From aed8122abaab63568e43cd39d5b672cb8fd7ac09 Mon Sep 17 00:00:00 2001
From: vincent
Date: Sun, 6 Nov 2022 19:14:27 +0100
Subject: [PATCH] dedicated ansible user and dedicated sssd playbook

---
 ansible/group_vars/all/sssd | 2 +-
 ansible/makefile | 5 +----
 ansible/molecule/default/molecule.yml | 2 +-
 ansible/playbooks/sssd.yml | 23 +++++++++++++++++++++++
 ansible/site.yml | 1 +
 5 files changed, 27 insertions(+), 6 deletions(-)
 create mode 100644 ansible/playbooks/sssd.yml

diff --git a/ansible/group_vars/all/sssd b/ansible/group_vars/all/sssd
index 6778875..9650a7c 100644
--- a/ansible/group_vars/all/sssd
+++ b/ansible/group_vars/all/sssd
@@ -5,5 +5,5 @@ ldap_uri: "ldaps://ldap.ducamps.win"
 ldap_sudo_search_base: "ou=sudoers,dc=ducamps,dc=win"
 ldap_default_bind_dn : "uid=vaultserviceaccount,cn=users,dc=ducamps,dc=win"
 ldap_password : "{{lookup('hashi_vault', 'secret=secrets/data/ansible/other:vaulserviceaccount')}}"
-
+userPassword: "{{lookup('hashi_vault', 'secret=secrets/data/ansible/user:userPassword')}}"
diff --git a/ansible/makefile b/ansible/makefile
index 63d5616..ce111e0 100644
--- a/ansible/makefile
+++ b/ansible/makefile
@@ -3,10 +3,7 @@ requirements:
 ansible-galaxy install -g -r roles/requirements.yml
 
 deploy_production:
- ansible-playbook site.yml -i production
-
-deploy_staging:
- ansible-playbook site.yml -i staging
+ ansible-playbook site.yml -i production -u ansible
 
 generate-token:
 @echo export VAULT_TOKEN=`vault token create -policy=ansible -field="token" -period 6h`
diff --git a/ansible/molecule/default/molecule.yml b/ansible/molecule/default/molecule.yml
index 0e21f6b..38f1219 100644
--- a/ansible/molecule/default/molecule.yml
+++ b/ansible/molecule/default/molecule.yml
@@ -25,7 +25,7 @@ platforms:
 provisioner:
 name: ansible
 connection_options:
- ansible_ssh_user: vincent
+ ansible_ssh_user: ansible
 ansible_become: true
 env:
 ANSIBLE_CONFIG: ../../ansible.cfg
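Review bot: `userPassword` is the only camelCase key in a file that otherwise uses snake_case (`ldap_uri`, `ldap_password`), and nothing records which form the secret takes; playbooks/sssd.yml in this same patch passes it straight to the user module's `password` parameter, which expects an already-crypted hash rather than a cleartext. Renaming it to `user_password` and adding `# crypted password hash for the local fallback account; never the cleartext` above the line would make both points explicit to the next maintainer.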
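Review bot: Putting the login user on the `deploy_production` command line (`-u ansible`) only covers that one target, so the same value now lives in two places in this patch (here and in molecule.yml) and any direct `ansible-playbook site.yml -i production` run still connects as the local user. Setting `remote_user = ansible` under `[defaults]` in ansible.cfg (the file molecule.yml already points at through `ANSIBLE_CONFIG`), or `ansible_user=ansible` in the inventory, would apply to every invocation and let this line go back to `ansible-playbook site.yml -i production`. The hunk also drops the `deploy_staging` target, which the subject line does not mention; if a staging inventory still exists it presumably needs the same user change rather than removal.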
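Review bot: `ansible_ssh_user` is the pre-2.0 spelling of this connection variable and is deprecated in favour of `ansible_user`; since the line is being rewritten anyway, `ansible_user: ansible` avoids the deprecated name. The surrounding `connection_options` block is otherwise unchanged.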
diff --git a/ansible/playbooks/sssd.yml b/ansible/playbooks/sssd.yml
new file mode 100644
index 0000000..eae6837
--- /dev/null
+++ b/ansible/playbooks/sssd.yml
@@ -0,0 +1,23 @@
+---
+- hosts: all
+ roles:
+ - role: ansible-role-sssd
+ become: True
+ tasks:
+ - name: simulate login
+ stat:
+ path: "/home/{{user.name}}"
+ become: true
+ become_user: "{{user.name}}"
+ when: sssd_configure == true
+ - name: create profil
+ user:
+ name: "{{user.name}}" # required. Name of the user to create, remove or modify.
+ create_home: yes # not required. Unless set to C(no), a home directory will be made for the user when the account is created or if the home directory does not exist.,Changed from C(createhome) to C(create_home) in version 2.5.
+ password: "{{userPassword}}" # not required. Optionally set the user's password to this crypted value.,On macOS systems, this value has to be cleartext. Beware of security issues.,See U(https://docs.ansible.com/ansible/faq.html#how-do-i-generate-crypted-passwords-for-the-user-module) for details on various ways to generate these password values.
+ system: no # not required. When creating an account C(state=present), setting this to C(yes) makes the user a system account. This setting cannot be changed on existing users.
+ state: present # not required. choices: absent;present. Whether the account should exist or not, taking action if the state is different from what is stated.
+ ssh_key_file: .ssh/id_rsa # not required. Optionally specify the SSH key filename. If this is a relative filename then it will be relative to the user's home directory.
+ uid: "{{ user.uid }}"
+ shell: /bin/bash
+ when: sssd_configure is not defined or sssd_configure == false
diff --git a/ansible/site.yml b/ansible/site.yml
index 1af2f57..4458a73 100644
--- a/ansible/site.yml
+++ b/ansible/site.yml
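Review bot: The two task guards disagree on an undefined `sssd_configure`: `when: sssd_configure == true` on the "simulate login" task fails with an undefined-variable error on any host that does not set it, while the "create profil" task explicitly handles that case with `sssd_configure is not defined or ...`; `when: sssd_configure | default(false) | bool` and `when: not (sssd_configure | default(false) | bool)` keep the two branches complementary. The "create profil" task passes `password: "{{userPassword}}"` without `no_log: true`, so whatever the vault secret holds is echoed in task results and callback output; the module expects a crypted hash, and if the vault entry is cleartext it needs `password_hash('sha512')` applied first — confirm what the secret contains. `ssh_key_file` is, as far as the user module goes, only honoured together with `generate_ssh_key`, so that line looks like a no-op here. The role itself runs on every host regardless of `sssd_configure`; presumably the role honours that variable internally, but that is worth confirming. Style: `become: True`, `create_home: yes` and `system: no` are YAML 1.1 truthy spellings that yamllint flags, and the inline comments are the module's pasted documentation; `true`/`false`, trimmed comments and `name: create profile` would read like the rest of the repo.
```yaml
# … unchanged: play header and roles …
  tasks:
    - name: simulate login
      stat:
        path: "/home/{{ user.name }}"
      become: true
      become_user: "{{ user.name }}"
      when: sssd_configure | default(false) | bool
    - name: create profile
      user:
        name: "{{ user.name }}"
        create_home: true
        password: "{{ userPassword }}"  # crypted hash expected; hash a cleartext secret first
        system: false
        state: present
        ssh_key_file: .ssh/id_rsa  # only used together with generate_ssh_key — confirm intent
        uid: "{{ user.uid }}"
        shell: /bin/bash
      no_log: true  # keep the password argument out of task output and callbacks
      when: not (sssd_configure | default(false) | bool)
```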
@@ -1,4 +1,5 @@
 ---
+- import_playbook: playbooks/sssd.yml
 - import_playbook: playbooks/server.yml
 - import_playbook: playbooks/wireguard.yml
 - import_playbook: playbooks/HashicorpStack.yml