh
+    state=absent
+  with_items: admins
+
+- name: 'Certs | Install Public Keys For Desktop-To-Server Communication in a fresh file'
+  authorized_key: user={{item}}
+                  key="{{lookup('file', inventory_dir + '/files/certs/' + item + '.d2s.pub')}}"
+                  path="/home/{{item}}/.ssh/fresh_auth_keys_{{item}}"
+  with_items: admins
+
+- name: 'Certs | Read public key of tunnel user'
+  command: more /home/{{tunnel_user_name}}/.ssh/id_rsa.pub
+  register: pubkey
+
+- name: 'Certs | Distribute public key of tunnel user'
+  authorized_key: user={{tunnel_user_name}}
+                  key="{{pubkey.stdout}} {{inventory_hostname}}"
+                  path="/home/{{tunnel_user_name}}/.ssh/fresh_auth_keys_tunnel_{{inventory_hostname}}"
+  delegate_to: '{{item}}'
+  with_items: groups.all
+
+- name: 'Certs | Merge all public keys'
+  shell: cat /home/{{item}}/.ssh/fresh_auth_keys* > /home/{{item}}/.ssh/auth_keys_fresh
+  with_items: admins
+
+- name: 'Certs | Remove temp files'
+  shell: rm /home/{{item}}/.ssh/fresh_auth_keys_*
+  with_items: admins
+
+- name: 'Certs | Set ownership of authorized key file'
+  shell: chown {{item}}:root /home/{{item}}/.ssh/auth_keys_fresh
+  with_items: admins
+
+- name: 'Certs | Set permission for authorized key file'
+  shell: chmod 600 /home/{{item}}/.ssh/auth_keys_fresh
+  with_items: admins
+
+- name: 'Certs | Make sure the authorized_keys file exists'
+  file: name='/home/{{item}}/.ssh/authorized_keys'
+        state=touch
+  with_items: admins
+
+- name: 'Certs | Move the fresh auth file to replace the old one'
+  shell: rm /home/{{item}}/.ssh/authorized_keys && mv /home/{{item}}/.ssh/auth_keys_fresh /home/{{item}}/.ssh/authorized_keys
+  with_items: admins
--- a/tasks/main.yml
+++ b/tasks/main.yml
+---
+# file: roles/commonauth/tasks/main.yml
+
+- include: commonauth.yml
+  when: role_commonauth_completed is not defined
+
+- name: 'Commonauth | Remember that this role had been run'
+  set_fact: role_commonauth_completed=true
+  when: role_commonauth_completed is not defined
--- a/templates/etc_hosts
+++ b/templates/etc_hosts
+127.0.0.1 localhost.localdomain localhost
+::1       localhost6.localdomain6 localhost6
+127.0.0.1 localhost
+::1	      localhost ip6-localhost ip6-loopback
+fe00::0	  ip6-localnet
+ff00::0	  ip6-mcastprefix
+ff02::1	  ip6-allnodes
+ff02::2	  ip6-allrouters
+
+127.0.0.1 {{inventory_hostname}}
+{% for host in groups['all'] %}
+{% if hostvars[host] is defined %}
+{% if default_proxy is defined and default_proxy %}
+{% if hostvars[host]['default_domain'] is defined %}
+{{hostvars[default_proxy]['proxy_address']}} {{hostvars[host]['default_domain']}}
+{% endif %}
+{% if hostvars[host]['proxy_domains'] is defined %}
+{% for domain in hostvars[host]['proxy_domains'] %}
+{{hostvars[default_proxy]['proxy_address']}} {{domain}}
+{% endfor %}
+{% endif %}
+{% if hostvars[host]['proxy_ssl_domains'] is defined %}
+{% for domain in hostvars[host]['proxy_ssl_domains'] %}
+{{hostvars[default_proxy]['proxy_address']}} {{domain}}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% if hostvars[host]['static_ipv4'] is defined %}
+{{hostvars[host]['static_ipv4']}} {{host}}
+{% elif hostvars[host]['ansible_default_ipv4'] is defined %}
+{{hostvars[host]['ansible_default_ipv4']['address']}} {{host}}
+{% endif %}
+{% endif %}
+{% endfor %}
+
+{% for host in commonauth_extras %}
+{{host.ip}}{% for name in host['names'] %} {{name}}{% endfor %}
+
+{% endfor %}
--- a/templates/ssh_config
+++ b/templates/ssh_config
+# See all parameters at http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config
+
+StrictHostKeyChecking no
+ForwardAgent yes
+
+{% for host in commonauth_extras %}
+{% if host[certfile] is defined %}
+{% for name in host['names'] %}
+Host {{name}}
+  IdentityFile ~/.ssh/{{host[certfile]}}
+
+{% endfor %}
+{% endif %}
+{% endfor %}
+Host *
+  IdentityFile ~/.ssh/id_rsa