init

This commit is contained in:
decentral1se 2022-03-15 11:39:22 +01:00
commit abafe10f2d
No known key found for this signature in database
GPG Key ID: 03789458B3D0C410
14 changed files with 213 additions and 0 deletions

13
.ansible-lint.yml Normal file

@ -0,0 +1,13 @@
---
skip_list:
- "106"
- "204"
- "207"
- "208"
- "301"
- "305"
- "503"
- "602"
- "no-log-password"
- yaml
- "risky-shell-pipe"
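Review bot: Skipping `no-log-password` turns off the ansible-lint check that would otherwise warn about password-bearing tasks lacking `no_log: true`, and this role does pass a password hash to the `user` module in tasks/users.yml while `.envrc.sample` sets `MOLECULE_NO_LOG=False`, so nothing else in the repo guards that output. If the skip is deliberate for the molecule run, a comment above the entry such as `# no_log is intentionally off so molecule can show credentials; do not rely on this outside test runs` keeps the next reader from either deleting it or assuming the check is active. `yaml` on the preceding line is the only unquoted entry in the list; quote it like the others for consistency.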

14
.drone.yml Normal file

@ -0,0 +1,14 @@
----
kind: pipeline
name: default
steps:
- name: integration test
image: python:3.9-buster
environment:
REMOTE_USER: molecule
HCLOUD_TOKEN:
from_secret: HCLOUD_TOKEN
commands:
- pip install -r requirements.txt
- export INSTANCE_UUID=$(pwgen 8 1)
- molecule test
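Review bot: The first line of the file reads `----` rather than the document-start marker `---`; as rendered that is four dashes, which a YAML parser treats as a plain scalar and will most likely reject once `kind: pipeline` follows, and the failing build status on this commit is consistent with that (a rendering artifact cannot be ruled out, so check the raw file). No linter in this commit would catch it, because `.yamllint.yml` lists `.drone.yml` under `ignore` and the molecule lint step excludes it from ansible-lint as well; change the marker to `---`. `export INSTANCE_UUID=$(pwgen 8 1)` also assumes `pwgen` is present in `python:3.9-buster`, which is not obviously the case — if it is missing the variable is empty and the instance name in molecule.yml loses its per-run suffix, so either install it in a prior command or use `$RANDOM` as `.envrc.sample` does.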

18
.envrc.sample Normal file

@ -0,0 +1,18 @@
# Your username that you use for accounts on our machines.
export REMOTE_USER=
export ANSIBLE_USER=$REMOTE_USER
# The path to our pass credentials store
export PASSWORD_STORE_DIR=
# The Hetzner Cloud API token for managing our instances
# Uncomment the prod/test line below depending on what you're doing
# export HCLOUD_TOKEN=$(pass show logins/hetzner/prod/api_key)
# export HCLOUD_TOKEN=$(pass show logins/hetzner/test/api_key)
export HCLOUD_TOKEN=$(pass show logins/hetzner/cicd/api_key)
# For molecule role testing
export INSTANCE_UUID=$RANDOM
# So molecule will show credentials in the logs
export MOLECULE_NO_LOG=False
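Review bot: `export MOLECULE_NO_LOG=False` is loaded by direnv into every shell opened in this checkout, so every molecule run — not only the one being debugged — prints values that tasks would otherwise mask, including the generated user passwords, into the terminal and into any log that gets pasted elsewhere. Ship the line commented out and opt in per session: `# export MOLECULE_NO_LOG=False  # uncomment only while debugging; masked values will appear in output`. The header could also state that this file is meant to be copied to `.envrc` (which `.gitignore` excludes) and must not be committed once filled in.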

3
.gitignore vendored Normal file

@ -0,0 +1,3 @@
.env
.envrc
/.venv/

16
.yamllint.yml Executable file

@ -0,0 +1,16 @@
---
extends: default
yaml-files:
- "*.yaml"
- "*.yml"
ignore: |
.venv
.drone.yml
rules:
line-length: disable
braces:
max-spaces-inside: 1
level: error
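Review bot: The `ignore` block excludes `.drone.yml` from yamllint, but unlike ansible-lint (where a pipeline file is not a playbook) yamllint has no reason to skip plain YAML, and `.drone.yml` is the one file in this commit whose first line reads `----` instead of `---`, which yamllint would most likely have caught. Drop `.drone.yml` from the block scalar and keep only `.venv` there so the CI definition is linted. The file is also committed as an executable, which a config file does not need; `chmod -x .yamllint.yml` before the next commit.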

3
README.md Normal file

@ -0,0 +1,3 @@
# autonomic.add-users
[![Build Status](https://drone.autonomic.zone/api/badges/autonomic-cooperative/autonomic.add-users/status.svg?ref=refs/heads/main)](https://drone.autonomic.zone/autonomic-cooperative/autonomic.add-users)

4
defaults/main.yml Normal file

@ -0,0 +1,4 @@
---
pass_length: 30
user_groups:
- sudo
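Review bot: `user_groups` defaults to `[sudo]`, so every entry in `members` becomes an administrator unless the caller overrides the variable, and nothing in the commit documents that consequence. Add a comment above the key, e.g. `# Groups every managed account is appended to; the default grants sudo to all members`, and consider whether a per-member `groups` field in `members.yml` that falls back to this default in tasks/users.yml is the safer shape. `pass_length` could likewise carry `# length of the password generated in the password store under users/<name>/sudo/<host>`, which is the path tasks/users.yml looks up.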

6
handlers/main.yml Normal file

@ -0,0 +1,6 @@
---
- name: Restart SSH
become: true
service:
name: ssh
state: restarted
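Review bot: `state: restarted` does more than the `AllowUsers` edit needs: sshd re-reads its configuration on reload, whereas a full restart opens a window in which new connections fail and, if the edited `sshd_config` does not parse, leaves the host without a listening daemon. Use `state: reloaded` here and have the `replace` task in tasks/users.yml pass `validate: '/usr/sbin/sshd -t -f %s'` so a broken config is rejected before this handler ever runs. `become: true` appears only on this handler while the tasks in tasks/users.yml that write `/etc/ssh/sshd_config` and `/home/*` carry none, so either the play already runs as root (making this redundant) or those tasks fail first; whichever is intended, apply `become` consistently.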


@ -0,0 +1,29 @@
---
- name: Converge
hosts: all
vars:
members: files/members.yml
pre_tasks:
- name: Wait for Hetzner VPS networking to come up
pause:
seconds: 10
echo: false
- name: Include resource variables
include_vars: "{{ members }}"
# Note(decentral1se): We create the accounts before the role since we do
# not make molecule test this part of the role under test because we do not
# setup the password store. So, instead, we ensure the other parts are
# working.
- name: Prepare user accounts for the new role
user:
name: "{{ item.username }}"
shell: /bin/bash
password: "$apr1$GILkREir$r2zDF8rr9Bl8We9UVXnZl1"
groups: "{{ user_groups }}"
append: true
update_password: always
with_items: "{{ members }}"
roles:
- role: autonomic.add-users
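Review bot: The `user:` pre_task sets a fixed `$apr1$` (MD5-crypt) hash for every account it creates, and with the role default `user_groups: [sudo]` those accounts are sudo-capable on an internet-reachable Hetzner instance for the life of the run; the hash is committed, so the password is effectively public. Generate it per converge instead, `password: "{{ lookup('password', '/dev/null length=30') | password_hash('sha512') }}"`, which yields a fresh random value on each call without writing it anywhere. `members` also starts life as the path `files/members.yml` and is then replaced by the list from `include_vars` (which outranks play `vars`); since tasks/main.yml relies on the same two-phase meaning, a comment on the `vars:` entry such as `# path to the members file; include_vars below replaces this with the list` would spare the reader the double take.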


@ -0,0 +1,6 @@
---
members:
- username: foobar
email: barfoo
ssh_key: "ssh-rsa foo bar@nowhere.com"
uid: 1100


@ -0,0 +1,19 @@
---
dependency:
name: galaxy
driver:
name: hetznercloud
platforms:
- name: "autonomic.add-users-${INSTANCE_UUID}"
server_type: cx11
image: debian-10
provisioner:
name: ansible
lint: |
set -e
yamllint -c .yamllint.yml .
ansible-lint --exclude .drone.yml -c .ansible-lint.yml .
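Review bot: The platform name `"autonomic.add-users-${INSTANCE_UUID}"` has no fallback when `INSTANCE_UUID` is unset (the `.drone.yml` step derives it from `pwgen`, which the `python:3.9-buster` image may not provide), so two concurrent or leftover runs would share one Hetzner server name and a `molecule destroy` from one could remove the other's instance. Molecule's `${VAR:-default}` interpolation covers this cheaply: `- name: "autonomic.add-users-${INSTANCE_UUID:-local}"`. The `lint` block starting with `set -e` is fine; consider adding `-x` there so CI output shows which of the two linters failed.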

4
requirements.txt Normal file

@ -0,0 +1,4 @@
ansible-lint==6.0.0
ansible==5.4.0
molecule-hetznercloud==1.3.0
molecule==3.6.1

18
tasks/main.yml Normal file

@ -0,0 +1,18 @@
---
- name: Ensure mandatory variables are configured
assert:
that: "{{ item }} is defined"
fail_msg: "You must define the '{{ item }}' variable"
with_items:
- members
- name: Include resource variables
include_vars: "{{ members }}"
tags:
# Note(d1): we already load in converge.yml so skip here
- molecule-notest
# Note(d1): Done in this way because https://stackoverflow.com/a/39041069
- name: Include user addition tasks
include: users.yml user={{ item }}
with_items: "{{ members }}"
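Review bot: `include: users.yml user={{ item }}` on the last task relies on the bare `include` keyword, deprecated since ansible 2.4 in favour of `include_tasks`/`import_tasks`, and on the key=value form to pass a dict as `user`; it also leaks the outer loop's `item` into users.yml, which that file quietly depends on (`{{ item.email }}` in the `pass init` task sits next to `{{ user.username }}`). Switch to `include_tasks` with an explicit `loop_control.loop_var`, and change that `item.email` to `user.email` in users.yml in the same commit, otherwise `item` becomes undefined there. The `molecule-notest` tag on the `include_vars` task is explained by the comment above it; the same note would help on the include below, since the Stack Overflow link alone does not say what problem it works around.
```yaml
# … unchanged: assert and include_vars tasks …
- name: Include user addition tasks
  include_tasks: users.yml
  loop: "{{ members }}"
  loop_control:
    loop_var: user
```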

60
tasks/users.yml Normal file

@ -0,0 +1,60 @@
---
- name: "Create new user account"
block:
- name: Show which user account is being handled
debug:
msg: "Attempting to create account for {{ user.username }}..."
- name: Check if the user accounts already exists
getent:
database: passwd
key: "{{ user.username }}"
register: user_exists
ignore_errors: true
- name: Prepare password store entry
become: false
delegate_to: localhost
command: "pass init -p users/{{ user.username }}/sudo/ {{ item.email }}"
when: user_exists is failed
tags:
- molecule-notest
- name: Create a new user account with a new password
user:
name: "{{ user.username }}"
uid: "{{ user.uid }}"
shell: /bin/bash
password: "{{ lookup('passwordstore', 'users/{{ user.username }}/sudo/{{ inventory_hostname }} create=true length={{ pass_length }}') | password_hash('sha512') }}"
groups: "{{ user_groups }}"
append: true
update_password: always
when: user_exists is failed
tags:
- molecule-notest
- name: Make sure the user's .ssh directory exists
file:
path: "/home/{{ user.username }}/.ssh"
state: directory
owner: "{{ user.username }}"
group: "{{ user.username }}"
mode: "0700"
- name: Add new member's SSH key to authorized_keys file
blockinfile:
path: "/home/{{ user.username }}/.ssh/authorized_keys"
block: "{{ user.ssh_key }}"
state: present
create: true
mode: "0600"
owner: "{{ user.username }}"
group: "{{ user.username }}"
- name: "Add username to the SSH AllowUsers configuration"
replace:
backup: true
dest: /etc/ssh/sshd_config
regexp: '^(AllowUsers(?!.*\b{{ user.username }}\b).*)$'
replace: '\1 {{ user.username }}'
notify: Restart SSH
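Review bot: The `replace` task on `/etc/ssh/sshd_config` interpolates `{{ user.username }}` straight into the regexp, so a username containing a regex metacharacter (`.` is legal in Debian usernames) changes what the negative look-ahead matches, and the edited file is handed to the `Restart SSH` handler without any syntax check. Use `regexp: '^(AllowUsers(?!.*\b{{ user.username | regex_escape }}\b).*)$'` and add `validate: '/usr/sbin/sshd -t -f %s'` to the module args so a config that does not parse is never installed; note also that the task does nothing on a host with no existing `AllowUsers` line, which is worth a comment. Further up, `pass init ... {{ item.email }}` works only because the legacy `include` in tasks/main.yml leaks its loop variable into this file; write `user.email` like the surrounding references. The `user:` task builds its hash from the password-store lookup without a task-level `no_log: true` — the module presumably masks its own `password` argument, but `no_log` also keeps the rendered arguments out of verbose and failed-task output, which matters once `MOLECULE_NO_LOG=False` is in play. The file appears to end at this line (the renderer drops blank lines, which accounts for the 60-line hunk count), but the trailing newline is not visible here.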