From 73720b049a2c07e59a6eb38c026322626156e804 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arturo=20Filast=C3=B2?=
Date: Wed, 3 Jul 2024 11:25:48 +0200
Subject: [PATCH] Add playbook to run on controller node
---
 ansible/controller-playbook.yml | 4 ++
 ansible/group_vars/all/vars.yml | 22 ++++++++++
 ansible/roles/user_setup/tasks/main.yml | 42 +++++++++++++++++++
 .../user_setup/templates/authorized_keys | 5 +++
 .../templates/authorized_keys_ubuntu | 6 +++
 5 files changed, 79 insertions(+)
 create mode 100644 ansible/controller-playbook.yml
 create mode 100644 ansible/group_vars/all/vars.yml
 create mode 100644 ansible/roles/user_setup/tasks/main.yml
 create mode 100644 ansible/roles/user_setup/templates/authorized_keys
 create mode 100644 ansible/roles/user_setup/templates/authorized_keys_ubuntu
diff --git a/ansible/controller-playbook.yml b/ansible/controller-playbook.yml
new file mode 100644
index 00000000..984ff661
--- /dev/null
+++ b/ansible/controller-playbook.yml
@@ -0,0 +1,4 @@
+---
+- hosts: 127.0.0.1
+ connection: local
+
diff --git a/ansible/group_vars/all/vars.yml b/ansible/group_vars/all/vars.yml
new file mode 100644
index 00000000..ad49290b
--- /dev/null
+++ b/ansible/group_vars/all/vars.yml
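Review bot: The play at `- hosts: 127.0.0.1` has `connection: local` but no `roles:` or `tasks:`, so running `controller-playbook.yml` as committed does nothing, and the `user_setup` role added in the same commit is never applied. If the intent is to manage users on the controller itself, the play also needs privilege escalation, since the `user`, `file` and `template` tasks in that role write to `/home` and `/etc/passwd`; I would add `become: true` and `roles: [user_setup]` under the host line. The trailing empty `+` line is harmless but is probably not intended.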
@@ -0,0 +1,22 @@
+ssh_users:
+ agrabeli:
+ login: agrabeli
+ comment: Maria Xynou
+ keys: ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDD0JSwM+t3Uz9lS3Mjoz9oo4vOToWyzboZhYQbP8JY5HvFtAvWanWHnUBO91t6hkgKIMiUqhdCJn26fqkhSGe/bRBaFUocOmuyfcmZoRdi0qzAskmycJsj/w6vWR4x6MYkmJvSeI/MGxjEFt4s2MfOG1tP8CBLUYft9qUleeJa7Jln8c+xbnqB7YngaI190icQHE9NuIB2CXvzbmo3tLtHNMagEwI7VoBDj6mxzTxBd9JhuhF4w5uGxxm0Gp1hzk+15obNnaBS+Anr7jXz8FPwwxCH+XhBZxB1PPpcIayKrf9iLyGtwmhkdDoWCqYAr1mue3LxFso+TZF4bwE4Cjt1 agrabelh@agrabelh"]
+ art:
+ login: art
+ comment: Arturo Filasto
+ keys: ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsibU0nsQFFIdolD1POzXOws4VetV0ZNByINRzY8Hx0 arturo@ooni.org"]
+ majakomel:
+ login: majakomel
+ comment: Maja Komel
+ keys:
+ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7gWQL4h/IyMbwDuMIXbTVmNEm8Yx19Ftt0P2e3OyWctSMH7WGaHc6b0dGoGh6Y4x0Kpw5h0iHWshP8Rg0pckNG9LeDjLY9nLR3Jv66ogFQtFi1DAlg4CXe369N70rBN9iurndgXjShW9OV+bY+MOlW8Fmmm67Vg0xFiYuYzjgUOpl4ofkbLGAQ7sJRBzpDV6TqHhGfOdYMDJyfFvurVz0oSyEZPFFRv4Css9iVk7BGsBukCCpUuax8akEeEjxWWCvjYXva7OA0jHKayfPAroZx/OJh01rhFe7wxlu5JwUKOcevvAZqeHh6200C82ijZOCN+Qq9yvxOH+OgzhnQwnoetIbGFgnb4CkDxo7dVLc/DFyObznC4f26f5D1OyPMUX8AEarEVdEPwsEfD2ePQr6qek0XWCWtYvGklb+GRLk9Yn0VL1qwvgrtstHdeXsKONTPKRxaCjWHu18dQaG2qOUnZ+St6SHeL49CN9aav2azNI/YKoQ9SGR4D23XeBRsW8="
+ mehul:
+ login: mehul
+ comment: Mehul Gulati
+ keys:
+ - "ssh-rsa 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"
+
+admin_usernames: [ art, majakomel, mehul ]
+non_admin_usernames: [ agrabeli ]
diff --git a/ansible/roles/user_setup/tasks/main.yml b/ansible/roles/user_setup/tasks/main.yml
new file mode 100644
index 00000000..abc733b1
--- /dev/null
+++ b/ansible/roles/user_setup/tasks/main.yml
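Review bot: `admin_usernames` and `non_admin_usernames` are maintained by hand next to `ssh_users`, so the three can drift: a login listed in `admin_usernames` but missing from `ssh_users` makes the role's `ssh_users[item].comment` lookup fail, while an entry present only in `ssh_users` is never created. A single source of truth is safer here, e.g. an `admin: true` flag per user and `admin_usernames: "{{ ssh_users | dict2items | selectattr('value.admin', 'defined') | map(attribute='key') | list }}"`; the hand-written lists can stay as the interface the tasks consume. The `login:` field duplicates the mapping key and is not read by any task or template in this commit, so it can be dropped. Style: `keys:` is a flow list for agrabeli and art but a block list for majakomel and mehul — pick one, and start the file with `---` like the other new YAML files.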
@@ -0,0 +1,42 @@
+---
+- name: create admin users
+ tags: ssh_users
+ user:
+ name: "{{ item }}"
+ group: "admin"
+ comment: "{{ ssh_users[item].comment }}"
+ shell: /bin/bash
+ state: present
+ with_items: "{{ admin_usernames }}"
+
+- name: create non-admin users
+ tags: ssh_users
+ user:
+ name: "{{ item }}"
+ group: "{{ item }}"
+ comment: "{{ ssh_users[item].comment }}"
+ shell: /bin/bash
+ state: present
+ with_items: "{{ non_admin_usernames }}"
+
+- name: create .ssh dir in user homes
+ tags: ssh_users
+ file: path=/home/{{item}}/.ssh state=directory owner={{item}} group={{item}} mode=0700
+ with_items: "{{ admin_usernames | union(non_admin_usernames) }}"
+
+- name: create .ssh/authorized_keys for each user
+ tags: ssh_users
+ template: src=authorized_keys dest=/home/{{item}}/.ssh/authorized_keys owner={{item}} group={{item}} mode=0400
+ with_items: "{{ admin_usernames | union(non_admin_usernames) }}"
+
+- name: list all users currently on the system
+ shell: "getent passwd | awk -F: '$3 > 1000 {print $1}'"
+ register: user_list
+
+- name: remove any stale users
+ user:
+ name: "{{ item }}"
+ state: "absent"
+ remove: "yes"
+ with_items: user_list.stdout_lines
+ when: "item is not nobody and item not in admin_usernames | union(non_admin_usernames)"
diff --git a/ansible/roles/user_setup/templates/authorized_keys b/ansible/roles/user_setup/templates/authorized_keys
new file mode 100644
index 00000000..9be257ad
--- /dev/null
+++ b/ansible/roles/user_setup/templates/authorized_keys
@@ -0,0 +1,5 @@
+# managed by ansible
+# see roles/adm/templates/authorized_keys
+{% for k in passwd[item]['keys'] %}
+{{ k }}
+{% endfor %}
diff --git a/ansible/roles/user_setup/templates/authorized_keys_ubuntu b/ansible/roles/user_setup/templates/authorized_keys_ubuntu
new file mode 100644
index 00000000..c43e28f2
--- /dev/null
+++ b/ansible/roles/user_setup/templates/authorized_keys_ubuntu
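Review bot: The "remove any stale users" task is the destructive part of this role (`remove: "yes"` deletes the home directory of every account it matches) and as written it cannot work as intended: `with_items: user_list.stdout_lines` is a bare string rather than `"{{ user_list.stdout_lines }}"`, and `item is not nobody` is parsed by Jinja as a test named `nobody`, which does not exist, so the task errors instead of filtering. The awk filter `$3 > 1000` also skips UID 1000 (the first interactive user on most distributions) while still matching `nobody` (65534), which is why the `when` tries to special-case it. I would change the three lines to `shell: "getent passwd | awk -F: '$3 >= 1000 && $3 < 65534 {print $1}'"` (plus `changed_when: false` on that task), `with_items: "{{ user_list.stdout_lines }}"` and `when: "item not in admin_usernames | union(non_admin_usernames)"`, and run the whole role with `become: true`, which nothing in this commit sets. Separately, `group: "admin"` in the first task makes the `user` module fail unless that group already exists, and nothing here creates it or grants it sudo — confirm the target image provides it, or add a `group:` task before this one.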
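Review bot: The loop `{% for k in passwd[item]['keys'] %}` reads a `passwd` variable, but the role's data lives in `ssh_users` (see `group_vars/all/vars.yml` and `ssh_users[item].comment` in the tasks), so rendering this template fails with an undefined-variable error and no `authorized_keys` file is ever written. The line should be `{% for k in ssh_users[item]['keys'] %}`. The header comment `# see roles/adm/templates/authorized_keys` points at a role that does not exist in this tree; I would replace it with `# see roles/user_setup/templates/authorized_keys` or drop it.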
@@ -0,0 +1,6 @@
+# ansible-managed in ooni-sysadmin.git
+{% for login in adm_logins %}
+{% for k in passwd[login]['keys'] %}
+{{ k }}
+{% endfor %}
+{% endfor %}
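Review bot: `authorized_keys_ubuntu` is not referenced by any task in `roles/user_setup/tasks/main.yml`, and it reads `adm_logins` and `passwd`, neither of which is defined in `group_vars/all/vars.yml`, so it is dead and would fail to render if it were wired in. Either remove it from this commit or bind it to the variables that do exist: `{% for login in admin_usernames %}` and `{% for k in ssh_users[login]['keys'] %}`. The header `# ansible-managed in ooni-sysadmin.git` suggests it was copied from another repository; if it is kept, update the comment to name this repository so operators know where the file is managed from.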