| ... |
... |
@@ -59,12 +59,6 @@ if 'ssh' in TAGS or 'all' in TAGS: |
|
59
|
59
|
src=resolve_file_location(config['ssh']['sshdConfigFile']),
|
|
60
|
60
|
dest='/etc/ssh/sshd_config'
|
|
61
|
61
|
))
|
|
62
|
|
- if config['ssh']['trustedUserCAKeysFile']:
|
|
63
|
|
- put_operations.append(files.put(
|
|
64
|
|
- name=f"Put file trusted-user-ca-keys.pem",
|
|
65
|
|
- src=resolve_file_location(config['ssh']['trustedUserCAKeysFile']),
|
|
66
|
|
- dest='/etc/ssh/trusted-user-ca-keys.pem'
|
|
67
|
|
- ))
|
|
68
|
62
|
if config['ssh']['motdFile']:
|
|
69
|
63
|
put_operations.append(files.put(
|
|
70
|
64
|
name=f"Put file motd",
|
| ... |
... |
@@ -90,9 +84,15 @@ netbox_users = get_netbox_users_from_dns_name(host.name, NETBOX_URL, NETBOX_TOKE |
|
90
|
84
|
if ('users/root' in TAGS or 'all' in TAGS):
|
|
91
|
85
|
# TODO: immutable?
|
|
92
|
86
|
if config['ssh']['manageRootKeys']:
|
|
|
87
|
+ root_keys = ''
|
|
|
88
|
+ if config['ssh']['trustedUserCAKeysFile']:
|
|
|
89
|
+ with open(resolve_file_location(config['ssh']['trustedUserCAKeysFile'])) as f:
|
|
|
90
|
+ root_keys += 'cert-authority,principals="ansible" ' + f.read()
|
|
|
91
|
+ with open(HOSTS_CONF / 'defaults' / 'other' / 'root_keys') as f:
|
|
|
92
|
+ root_keys += f.read()
|
|
93
|
93
|
files.put(
|
|
94
|
94
|
name="Configure root_keys",
|
|
95
|
|
- src=HOSTS_CONF / 'defaults' / 'other' / 'root_keys',
|
|
|
95
|
+ src=StringIO(root_keys),
|
|
96
|
96
|
dest='/root/.ssh/root_keys',
|
|
97
|
97
|
user='root',
|
|
98
|
98
|
group='root',
|
| ... |
... |
@@ -116,11 +116,6 @@ if ('users/root' in TAGS or 'all' in TAGS): |
|
116
|
116
|
# ----------
|
|
117
|
117
|
if ('users/etc' in TAGS or 'all' in TAGS):
|
|
118
|
118
|
apt.packages(name="Ensure sudo package is installed", packages='sudo')
|
|
119
|
|
- files.put(
|
|
120
|
|
- name="Configure sudo to allow no password",
|
|
121
|
|
- src=StringIO("%sudo ALL=(ALL) NOPASSWD:ALL\n"),
|
|
122
|
|
- dest="/etc/sudoers.d/sudo-nopasswd"
|
|
123
|
|
- )
|
|
124
|
119
|
netbox_groups = set(itertools.chain(*(user.groups for user in netbox_users))) - {'root'}
|
|
125
|
120
|
for group in netbox_groups:
|
|
126
|
121
|
server.group(name=f"Setup group {group}", group=group)
|
| ... |
... |
@@ -213,6 +208,16 @@ if ('users/etc' in TAGS or 'all' in TAGS): |
|
213
|
208
|
if found_users != set(netbox_user_names_that_exist):
|
|
214
|
209
|
print(f"[{host.name}] New found users: {found_users} - {set(netbox_user_names_that_exist)} = {found_users - set(netbox_user_names_that_exist)}")
|
|
215
|
210
|
|
|
|
211
|
+# ---
|
|
|
212
|
+# cleanup
|
|
|
213
|
+# ---
|
|
|
214
|
+
|
|
|
215
|
+server.user('ansible', present=False)
|
|
|
216
|
+server.group('ansible', present=False)
|
|
|
217
|
+files.file('/etc/howto', present=False)
|
|
|
218
|
+files.file('/etc/sudoers.d/ansible-nopasswd', present=False)
|
|
|
219
|
+files.file('/etc/ssh/trusted-user-ca-keys.pem', present=False)
|
|
|
220
|
+
|
|
216
|
221
|
# TODO: mail
|
|
217
|
222
|
# mailRcFile -> /etc/mail.rc
|
|
218
|
223
|
# msmtprcFile -> /etc/msmtprc (jinja2)
|