[Git][root/services/setup-hosts][main] feat: use user "root" instead of ansible

Fernando K pushed to branch main at Root / Serviços / Setup Hosts Commits: fbcb69e3 by Fernando Monteiro Kiotheka at 2025-08-06T16:12:11-03:00 feat: use user "root" instead of ansible - - - - - 3 changed files: - configure_hosts.py - env_inventory.py - ssh_config Changes:
=====================================
configure_hosts.py
=====================================
@@ -59,12 +59,6 @@ if 'ssh' in TAGS or 'all' in TAGS:
 src=resolve_file_location(config['ssh']['sshdConfigFile']),
 dest='/etc/ssh/sshd_config'
 ))
- if config['ssh']['trustedUserCAKeysFile']:
- put_operations.append(files.put(
- name=f"Put file trusted-user-ca-keys.pem",
- src=resolve_file_location(config['ssh']['trustedUserCAKeysFile']),
- dest='/etc/ssh/trusted-user-ca-keys.pem'
- ))
 if config['ssh']['motdFile']:
 put_operations.append(files.put(
 name=f"Put file motd",
@@ -90,9 +84,15 @@ netbox_users = get_netbox_users_from_dns_name(host.name, NETBOX_URL, NETBOX_TOKE
 if ('users/root' in TAGS or 'all' in TAGS):
 # TODO: immutable?
 if config['ssh']['manageRootKeys']:
+ root_keys = ''
+ if config['ssh']['trustedUserCAKeysFile']:
+ with open(resolve_file_location(config['ssh']['trustedUserCAKeysFile'])) as f:
+ root_keys += 'cert-authority,principals="ansible" ' + f.read()
+ with open(HOSTS_CONF / 'defaults' / 'other' / 'root_keys') as f:
+ root_keys += f.read()
 files.put(
 name="Configure root_keys",
- src=HOSTS_CONF / 'defaults' / 'other' / 'root_keys',
+ src=StringIO(root_keys),
 dest='/root/.ssh/root_keys',
 user='root', group='root',
@@ -116,11 +116,6 @@ if ('users/root' in TAGS or 'all' in TAGS):
 # ----------
 if ('users/etc' in TAGS or 'all' in TAGS):
 apt.packages(name="Ensure sudo package is installed", packages='sudo')
- files.put(
- name="Configure sudo to allow no password",
- src=StringIO("%sudo ALL=(ALL) NOPASSWD:ALL\n"),
- dest="/etc/sudoers.d/sudo-nopasswd"
- )
 netbox_groups = set(itertools.chain(*(user.groups for user in netbox_users))) - {'root'}
 for group in netbox_groups:
 server.group(name=f"Setup group {group}", group=group)
@@ -213,6 +208,16 @@ if ('users/etc' in TAGS or 'all' in TAGS):
 if found_users != set(netbox_user_names_that_exist):
 print(f"[{host.name}] New found users: {found_users} - {set(netbox_user_names_that_exist)} = {found_users - set(netbox_user_names_that_exist)}")
+# ---
+# cleanup
+# ---
+
+server.user('ansible', present=False)
+server.group('ansible', present=False)
+files.file('/etc/howto', present=False)
+files.file('/etc/sudoers.d/ansible-nopasswd', present=False)
+files.file('/etc/ssh/trusted-user-ca-keys.pem', present=False)
+
 # TODO: mail
 # mailRcFile -> /etc/mail.rc
 # msmtprcFile -> /etc/msmtprc (jinja2)
=====================================
env_inventory.py
=====================================
@@ -1,8 +1,8 @@
 import os
-HOSTS = os.environ['HOSTS']
+HOSTS = os.environ['HOSTS'].replace(',', ' ').split()
 hosts = [
- (host, { 'ssh_config_file': 'ssh_config', '_sudo': True })
+ (host, { 'ssh_config_file': 'ssh_config' })
 for host in HOSTS
 ]
=====================================
ssh_config
=====================================
@@ -1,4 +1,4 @@
 Host *
- User ansible
+ User root
 IdentityFile key
 CertificateFile key-cert.pub
View it on GitLab: https://gitlab.c3sl.ufpr.br/root/services/setup-hosts/-/commit/fbcb69e340015... -- View it on GitLab: https://gitlab.c3sl.ufpr.br/root/services/setup-hosts/-/commit/fbcb69e340015... You're receiving this email because of your account on gitlab.c3sl.ufpr.br.
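Review bot: The cleanup block appended at the end of configure_hosts.py is not tag-gated, while its replacement — the `cert-authority,principals="ansible"` entry written into /root/.ssh/root_keys in the `@@ -90,9 +84,15 @@` hunk — only runs when `'users/root'` is in TAGS and `config['ssh']['manageRootKeys']` is true, so a run with a narrower tag set deletes `/etc/ssh/trusted-user-ca-keys.pem`, the `ansible` user and `/etc/sudoers.d/ansible-nopasswd` without installing the new CA entry, which can leave a host with no working certificate login. Gating the block like the rest of the file, e.g. `if 'users/root' in TAGS or 'all' in TAGS:`, or moving it after the root_keys put inside that condition, avoids that. If the managed sshd_config template still names `TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem` (the template is not on this page), it needs updating in the same commit, since sshd would otherwise be pointed at a deleted file. In the root_keys hunk (its trailing context is cut off here) the CA file content is appended with `+ f.read()` and the defaults file is concatenated straight after it, so a CA file without a final newline merges the CA entry and the first default key into one invalid line; `f.read().rstrip('\n') + '\n'` on both reads makes the result independent of the source files' trailing whitespace.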
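Review bot: `HOSTS = os.environ['HOSTS'].replace(',', ' ').split()` silently yields an empty inventory when HOSTS is set but empty or contains only separators, so a run does nothing without saying why; `HOSTS = os.environ.get('HOSTS', '').replace(',', ' ').split()` followed by `if not HOSTS: raise SystemExit("HOSTS must list at least one host (comma- or space-separated)")` makes both the unset and the empty case explicit. The accepted separator format is new and only readable from the expression, so a comment above the line, e.g. `# HOSTS: hostnames separated by commas and/or whitespace`, would document it.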
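Review bot: `User root` makes every run a direct root session authenticated with `key-cert.pub`, which only works if that certificate carries the principal `ansible` now pinned by `principals="ansible"` in /root/.ssh/root_keys (configure_hosts.py) and if the managed sshd_config, which is not on this page, permits root login by key. That coupling is invisible from this file; a comment such as `# root login via the CA-signed cert; the cert's principal must be "ansible" (see root_keys in configure_hosts.py)` above `Host *` would record it.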