From fe6cdb2443c77c3fd0858df10f8b60ce3c4b1481 2015-08-30 19:14:54 From: Branko Majic Date: 2015-08-30 19:14:54 Subject: [PATCH] MAR-19: Simplified the parameters for common role, making a lot of them optional with some sane defaults. Switched to using an actual list for additional groups. --- diff --git a/docs/rolereference.rst b/docs/rolereference.rst index a69fbe9d7e6d5148e994cff742dc78c988ed3279..04b87d3d456137b40d51976a56387c9ccf2bc972 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -227,11 +227,11 @@ The role implements the following: Parameters ~~~~~~~~~~ -**apt_proxy** (string, optional) +**apt_proxy** (string, optional, ``None``) URI of a caching proxy that should be used when retrieving the packages via - apt. Default is no proxy. + apt. -**os_users** (list, optional) +**os_users** (list, optional, ``[]``) A list of operating system users that should be set-up on a server. Each item is a dictionary with the following options describing the user parameters: 
@@ -239,50 +239,48 @@ Parameters Name of the operating system user that should be created. User's default group will have the same name as the user. - **uid** (number, mandatory) + **uid** (number, optional, ``whatever OS picks``) UID for the operating system user. User's default group will have a GID - identical to the user's UID. + identical to the user's UID if specified. Otherwise user's default group + will have OS-determined GID. - **additional_groups** (string, mandatory) - Comma-separated list of additional groups that a user should belong to. If - no additional groups should be appended to user's list of groups, set it to - empty string (``""``). + **additional_groups** (list, optional, ``[]``) + Comma-separated list of additional groups that a user should belong to. - **authorized_keys** (list, mandatory) + **authorized_keys** (list, optional, ``[]``) List of SSH public keys that should be deployed to user's authorized_keys - truststore. If no authorized keys should be deployed, set it to empty list - (``[]``). + truststore. - **password** (string, mandatory) + **password** (string, optional, ``!`` - no password) Encrypted password that should be set for the user. -**os_groups** (list, optional) +**os_groups** (list, optional, ``[]``) A list of operating system groups that should be set-up on a server. Each item is a dictionary with the following options describing the group parameters: **name** (string, mandatory) Name of the operating system group that should be created. - **gid** (number, mandatory) + **gid** (number, optional, ``whatever OS picks``) GID for the operating system group. -**common_packages** (list, optional) +**common_packages** (list, optional, ``[]``) List of additional operating system packages that should be installed on the server. Each element of the list should be a simple string denoting the name of the package. 
-**ca_certificates** (list, optional) +**ca_certificates** (list, optional, ``[]``) List of additional CA certificate files that should be deployed on the server. Each element of the list should be a filepath to a CA certificate file on originating (Ansible) host that should be copied to destination server. -**incoming_connection_limit** (string, mandatory) +**incoming_connection_limit** (string, optional, ``3/second``) Rate at which the incoming ICMP echo-request packages and new TCP connections will be accepted at. The value should be specified in the same format as value for the ``iptables hashlimit`` option ``--hashlimit-upto``. -**incoming_connection_limit_burst** (string, mandatory) +**incoming_connection_limit_burst** (string, optional, ``9``) Initial burst of packages that should be accepted when the client with distinct source IP address connects to the server for the first time (usually higher than ``incoming_connection_limit``), even if it would go above the @@ -302,14 +300,13 @@ packages on all servers: os_users: - name: admin uid: 1000 - additional_groups: sudo + additional_groups: + - sudo authorized_keys: - "{{ lookup('file', '/home/admin/.ssh/id_rsa.pub') }}" password: '$6$AaJRWtqyX5pk$IP8DUjgY0y2zqMom9BAc.O9qHoQWLFCmEsPRCika6l/Xh87cp2SnlMywH0.r4uEcbHnoicQG46V9VrJ8fxp2d.' - name: john uid: 1001 - additional_groups: "" - authorized_keys: [] password: '$6$AaJRWtqyX5pk$IP8DUjgY0y2zqMom9BAc.O9qHoQWLFCmEsPRCika6l/Xh87cp2SnlMywH0.r4uEcbHnoicQG46V9VrJ8fxp2d.' os_groups: diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 1eff92c9daba7cecc1cba597a171f9100d87c7af..606782c3309774266df367e3fd6511c0f9c62812 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -3,4 +3,6 @@ packages: [] os_users: [] os_groups: [] -ca_certificates: [] \ No newline at end of file +ca_certificates: [] +incoming_connection_limit: 3/second +incoming_connection_limit_burst: 9 \ No newline at end of file 
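Review bot: The two new defaults in roles/common/defaults/main.yml are appended while the file still ends without a trailing newline (the `\ No newline at end of file` marker stays on the new side), so every further addition will keep producing the same noisy last-line diff; terminating `incoming_connection_limit_burst: 9` with a newline is a one-character fix. The surrounding context shows this file defining `packages: []`, whereas the tasks hunk iterates `with_items: common_packages` and the documentation names the parameter `common_packages`; if that key is not defined elsewhere, a commit that is adding defaults is the natural place to align it as `common_packages: []`. Whether `packages: []` is the hunk's header context or its first context line, it is a line of this file, so the mismatch is visible rather than inferred.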
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 5c08716f0dcad4317739488fb59cc1176753bb71..b173a4058f7808c386cbacaa7a8e47e65fcde973 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -30,23 +30,23 @@ with_items: common_packages - name: Set-up operating system groups - group: name="{{ item.name }}" gid="{{ item.gid }}" state=present + group: name="{{ item.name }}" gid="{{ item.gid | default(omit) }}" state=present with_items: os_groups - name: Set-up operating system user groups - group: name="{{ item.name }}" gid="{{ item.uid }}" state=present + group: name="{{ item.name }}" gid="{{ item.uid | default(omit) }}" state=present with_items: os_users - name: Set-up operating system users - user: name="{{ item.name }}" uid="{{ item.uid }}" group="{{ item.name }}" - groups="{{ item.additional_groups }}" append=yes shell=/bin/bash state=present - password="{{ item.password }}" + user: name="{{ item.name }}" uid="{{ item.uid | default(omit) }}" group="{{ item.name }}" + groups="{{ ",".join(item.additional_groups | default([])) }}" append=yes shell=/bin/bash state=present + password="{{ item.password | default('!') }}" with_items: os_users - name: Set-up authorised keys authorized_key: user="{{ item.0.name }}" key="{{ item.1 }}" with_subelements: - - os_users + - "{{ os_users | selectattr('authorized_keys', 'defined') | list }}" - authorized_keys - name: Disable remote logins for root diff --git a/testsite/group_vars/all.yml b/testsite/group_vars/all.yml index 5d1da81cd183639a9233fb9c1ac4d1b8a86e4fe7..2cdfa0a62e94bbf9ddf7df81b146c1695c04893c 100644 --- a/testsite/group_vars/all.yml +++ b/testsite/group_vars/all.yml 
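Review bot: The rewritten `groups=` argument on the "Set-up operating system users" task nests literal double quotes (`",".join(...)`) inside a double-quoted key=value string, which relies on Ansible's argument splitter tolerating quotes inside a Jinja block and reads as a Python method call rather than a filter; the filter form avoids both, `groups="{{ item.additional_groups | default([]) | join(',') }}"`. With either spelling, an inventory entry still carrying the old string form (`additional_groups: sudo`) is iterated character by character by `join`, so the format change needs calling out, and the docs hunk in this same commit still describes `additional_groups` as a "Comma-separated list" although it is now a list. The `selectattr('authorized_keys', 'defined')` filter on the `with_subelements` source correctly skips users without the key, while an explicit `authorized_keys: []` is still iterated and yields nothing, which matches the new defaults. The task list continues before and after this hunk, so the `common_packages` loop it opens on is only partly visible here.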
@@ -15,14 +15,16 @@ ansible_key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}" os_users: - name: admin uid: 1000 - additional_groups: sudo + additional_groups: + - sudo authorized_keys: - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}" password: '$6$/aerscJY6aevRG$ABBCymEDtk2mHW/dklre9dMEdgZNJvVHsGLCzgjGmy61FssZ.KW7ePcO2wsMGIkHcg3mZlrA4dhYh.APq9OQu0' - name: johndoe uid: 1001 - additional_groups: "office,developer" - authorized_keys: [] + additional_groups: + - office + - developer password: '$6$cJnUatae7cMz23fl$O3HE2TslnEaKaTDSZnvuDDrfqILAiuMV1wOPGVnkUQFxUu3gIWZOyO7AI1OWYkqeQMVBiezpSqYNiQy6NF6bi0' os_groups: