update

2023-07-14 17:12:58 +09:00
parent a1eb06f9c1
commit 080fd52c8f
8 changed files with 49 additions and 60 deletions
--- a/ansible/bastion.yml
+++ b/ansible/bastion.yml
@@ -50,7 +50,7 @@
        - name: "joonsoopark"
          ip: "10.20.142.33"
          description: "박준수"
-          key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGuOwXy+Cl84IwrIbNb2bEJZUn08EjUpnAVVphB/kYr"
+          key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICeOzKeL4ZUXw0lEHDZoBsp7M3oobrBI0sWBHdpk0X0T"

        - name: "baekchan1024"
          ip: "10.20.142.39"
--- a/ansible/inventory.ini
+++ b/ansible/inventory.ini
@@ -1,38 +1,3 @@
 [host]
-10.10.43.111
-10.10.43.112
-10.10.43.113
-10.10.43.114
-10.10.43.115
-10.10.43.116
-10.10.43.117
-10.10.43.118
-10.10.43.119
-10.10.43.120
-10.10.43.121
-10.10.43.122
-10.10.43.123
-10.10.43.124
-10.10.43.125
-10.10.43.126
-10.10.43.127
-10.10.43.128
-10.10.43.129
-10.10.43.130
-10.10.43.131
-10.10.43.132
-10.10.43.133
-10.10.43.134
-10.10.43.135
-10.10.43.136
-10.10.43.137
-10.10.43.138
-10.10.43.140
-10.10.43.141
-10.10.43.142
-10.10.43.143
-10.10.43.144
-10.10.43.145
-10.10.43.146
-10.10.43.147
-#10.10.43.148
+10.10.43.[100:101] ansible_user=root
+10.10.43.[110:147]
--- a/ansible/roles/bastion/defaults/main.yml
+++ b/ansible/roles/bastion/defaults/main.yml
@@ -41,3 +41,8 @@ crictl_file_group: root
 # temp
 username: root
 password: saasadmin1234
+
+# common user flag
+common_user: False
+
+pause_time: 1
--- a/ansible/roles/bastion/tasks/main.yml
+++ b/ansible/roles/bastion/tasks/main.yml
@@ -1,9 +1,6 @@
 ---
- include: login_defs.yml
-  tags: login_defs
-
- include: pam.yml
-  tags: pam
+- pause:
+    seconds: "{{ pause_time }}"

 - include: sshd_config.yml
  tags: sshd_config
@@ -11,14 +8,5 @@
 - include: sudoers.yml
  tags: sudoers

- include: profile.yml
-  tags: profile
-
- include: banner.yml
-  tags: banner
-
- include: crictl.yml
-  tags: crictl
-
 - include: admin_set.yml
  tags: admin_set
--- a/ansible/roles/bastion/tasks/sudoers.yml
+++ b/ansible/roles/bastion/tasks/sudoers.yml
@@ -1,4 +1,15 @@
 ---
+- name: Get all ssh sessions 
+  shell: ps -ef | grep sshd | grep -v root | grep -v "{{ ansible_user }}" | awk '{print $2}' 
+  register: ssh_sessions
+  ignore_errors: true
+
+- name: Terminate ssh sessions
+  shell: kill -9 {{ item }}
+  with_items: "{{ ssh_sessions.stdout_lines }}"
+  when: ssh_sessions is defined
+  ignore_errors: true
+
 - name: "Create devops group"
  ansible.builtin.group:
    name: "devops"
@@ -28,10 +39,9 @@
  with_items: "{{ admin_users }}"
  when: 
  - item.name is defined
-  - item.key is defined
  ignore_errors: true

- name: user change
+- name: "admin user password change"
  user:
    name: "{{ item.name }}"
    password: "{{ password | password_hash('sha512') }}"
@@ -39,10 +49,9 @@
  with_items: "{{ admin_users }}"
  when: 
  - item.name is defined 
-  - item.key is defined
  ignore_errors: true

- name: key add
+- name: "Add admin user key"
  authorized_key:
    user: "{{ item.name  }}"
    state: present
@@ -51,6 +60,7 @@
  when: 
  - item.name is defined
  - item.key is defined
+  - common_user == True
  ignore_errors: true


@@ -64,10 +74,10 @@
  with_items: "{{ allow_users }}"
  when: 
  - item.name is defined 
-  - item.key is defined
+  - common_user == True
  ignore_errors: true

- name: user change
+- name: "Change common user password change"
  user:
    name: "{{ item.name }}"
    password: "{{ password | password_hash('sha512') }}"
@@ -75,10 +85,10 @@
  with_items: "{{ allow_users }}"
  when: 
  - item.name is defined 
-  - item.key is defined
+  - common_user == True
  ignore_errors: true

- name: key add
+- name: "Add common user key"
  authorized_key:
    user: "{{ item.name  }}"
    state: present
@@ -87,9 +97,11 @@
  when:
  - item.name is defined
  - item.key is defined
+  - common_user == True
  ignore_errors: true

 - name: "Setting sudoers allow users"
  template:
    src: sudoers_users.j2
    dest: "/etc/sudoers.d/sudoers_users"
+  ignore_errors: true
--- a/ansible/roles/bastion/templates/sudoers_users.j2
+++ b/ansible/roles/bastion/templates/sudoers_users.j2
@@ -1,3 +1,4 @@
+dev2-iac ALL=(ALL) NOPASSWD: ALL
 {% if allow_users is defined %}
 {% for user in admin_users %}
 {{ user.name }} ALL=(ALL) NOPASSWD: ALL
--- a/ansible/test.yaml
+++ b/ansible/test.yaml
@@ -0,0 +1,16 @@
+---
+- hosts: all
+  become: yes
+  tasks:
+    - name: Create a new user
+      user:
+        name: dev2-iac
+        password: "{{ 'saasadmin1234' | password_hash('sha512') }}"
+        group: sudo
+        shell: /bin/bash
+
+    - name: Set authorized key taken from file
+      authorized_key:
+        user: dev2-iac
+        state: present
+        key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCsiN0I8B3UmB1mVBxVpvrSF5j0vrwUggngVrlplW8iJLllSBwarHzmSpMWv3eQtb9QQ/HKyOsS3j6UkbQK2aJ6jGeK2pQUkbb6KdMc9OrS/ILWysritcBJ3rUuITwOMvekQHtq+yKshap3uw/8ZEiM1Xn0MxVGhpAZsWbotf9n6ntmsMDXkRSQnYU5T2y4hkWlYImPkIasmbDFVkxi0Wz7I7pUX4hG3l6NJegXWO6n4OcpXxm26oZUtmpqrNRipUIUglM5xp4+YlQhu3FIa/aEZ+fuE9xnSZ8gCYnmPKwJ7AKKkEUruSTA3vhBnlh5rFYgSg5NkVte2RjdPg1SYZCTUXVwE9bbIzeGiXJ9vSe1/bhacpLeLgg48H6SSVInoCmen6W4Oo4/QlekXMBCuxfRwH2pO2K84gEKAAD0hUHBEf0Eh4rIi3K2oUdDCnMv5CD3lqiBn49hFB+bBdk+kxFNNx9iSDciFc91lIjz2IW8FO//+iLO7DEBZMrz/B8bJQ0="
--- a/ansible/test_inventory
+++ b/ansible/test_inventory
@@ -0,0 +1,2 @@
+[host]
+10.10.43.111