From 46fdeef29ae02baee161398daddba5aefc00ec17 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pelayo=20Garc=C3=ADa?=
Date: Sat, 28 Jan 2023 00:22:17 +0100
Subject: [PATCH 1/4] feat: enable multiuser mode by default

---
 defaults/main.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index ecce23c..db8b399 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,2 +1,3 @@
 ---
-# defaults file for sys-admins
\ No newline at end of file
+# defaults file for sys-admins
+sysadmin_multi_user: true

From 8ea54420e7604bca3d70f04672864fbf8ecdae32 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pelayo=20Garc=C3=ADa?=
Date: Sat, 28 Jan 2023 00:23:41 +0100
Subject: [PATCH 2/4] feat: add single user task

---
 tasks/singleuser.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 tasks/singleuser.yml

diff --git a/tasks/singleuser.yml b/tasks/singleuser.yml
new file mode 100644
index 0000000..dce4fe7
--- /dev/null
+++ b/tasks/singleuser.yml
@@ -0,0 +1,13 @@
+---
+- name: Install sudo command
+  apt:
+    pkg: sudo
+    state: present
+
+- name: Add SSH public keys to system administrators
+  authorized_key:
+    user: "{{ sysadmin_username }}"
+    key: "{{ lookup('file', item.ssh_key) }}"
+    state: "{{ item.state }}"
+  when: item.state == "present"
+  with_items: "{{ sys_admins }}"

From 0ddbafbe6f73e82ccb218aafbfc2905fa6738936 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pelayo=20Garc=C3=ADa?=
Date: Sat, 28 Jan 2023 00:23:48 +0100
Subject: [PATCH 3/4] refactor: split the logic between single/multiuser

---
 tasks/main.yml | 46 +++++++++++++--------------------------------
 tasks/multiuser.yml | 34 +++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 33 deletions(-)
 create mode 100644 tasks/multiuser.yml

diff --git a/tasks/main.yml b/tasks/main.yml
index 79a8f5d..2c0417f 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
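Review bot: The new `sysadmin_multi_user: true` default carries no comment, so a user of the role reading defaults/main.yml cannot tell what the two modes do or that the single-user path depends on a second variable that is not declared here. A comment above it would make the contract visible where it is looked for, e.g. `# true: one account per sys_admins entry (tasks/multiuser.yml); false: every sys_admins key is added to the existing account named by sysadmin_username (tasks/singleuser.yml)`. Declaring `sysadmin_username` with a placeholder value here would be tempting, but it would defeat the `is not defined` check PATCH 3/4 adds in tasks/main.yml, so the comment should instead state that the variable has no default on purpose.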
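Review bot: The `when: item.state == "present"` on the authorized_key task skips every entry whose `state` is `absent`, so a departed administrator's key is never removed from the shared account's authorized_keys; in the multiuser path the `user` task deletes the account, but in this file nothing revokes access. Dropping the `when` line lets `state: "{{ item.state }}"` reach authorized_key, which removes the matching key for absent entries (the key file must still exist for the `lookup('file', ...)` to resolve). Separately, this task reads `sysadmin_username` while the README added in PATCH 4/4 documents the setting as `sysadmin_user`; one of the two names must change or the documented configuration has no effect. The Debian-specific `apt` task also looks redundant in this mode, since the README states the target account already has root privileges, though that is a judgement call.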
@@ -1,34 +1,14 @@
 ---
-- name: Install sudo command
-  apt:
-    pkg: sudo
-    state: present
-
-- name: Create group for system administration
-  group:
-    name: "{{ sys_admin_group }}"
-    state: present
-
-- name: Create users for system administration
-  user:
-    name: "{{ item.name }}"
-    state: "{{ item.state }}"
-    shell: "/bin/bash"
-    groups: "{{ sys_admin_group }}"
-    append: yes
-  with_items: "{{ sys_admins }}"
-
-- name: Add SSH public keys to system administrators
-  authorized_key:
-    user: "{{ item.name }}"
-    key: "{{ lookup('file', item.ssh_key) }}"
-    state: "{{ item.state }}"
-  when: item.state == "present"
-  with_items: "{{ sys_admins }}"
-
-- name: Copy sudoers configuration for system administrators
-  template:
-    src: sudoers.j2
-    dest: "/etc/sudoers.d/90-sys-admins"
-    mode: 0440
-    group: "{{ sys_admin_group }}"
+- import_tasks: multiuser.yml
+  when: sysadmin_multi_user
+
+- import_tasks: singleuser.yml
+  when: not sysadmin_multi_user
+
+- name: Fail if multiusers vars are not not set
+  fail:
+    msg: "sysadmin_multi_user must be set to true or false. If false, sysadmin_username must be set."
+  when:
+    - sysadmin_multi_user is not defined
+    - sysadmin_multi_user is not boolean
+    - sysadmin_multi_user is false and sysadmin_username is not defined
diff --git a/tasks/multiuser.yml b/tasks/multiuser.yml
new file mode 100644
index 0000000..79a8f5d
--- /dev/null
+++ b/tasks/multiuser.yml
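Review bot: The `Fail if multiusers vars are not not set` task can never fire: a `when:` list is AND-ed, and `sysadmin_multi_user is not defined`, `sysadmin_multi_user is not boolean` and `sysadmin_multi_user is false and sysadmin_username is not defined` cannot all hold for the same value, so the guard is dead and a missing `sysadmin_username` only surfaces later as an undefined-variable error inside singleuser.yml. It is also placed after the two imports it is meant to protect, and `when: not sysadmin_multi_user` on an undefined variable would itself fail before the check is reached. Move the fail task above both `import_tasks` entries and collapse the list into a single condition, `when: sysadmin_multi_user is not boolean or (not sysadmin_multi_user and sysadmin_username is not defined)`; an undefined value should not satisfy the `boolean` test, which would cover the first case, but that is worth confirming against the Ansible version in use. The task name's `not not` reads as a typo as well.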
@@ -0,0 +1,34 @@
+---
+- name: Install sudo command
+  apt:
+    pkg: sudo
+    state: present
+
+- name: Create group for system administration
+  group:
+    name: "{{ sys_admin_group }}"
+    state: present
+
+- name: Create users for system administration
+  user:
+    name: "{{ item.name }}"
+    state: "{{ item.state }}"
+    shell: "/bin/bash"
+    groups: "{{ sys_admin_group }}"
+    append: yes
+  with_items: "{{ sys_admins }}"
+
+- name: Add SSH public keys to system administrators
+  authorized_key:
+    user: "{{ item.name }}"
+    key: "{{ lookup('file', item.ssh_key) }}"
+    state: "{{ item.state }}"
+  when: item.state == "present"
+  with_items: "{{ sys_admins }}"
+
+- name: Copy sudoers configuration for system administrators
+  template:
+    src: sudoers.j2
+    dest: "/etc/sudoers.d/90-sys-admins"
+    mode: 0440
+    group: "{{ sys_admin_group }}"

From 464b99097d9cc2c73fd9b3b41a1a74b262b41db0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pelayo=20Garc=C3=ADa?=
Date: Sat, 28 Jan 2023 00:24:13 +0100
Subject: [PATCH 4/4] docs: add single user mode documentation

---
 README.md | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index b764bb9..a8ea405 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,7 @@ With this role you can:
 * Create system administrator users
 * Remove system administrator users
 * Add `sudo` permissions to system administrator users
+* Add multiple ssh keys to a single system administrator user
 
 This role need be runned with `sudo` access.
 
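Review bot: The `Copy sudoers configuration` task writes `/etc/sudoers.d/90-sys-admins` with no `validate` option, so a template rendering error installs a drop-in that `sudo` refuses to parse and every administrator managed by this role loses sudo in one run; adding `validate: 'visudo -cf %s'` to the `template` task makes Ansible syntax-check the rendered file before it is put in place. `mode: 0440` is an unquoted octal that YAML 1.1 parsers read as a decimal integer, and `append: yes` is a YAML 1.1 truthy; `mode: "0440"` and `append: true` are the unambiguous forms. This file is the old tasks/main.yml moved verbatim (the index shows the same blob 79a8f5d), so these are inherited rather than introduced, but the new file is where they should be fixed.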
@@ -41,11 +42,24 @@ System Administrators vars:
 
 ### `sys_admin_group`
 
-The name of the system adnimistrators group
+The name of the system administrators group
 
 ```yaml
 sys_admin_group: sysadmin-group
 ```
+
+## Single user mode
+When you are restricted to a single user, you must set the `sysadmin_multi_user` variable to `false` and set the `sysadmin_user` variable with the user name. The user must be already created on the server with root privileges.
+
+This will iterate over the `sys_admins` list and add each user key to the authorized keys for the user defined in `sysadmin_user` variable.
+
+This mode is disabled by default.
+
+ ```yaml
+ sysadmin_multi_user: false
+ sysadmin_user: "sysadmin"
+ ```
+
 
 Example Playbook
 ----------------