From 330d321b645bebb553973b281f4d88f0b02a0a1f Mon Sep 17 00:00:00 2001 From: Kienan Stewart Date: Fri, 18 Oct 2024 11:24:56 -0400 Subject: [PATCH] ansible: Add access tag for managing users Change-Id: I6668b982a1bf470b68f868ed680d9216fc2b2741 Signed-off-by: Kienan Stewart --- automation/ansible/README.md | 10 ++- .../ansible/roles/common-node/tasks/main.yml | 2 + .../ansible/roles/common/tasks/main.yml | 6 ++ .../roles/common/tasks/users-Windows.yml | 33 +++++----- .../ansible/roles/common/tasks/users.yml | 62 ++++++++++--------- 5 files changed, 68 insertions(+), 45 deletions(-) diff --git a/automation/ansible/README.md b/automation/ansible/README.md index 9bb4328..faf76d5 100644 --- a/automation/ansible/README.md +++ b/automation/ansible/README.md @@ -30,11 +30,19 @@ bw sync -f ``` ansible-playbook -i hosts [-l SUBSET] site.yaml ``` +## Tags -## Skip slow tasks +* access: Any user / ssh access tasks +* slow: Any tasks that may take a long time + +### Example: Skip slow tasks `ansible-playbook --skip-tags slow` +### Example: Only manage users/SSH keys + +`ansible-playbook -t access` + # Bootstrapping hosts ## CI host diff --git a/automation/ansible/roles/common-node/tasks/main.yml b/automation/ansible/roles/common-node/tasks/main.yml index c55884d..c9c5470 100644 --- a/automation/ansible/roles/common-node/tasks/main.yml +++ b/automation/ansible/roles/common-node/tasks/main.yml @@ -1,6 +1,8 @@ --- # Include variables and define needed variables. - name: Include OS-specific variables. + tags: + - always ansible.builtin.include_vars: "{{ item }}" with_first_found: - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}.yml" diff --git a/automation/ansible/roles/common/tasks/main.yml b/automation/ansible/roles/common/tasks/main.yml index 6a562d4..c77b473 100644 --- a/automation/ansible/roles/common/tasks/main.yml +++ b/automation/ansible/roles/common/tasks/main.yml 
@@ -1,6 +1,8 @@ --- # Include variables and define needed variables. - name: Include OS-specific variables. + tags: + - always ansible.builtin.include_vars: "{{ item }}" with_first_found: - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}.yml" @@ -26,7 +28,11 @@ # Setup user accounts - ansible.builtin.include_tasks: users.yml + tags: + - access when: ansible_os_family != 'Windows' - ansible.builtin.include_tasks: users-Windows.yml + tags: + - access when: ansible_os_family == 'Windows' diff --git a/automation/ansible/roles/common/tasks/users-Windows.yml b/automation/ansible/roles/common/tasks/users-Windows.yml index 0a61c88..a164707 100644 --- a/automation/ansible/roles/common/tasks/users-Windows.yml +++ b/automation/ansible/roles/common/tasks/users-Windows.yml 
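Review bot: The `tags: [access]` added to the two `ansible.builtin.include_tasks` entries in the second hunk only tags the include task itself — for a dynamic include the tag is not inherited by the included tasks, which is presumably why this commit also wraps the bodies of users.yml and users-Windows.yml in tagged blocks. The same effect can be obtained in one place with `apply`, so the tag would not have to be repeated (and kept in sync) in every included file; the outer `tags` is still required so the include runs under `-t access`. The `tags: always` on the include_vars task in the first hunk is correct, but if any task between that hunk and the "Setup user accounts" section sets facts the users tasks rely on, it would need `always` as well — not visible here, worth checking.
```yaml
# Setup user accounts
- ansible.builtin.include_tasks:
    file: users.yml
    apply:
      tags:
        - access
  tags:
    - access
  when: ansible_os_family != 'Windows'
# … unchanged: same shape for users-Windows.yml …
```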
@@ -1,18 +1,21 @@ --- -- name: Create jenkins user - ansible.windows.win_user: - name: jenkins - state: "{{ (jenkins_user|bool) | ternary('present', 'absent') }}" +- tags: + - access + block: + - name: Create jenkins user + ansible.windows.win_user: + name: jenkins + state: "{{ (jenkins_user|bool) | ternary('present', 'absent') }}" -- name: Create jenkins user dotssh folder - when: jenkins_user|bool - ansible.windows.win_file: - state: directory - path: "c:/users/jenkins/.ssh" + - name: Create jenkins user dotssh folder + when: jenkins_user|bool + ansible.windows.win_file: + state: directory + path: "c:/users/jenkins/.ssh" -- name: Deploy jenkins authorized_keys - when: jenkins_user|bool - ansible.windows.win_copy: - # yamllint disable-line rule:line-length - content: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA3fwpioVLDoCQsQkYK5bOwPb8N0EXeYm2MleBQTfqxtKaqWWbmUtFXAiyclKHRspjcAiIKwwqLyhPopHBqJzmXnB0GsfGmxXJ6wSBgKJ4kdBVRM+nKlK0wCl1oQkFeV/Xl3jzt1Ey96XiNWlesfkvgcMCpsJzQ7/xRb9IcghskzlQbLOwDNir/156JgAYUYvOLqNCcE+xcgPxJGanfZDXTLkfBYxaeaB8isBPeEU6fhPvu/W055M1uB7E0qhcbFtuKCBu1Fg4jzsW4yDU8+ZB1b5mAXwEAuMbVGMrOf4rjtTpGpQd6XFsXpFT28NU1u5j2cUbtANJalkNDX/UY6XJ jenkins@ci-master-02' - dest: 'c:/users/jenkins/.ssh/authorized_keys' + - name: Deploy jenkins authorized_keys + when: jenkins_user|bool + ansible.windows.win_copy: + # yamllint disable-line rule:line-length + content: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA3fwpioVLDoCQsQkYK5bOwPb8N0EXeYm2MleBQTfqxtKaqWWbmUtFXAiyclKHRspjcAiIKwwqLyhPopHBqJzmXnB0GsfGmxXJ6wSBgKJ4kdBVRM+nKlK0wCl1oQkFeV/Xl3jzt1Ey96XiNWlesfkvgcMCpsJzQ7/xRb9IcghskzlQbLOwDNir/156JgAYUYvOLqNCcE+xcgPxJGanfZDXTLkfBYxaeaB8isBPeEU6fhPvu/W055M1uB7E0qhcbFtuKCBu1Fg4jzsW4yDU8+ZB1b5mAXwEAuMbVGMrOf4rjtTpGpQd6XFsXpFT28NU1u5j2cUbtANJalkNDX/UY6XJ jenkins@ci-master-02' + dest: 'c:/users/jenkins/.ssh/authorized_keys' diff --git a/automation/ansible/roles/common/tasks/users.yml b/automation/ansible/roles/common/tasks/users.yml index d4c05ec..8f7e1cf 100644 
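Review bot: The jenkins public key is still a hard-coded literal in the `win_copy` task here and, character for character, in the `authorized_key` task in users.yml, so rotating the CI master's key means editing two task files and forgetting one leaves a stale key accepted on one platform. Define it once as a role variable (e.g. `jenkins_ssh_authorized_key` in the role's defaults) and reference it from both tasks as `content: "{{ jenkins_ssh_authorized_key }}"`. Separately, if the jenkins account is a member of the local Administrators group, Windows OpenSSH (with its default sshd_config) reads `%ProgramData%\ssh\administrators_authorized_keys` and ignores `c:/users/jenkins/.ssh/authorized_keys`; this file does not show the account's group membership, so a comment stating that jenkins is expected to be a non-admin user would make the assumption explicit.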
--- a/automation/ansible/roles/common/tasks/users.yml +++ b/automation/ansible/roles/common/tasks/users.yml 
@@ -1,34 +1,38 @@ --- -- name: Set up authorized_keys for the root user - authorized_key: - user: 'root' - key: "{% for key in query('fileglob', 'public_keys/*.pub') %}{{ lookup('file', key) ~ '\n'}}{% endfor %}\n{% for key in lookup('vars', 'extra_root_ssh_authorized_keys', default=[]) %}{{ key ~ '\n' }}{% endfor %}" - exclusive: true +- tags: + - access + block: + - name: Set up authorized_keys for the root user + authorized_key: + user: 'root' + key: "{% for key in query('fileglob', 'public_keys/*.pub') %}{{ lookup('file', key) ~ '\n'}}{% endfor %}\n{% for key in lookup('vars', 'extra_root_ssh_authorized_keys', default=[]) %}{{ key ~ '\n' }}{% endfor %}" + exclusive: true -- name: Remove ubuntu user - user: - name: ubuntu - state: absent - remove: yes + - name: Remove ubuntu user + user: + name: ubuntu + state: absent + remove: yes -- name: Remove debian user - user: - name: debian - state: absent - remove: yes + - name: Remove debian user + user: + name: debian + state: absent + remove: yes -- name: Create jenkins user - when: jenkins_user | bool - user: - name: 'jenkins' + - name: Create jenkins user + when: jenkins_user | bool + user: + name: 'jenkins' -- name: Set up authorized_keys for the jenkins user - when: jenkins_user | bool - authorized_key: - user: 'jenkins' - # yamllint disable-line rule:line-length - key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA3fwpioVLDoCQsQkYK5bOwPb8N0EXeYm2MleBQTfqxtKaqWWbmUtFXAiyclKHRspjcAiIKwwqLyhPopHBqJzmXnB0GsfGmxXJ6wSBgKJ4kdBVRM+nKlK0wCl1oQkFeV/Xl3jzt1Ey96XiNWlesfkvgcMCpsJzQ7/xRb9IcghskzlQbLOwDNir/156JgAYUYvOLqNCcE+xcgPxJGanfZDXTLkfBYxaeaB8isBPeEU6fhPvu/W055M1uB7E0qhcbFtuKCBu1Fg4jzsW4yDU8+ZB1b5mAXwEAuMbVGMrOf4rjtTpGpQd6XFsXpFT28NU1u5j2cUbtANJalkNDX/UY6XJ jenkins@ci-master-02' -- name: Remove jenkins sudoers file - file: - path: "/etc/sudoers.d/jenkins" - state: absent + - name: Set up authorized_keys for the jenkins user + when: jenkins_user | bool + authorized_key: + user: 'jenkins' + # yamllint disable-line 
rule:line-length + key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA3fwpioVLDoCQsQkYK5bOwPb8N0EXeYm2MleBQTfqxtKaqWWbmUtFXAiyclKHRspjcAiIKwwqLyhPopHBqJzmXnB0GsfGmxXJ6wSBgKJ4kdBVRM+nKlK0wCl1oQkFeV/Xl3jzt1Ey96XiNWlesfkvgcMCpsJzQ7/xRb9IcghskzlQbLOwDNir/156JgAYUYvOLqNCcE+xcgPxJGanfZDXTLkfBYxaeaB8isBPeEU6fhPvu/W055M1uB7E0qhcbFtuKCBu1Fg4jzsW4yDU8+ZB1b5mAXwEAuMbVGMrOf4rjtTpGpQd6XFsXpFT28NU1u5j2cUbtANJalkNDX/UY6XJ jenkins@ci-master-02' + + - name: Remove jenkins sudoers file + file: + path: "/etc/sudoers.d/jenkins" + state: absent -- 2.34.1
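Review bot: The jenkins `authorized_key` task does not set `exclusive: true`, unlike the root task a few lines above it, so after a key rotation the previous jenkins key remains in `~jenkins/.ssh/authorized_keys` on Linux hosts, whereas the Windows side (`win_copy` with `content:`) replaces the whole file; adding `exclusive: true` under `user: 'jenkins'` makes the two platforms behave the same. The root task combines `public_keys/*.pub` with `extra_root_ssh_authorized_keys` and is `exclusive`, so a run where the glob matches nothing and the variable is unset hands the module an empty key string — whether that fails or empties root's authorized_keys depends on the module's handling of blank lines and is not visible here; an `ansible.builtin.assert` that at least one key is present before this task would rule out an accidental root lockout. Both behaviours are pre-existing, but the block wrapper in this commit is the natural place to add them.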