SSH user-management #77

8 years ago · 0945f54366
parent c19908c9b1
commit 0945f54366
2 changed files with 61 additions and 6 deletions
--- a/roles/ssh_tunneling/tasks/main.yml
+++ b/roles/ssh_tunneling/tasks/main.yml
@ -9,7 +9,7 @@
 - name: Ensure that the SSH users exist
  user:
    name: "{{ item }}"
-    group: algo
+    groups: algo
    home: '/var/jail/{{ item }}'
    createhome: yes
    generate_ssh_key: yes
@ -19,6 +19,7 @@
    ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}'
    ssh_key_passphrase: "{{ easyrsa_p12_export_password }}"
    state: present
+    append: yes
  with_items: "{{ users }}"
  
 - name: The authorized keys file created
@ -26,7 +27,7 @@
    src: '/var/jail/{{ item }}/.ssh/id_rsa.pub'
    dest: '/var/jail/{{ item }}/.ssh/authorized_keys'
    owner: "{{ item }}"
-    group: algo
+    group: "{{ item }}"
    state: link
  with_items: "{{ users }}"

--- a/users.yml
+++ b/users.yml
@ -14,12 +14,17 @@
    - name: "server_user"
      prompt: "What user should we use to login on the server? (ignore if you're deploying to localhost):\n"
      default: "root"
-      private: no
+      private: no      
+      
+    - name: "ssh_tunneling_enabled"
+      prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
+      default: "y"
+      private: no      
      
    - name: "easyrsa_p12_export_password"
-      prompt: "Enter the password for p12 certificates:\n"
-      default: "vpn"
-      private: yes
+      prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
+      default: "vpnpw"
+      private: yes   

    - name: "IP_subject"
      prompt: "Enter public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n"
@ -33,6 +38,7 @@
        ansible_ssh_user: "{{ server_user }}"
        ansible_python_interpreter: "/usr/bin/python2.7"
        easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
+        ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
        IP_subject: "{{ IP_subject }}"

    - name: Wait for SSH to become available
@ -114,3 +120,51 @@
    
  - name: Fetch server CA certificate
    fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes
+    
+  # SSH
+  
+  - name: SSH | Ensure that the system users exist
+    user:
+      name: "{{ item }}"
+      groups: algo
+      home: '/var/jail/{{ item }}'
+      createhome: yes
+      generate_ssh_key: yes
+      shell: /bin/false
+      ssh_key_type: rsa
+      ssh_key_bits: 2048
+      ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}'
+      ssh_key_passphrase: "{{ easyrsa_p12_export_password }}"
+      state: present
+      append: yes
+    with_items: "{{ users }}"
+    when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" 
+    
+  - name: SSH | The authorized keys file created
+    file: 
+      src: '/var/jail/{{ item }}/.ssh/id_rsa.pub'
+      dest: '/var/jail/{{ item }}/.ssh/authorized_keys'
+      owner: "{{ item }}"
+      group: "{{ item }}"
+      state: link
+    with_items: "{{ users }}"
+    when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
+
+  - name: SSH | Get active system users
+    shell: >
+      getent group algo | cut -f4 -d: | sed "s/,/\n/g"
+    register: valid_users
+    when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
+
+  - name: SSH | Delete non-existing users
+    user:
+      name: "{{ item }}"
+      state: absent
+      remove: yes      
+      force: yes
+    when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
+    with_items: "{{ valid_users.stdout_lines }}"
+    
+  - name: SSH | Fetch users SSH private keys
+    fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
+    with_items: "{{ users }}"