From 080fd52c8fb10772eb3dbf7c9ba5c7652adda150 Mon Sep 17 00:00:00 2001
From: havelight-ee
Date: Fri, 14 Jul 2023 17:12:58 +0900
Subject: [PATCH] update
---
 ansible/bastion.yml | 2 +-
 ansible/inventory.ini | 39 +------------------
 ansible/roles/bastion/defaults/main.yml | 5 +++
 ansible/roles/bastion/tasks/main.yml | 16 +-------
 ansible/roles/bastion/tasks/sudoers.yml | 28 +++++++++----
 .../roles/bastion/templates/sudoers_users.j2 | 1 +
 ansible/test.yaml | 16 ++++++++
 ansible/test_inventory | 2 +
 8 files changed, 49 insertions(+), 60 deletions(-)
 create mode 100644 ansible/test.yaml
 create mode 100644 ansible/test_inventory
diff --git a/ansible/bastion.yml b/ansible/bastion.yml
index 20601ac..05d46d5 100644
--- a/ansible/bastion.yml
+++ b/ansible/bastion.yml
@@ -50,7 +50,7 @@ - name: "joonsoopark" ip: "10.20.142.33" description: "박준수" - key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGuOwXy+Cl84IwrIbNb2bEJZUn08EjUpnAVVphB/kYr" + key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICeOzKeL4ZUXw0lEHDZoBsp7M3oobrBI0sWBHdpk0X0T" - name: "baekchan1024" ip: "10.20.142.39"
diff --git a/ansible/inventory.ini b/ansible/inventory.ini
index 8731a96..95f3917 100644
--- a/ansible/inventory.ini
+++ b/ansible/inventory.ini
@@ -1,38 +1,3 @@
 [host]
-10.10.43.111
-10.10.43.112
-10.10.43.113
-10.10.43.114
-10.10.43.115
-10.10.43.116
-10.10.43.117
-10.10.43.118
-10.10.43.119
-10.10.43.120
-10.10.43.121
-10.10.43.122
-10.10.43.123
-10.10.43.124
-10.10.43.125
-10.10.43.126
-10.10.43.127
-10.10.43.128
-10.10.43.129
-10.10.43.130
-10.10.43.131
-10.10.43.132
-10.10.43.133
-10.10.43.134
-10.10.43.135
-10.10.43.136
-10.10.43.137
-10.10.43.138
-10.10.43.140
-10.10.43.141
-10.10.43.142
-10.10.43.143
-10.10.43.144
-10.10.43.145
-10.10.43.146
-10.10.43.147
-#10.10.43.148
+10.10.43.[100:101] ansible_user=root
+10.10.43.[110:147]
diff --git a/ansible/roles/bastion/defaults/main.yml b/ansible/roles/bastion/defaults/main.yml
index d11d7ee..3e2af89 100755
--- a/ansible/roles/bastion/defaults/main.yml
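Review bot: Swapping joonsoopark's public key in this entry does not revoke the old key on the managed hosts, because the role installs keys with `authorized_key: ... state: present` (visible in the sudoers.yml hunks of this patch), which only appends to authorized_keys. Either add a companion task that passes the previous key with `state: absent`, or set `exclusive: true` on the key tasks so the file is rewritten to match the inventory each run. The user list this entry belongs to starts outside the hunk.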
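Review bot: The new range `10.10.43.[110:147]` silently widens the target set: `.139` was never in the old list and `.148` was commented out, and both are now in scope for everything the bastion role does, including the ssh-session kill task added in sudoers.yml. If those two hosts are meant to stay excluded, split the range around them (`10.10.43.[110:138]` and `10.10.43.[140:147]`) or keep them as explicit commented entries so the exclusion stays visible. Pinning `ansible_user=root` inline on the `[100:101]` line is fine for two hosts, but a separate group with its own vars would make the different connection account easier to spot.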
+++ b/ansible/roles/bastion/defaults/main.yml @@ -41,3 +41,8 @@ crictl_file_group: root # temp username: root password: saasadmin1234 + +# common user flag +common_user: False + +pause_time: 1 diff --git a/ansible/roles/bastion/tasks/main.yml b/ansible/roles/bastion/tasks/main.yml index c9a3fe6..2e1dbe8 100755 --- a/ansible/roles/bastion/tasks/main.yml +++ b/ansible/roles/bastion/tasks/main.yml @@ -1,9 +1,6 @@ --- -- include: login_defs.yml - tags: login_defs - -- include: pam.yml - tags: pam +- pause: + seconds: "{{ pause_time }}" - include: sshd_config.yml tags: sshd_config @@ -11,14 +8,5 @@ - include: sudoers.yml tags: sudoers -- include: profile.yml - tags: profile - -- include: banner.yml - tags: banner - -- include: crictl.yml - tags: crictl - - include: admin_set.yml tags: admin_set diff --git a/ansible/roles/bastion/tasks/sudoers.yml b/ansible/roles/bastion/tasks/sudoers.yml index d703a74..0d27aab 100755 --- a/ansible/roles/bastion/tasks/sudoers.yml +++ b/ansible/roles/bastion/tasks/sudoers.yml @@ -1,4 +1,15 @@ --- +- name: Get all ssh sessions + shell: ps -ef | grep sshd | grep -v root | grep -v "{{ ansible_user }}" | awk '{print $2}' + register: ssh_sessions + ignore_errors: true + +- name: Terminate ssh sessions + shell: kill -9 {{ item }} + with_items: "{{ ssh_sessions.stdout_lines }}" + when: ssh_sessions is defined + ignore_errors: true + - name: "Create devops group" ansible.builtin.group: name: "devops" @@ -28,10 +39,9 @@ with_items: "{{ admin_users }}" when: - item.name is defined - - item.key is defined ignore_errors: true -- name: user change +- name: "admin user password change" user: name: "{{ item.name }}" password: "{{ password | password_hash('sha512') }}" @@ -39,10 +49,9 @@ with_items: "{{ admin_users }}" when: - item.name is defined - - item.key is defined ignore_errors: true -- name: key add +- name: "Add admin user key" authorized_key: user: "{{ item.name }}" state: present 
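Review bot: `common_user: False` uses a capitalised YAML 1.1 boolean; write `common_user: false` so yamllint's truthy rule and YAML 1.2 parsers agree on the type. The gates added in sudoers.yml compare this value with `== True`, which only matches a real boolean, so a value supplied as `-e common_user=true` (a string) would never enable the common-user tasks; `common_user | bool` on the consuming side avoids that. `pause_time: 1` has no comment saying what the delay waits for, and the pause task in tasks/main.yml has no name either, so a one-line comment here (`# seconds the role waits before touching sshd/sudoers config`) would document the intent — adjust the wording to the actual purpose.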
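Review bot: The new `- pause:` task at the top of the role has no `name:`, so play output shows an anonymous `pause` with no indication of why the run stalls; give it one, e.g. `- name: "Wait {{ pause_time }}s before applying bastion config"`. Together with the pure-deletion hunk that follows, the role also stops including login_defs, pam, profile, banner and crictl; if dropping those hardening steps is intended, the commit message (`update`) should say so, and if it is temporary they would be better kept behind their existing tags than removed.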
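Review bot: The "Get all ssh sessions" task builds its kill list from `ps -ef | grep sshd | grep -v root | grep -v "{{ ansible_user }}"`, which filters by substring over the whole ps line, so any session whose line happens to contain `root` or the ansible user's name is skipped while every other user's sshd process on the host is sent `kill -9` on every run of this task file. `when: ssh_sessions is defined` is always true for a registered variable and does not guard against a failed or empty first task; test the output instead, `when: ssh_sessions.stdout_lines is defined and ssh_sessions.stdout_lines | length > 0`. The first task is read-only and should carry `changed_when: false`, and `ignore_errors: true` on both hides the failures that matter here — including, if `ansible_user` is not set for a host (inventory.ini only sets it for `[100:101]`), an undefined-variable error in the template that would otherwise surface. If the goal is to make logged-in users pick up new sshd/sudoers settings, a named, idempotent step with `pkill -u` per affected user and an explicit `changed_when` would be clearer than a ps/grep pipeline.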
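Review bot: Dropping `- item.key is defined` from the admin-user create task (and again from the password task in the next hunk) means an `admin_users` entry with only a `name` now gets an account whose password is the shared role default `password`, even though no SSH key will ever be installed for it. Unless sshd_config.yml (outside this patch) disables password authentication, that is a password-only privileged account on every host; either keep the key requirement on these two tasks or require an explicit per-user secret instead of the shared default. Both task headers are outside the hunks.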
@@ -51,6 +60,7 @@ when: - item.name is defined - item.key is defined + - common_user == True ignore_errors: true @@ -64,10 +74,10 @@ with_items: "{{ allow_users }}" when: - item.name is defined - - item.key is defined + - common_user == True ignore_errors: true -- name: user change +- name: "Change common user password change" user: name: "{{ item.name }}" password: "{{ password | password_hash('sha512') }}" @@ -75,10 +85,10 @@ with_items: "{{ allow_users }}" when: - item.name is defined - - item.key is defined + - common_user == True ignore_errors: true -- name: key add +- name: "Add common user key" authorized_key: user: "{{ item.name }}" state: present @@ -87,9 +97,11 @@ when: - item.name is defined - item.key is defined + - common_user == True ignore_errors: true - name: "Setting sudoers allow users" template: src: sudoers_users.j2 dest: "/etc/sudoers.d/sudoers_users" + ignore_errors: true diff --git a/ansible/roles/bastion/templates/sudoers_users.j2 b/ansible/roles/bastion/templates/sudoers_users.j2 index b6a1f90..4c30d95 100755 --- a/ansible/roles/bastion/templates/sudoers_users.j2 +++ b/ansible/roles/bastion/templates/sudoers_users.j2 @@ -1,3 +1,4 @@ +dev2-iac ALL=(ALL) NOPASSWD: ALL {% if allow_users is defined %} {% for user in admin_users %} {{ user.name }} ALL=(ALL) NOPASSWD: ALL diff --git a/ansible/test.yaml b/ansible/test.yaml new file mode 100644 index 0000000..8399a3d --- /dev/null +++ b/ansible/test.yaml @@ -0,0 +1,16 @@ +--- +- hosts: all + become: yes + tasks: + - name: Create a new user + user: + name: dev2-iac + password: "{{ 'saasadmin1234' | password_hash('sha512') }}" + group: sudo + shell: /bin/bash + + - name: Set authorized key taken from file + authorized_key: + user: dev2-iac + state: present + key: "ssh-rsa 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" diff --git a/ansible/test_inventory b/ansible/test_inventory new file mode 100644 index 0000000..ab07feb --- /dev/null +++ b/ansible/test_inventory 
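Review bot: The `- common_user == True` condition added here appears to gate the "Add admin user key" task (its header is the last task of the previous hunk, two lines before this one), so with the default `common_user: False` admin accounts are created and given the default password but never receive their SSH keys. If the gate is only meant for the `allow_users` tasks further down, remove it from this `when:`; if it is intentional, add a comment explaining why admin keys depend on the common-user flag. The task starts outside the hunk.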
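Review bot: `- common_user == True` (here and in the `@@ -75` and `@@ -87` hunks) only matches a genuine boolean; a value passed as `-e common_user=true` arrives as a string and the comparison is false, so write `- common_user | bool`. Replacing `- item.key is defined` with this flag also means `allow_users` entries without a key are created with the shared default `password` (plus whatever the sudoers template grants them), so the key check should stay alongside the flag on the create and password tasks rather than be replaced by it. The task headers are outside these hunks.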
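Review bot: `ignore_errors: true` on "Setting sudoers allow users" lets the play continue after a failed write of `/etc/sudoers.d/sudoers_users`, which is the one task where a silent failure means the intended access was never granted or a stale file stays in place. Replace it with validation so a malformed rendering can neither break sudo nor be ignored: add `mode: "0440"` and `validate: "visudo -cf %s"` to the template task and drop the `ignore_errors` line.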
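Review bot: `dev2-iac ALL=(ALL) NOPASSWD: ALL` is hard-coded at the top of the template, outside the `admin_users`/`allow_users` data and any `common_user` gate, so every host that receives this file grants passwordless root to that account regardless of inventory. Drive it from a role variable (e.g. `{% if iac_user is defined %}{{ iac_user }} ALL=(ALL) NOPASSWD: ALL{% endif %}` with `iac_user` in defaults), or add the account to `admin_users` so it is created and listed through the same path as the others. Note also that the existing guard `{% if allow_users is defined %}` wraps a loop over `admin_users`, which the new unconditional line makes easier to overlook.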
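Review bot: The new playbook embeds the credential as a literal in `password: "{{ 'saasadmin1234' | password_hash('sha512') }}"`; even for a test play it should come from a vaulted variable, and the role already has a `password` default, so `password: "{{ password | password_hash('sha512') }}"` would match the rest of the repo. `password_hash('sha512')` without a fixed salt yields a different hash on every run, so the user task reports changed each time; pass a salt as the second argument or set `update_password: on_create`. `become: yes` should be `become: true`, and `group: sudo` assumes a Debian-style sudo group while the role elsewhere creates `devops` — worth confirming against the target hosts.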
@@ -0,0 +1,2 @@
+[host]
+10.10.43.111