diff --git a/connection_plugins/lxc/lxc.py b/connection_plugins/lxc/lxc.py
index c79645a..7c3fb1a 100644
--- a/connection_plugins/lxc/lxc.py
+++ b/connection_plugins/lxc/lxc.py
@@ -48,9 +48,9 @@ class Connection(object):
 def _generate_cmd(self, executable, cmd):
 if executable:
- return [self.lxc_attach, "--name", self.host, "--", executable, "-c", cmd]
+ return [self.lxc_attach, "-e", "--name", self.host, "--", executable, "-c", cmd]
 else:
- return "%s --name %s -- %s" % (self.lxc_attach, self.host, cmd)
+ return "%s -e --name %s -- %s" % (self.lxc_attach, self.host, cmd)
 def exec_command(self, cmd, tmp_path, sudo_user=None, sudoable=False, executable="/bin/sh", in_data=None, su=None, su_user=None):
 """ run a command on the chroot """
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 40d3106..98d6858 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -12,6 +12,7 @@
 - the_silver_searcher
 - zsh
 - git
+ - sudo
 - name: remove deprecated packages
 pacman: name={{ item }} state=absent
 with_items:
diff --git a/roles/container/files/authorized_keys b/roles/container/files/authorized_keys
new file mode 100644
index 0000000..6203006
--- /dev/null
+++ b/roles/container/files/authorized_keys
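Review bot: Both rewritten `return` lines in _generate_cmd add `-e` to lxc-attach with no comment saying why, and `-e` is `--elevated-privileges`: per lxc-attach(1) the attached command then keeps the caller's privileges instead of being placed under the container's cgroup, capability and LSM confinement, so every task Ansible runs through this plugin executes inside the container without that confinement. If only one of those is needed, lxc-attach(1) accepts a narrower list (`-e CGROUP|CAP|LSM`), and either way the rationale belongs above `if executable:`, e.g. `# -e (--elevated-privileges): tasks need <reason>; see lxc-attach(1) for the confinement this skips`. The non-executable branch still builds a shell string with `"%s -e --name %s -- %s"`, so `self.host` is interpolated unquoted; `pipes.quote(self.host)` would keep a host name containing shell metacharacters from altering the command. exec_command's body continues outside the hunk.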
@@ -0,0 +1,7 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC43IBVYIwyhNBGAH8G0NxBecnfXYVhrKQhe0mx1H2UawuYy9HGBfco/q5d8SynlPHla4nQoLIGOm/OUY1Ijksg9W28rjCPfjHxeZ+2JoDLF4Qc9PiaKfW8LuOcgKCbK1jaRn+3Zw0iIK9CuMMpPGSP2QmMIRE5rU7OBfBkxz6Uz0W6IpZXmtXo52Vxlr4IGXDpeMdLLWgG/jD93qYiNLSP3PYiM5H2DbL3d4qpjOiw3h01s4CYAyxAqRWgISCMKyD7denacfSWHl8/7+4E1bBvo+UzTv908046asXcL1i/kwp4q761ocoU6ZNdl2O+Aunro0UQaNHgxik8wtMqmhVj devkid@ThinkPad
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzdS6xog803ySrz1+hTUYlL89Wbb5p+7hd1WvDXHP4ERICuouVYO/F54saCokpcZBSyMtBC11+Yvk5J+L6pNuDJki04y4fr0HMmIVc5khuvNAiiH/8IFZk9v8uf7dyHVJyKIB+4LFMXuFB5i9gtoTM8WpIu8lYzIK6BEG1xhnfmPrLTWOw4w1Ty3iE93VPt3qRYxsB6Dx4f2n3S0piLQ+sX/aHiDO+MNdZTKJMdzPkqp89b8kF6vRyAp8WuiQDJkZJK+QKG+dvMKAofv7G97eO01TKNLPLqtswDGCnkXjkBrQ2tY7Nq5fannLGKBl+qOu3SRq8FRBaiPDa7uzCV3Vr devkid@desktop
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqGFihjjWEF8yh/SkFl6vqjYHrYGAfdyqMcHSJdi38i9A6kUwFhAXREQ84PCOZbU35bkeNnZqb1ZATQR/clsTzEE3r3k4KzV6Qh+IYWdwh0QZ1JACOiC8Cv1+AafaCcK1LOzIJzghuoFjLeTvoCwQmc8+XXRsg/mDCAI0HFh5QeyWjVxw76KCPq/FqEBq0Gp+oN3RCKBnEGSa7qAG87rSqfeq1aidNLJi/KqbQ1SfwFhGd/kJqr/rNbnk+1l8Nc+DHOwyIApga+M8EPCrkfXO9yIEBMER3OLxcgyguOEZ42HD6elHKxo0sAH+XBKdEx30kc6zuKtG03OewUprWt8xl s4039299@e04003
+ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAFEbRQAxq3GguBZh+O0YdgxLW3zGt4mkw1LLUbn5IQ49qa0jqfnJ/h4Dtvt2i9Pu4/mobB0w+jmFqjqQ5JIoFuFLwD+PxS3CN62hMwAc3mx7cPeXNHa/51PCDmSNNdPFprt4Wi1tyCXedlYAan/bFYYFHAVJLevFNgkCO4IyP/HQTxIPw== joerg@turingmachine
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmhREPkvzdhHA25RLPfczqbdvuxLTvjmboPNZtVoP/T+hnSyeGsWLSqZBlFIGFs/Hpb2eCwt98NR8j0JgHF4SyB89n9VEa4whbonGVNHceYbxfvIDcFMSYLBy0DYzMpaYesN/YK7leths4NLJqvTpf4by1dps8s/eVgvEkzUk8qgZ0HHdfLeHpP0tBI8tB5jqvGPgquJXG9z++HEKpHBlYlakpQSCn2owZexVKI6cKpUNZkYMVTvUFOlOOYpgHKgiu86t8M+k6Evr1rBFaWhpS1xeXvhLbcbRc3FaQSlIgkFUPYA7hUN3XzCbx6H+oMloJ9u2i3i89p1BtGGSK5EDf Albert@ipad albert
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/A9QBuYHRvKeueWKQxajqNhp9QOiQjdFTvrt8xG+URd6YHCkYHtCffyU6mftgP7x0jH0/ArHHfQWDujSguAn4UtXO90I4sZ3c01GWOSTit7I5aRh0/0J6Vjwfw2GorQMxyX/bBIzBQuyDX6k01gU8y4X0BfzhKMRI0CPBNjbGifSboAV1hEGXZiKFYLQWC5AD6JUhzu9dNyxOH8KcIogQiC/Rglwu25Y5NID5LR3IVhaX1nlLPe6BtfbiSF7Iid1z87f9Ff458TnZHNQBKR3Ak0u/iItmau56b0uDPmDVPDX25zMZ+F2gDZZzeiD8ePVOxY0lznn5ekmv9 albertschulz@Albert-Schulzs-MacBook-Pro.local
+
diff --git a/roles/container/files/bashrc b/roles/container/files/bashrc
index c373144..d5a1228 100644
--- a/roles/container/files/bashrc
+++ b/roles/container/files/bashrc
@@ -9,9 +9,12 @@ export TTY=$(tty)
 export GPG_TTY=$TTY
 # shell opts: see bash(1)
-shopt -s cdspell dirspell extglob histverify no_empty_cmd_completion checkwinsize
+shopt -s autocd cdspell dirspell extglob no_empty_cmd_completion
+shopt -s checkwinsize checkhash
+shopt -s histverify histappend histreedit cmdhist
 set -o notify # notify of completed background jobs immediately
+set -o noclobber # don\'t overwrite files by accident
 ulimit -S -c 0 # disable core dumps
 stty -ctlecho # turn off control character echoing
@@ -82,10 +85,11 @@ mkcd() {
 [[ -d $1 ]] && builtin cd "$1"
 }
+function ff() { find . -type f -iname '*'"$*"'*' -ls ; }
+
 alias ..='cd ..'
 alias ...='cd ../..'
 alias ....='cd ../../..'
-alias ff='/usr/bin/find . -iname "*$@*"'
 alias gensums='[[ -f PKGBUILD ]] && makepkg -g >> PKGBUILD'
 alias info='info --vi-keys'
 alias j='jobs'
diff --git a/roles/container/files/mirrorlist b/roles/container/files/mirrorlist
new file mode 120000
index 0000000..cee9f6d
--- /dev/null
+++ b/roles/container/files/mirrorlist
@@ -0,0 +1 @@
+/etc/pacman.d/mirrorlist
\ No newline at end of file
diff --git a/roles/container/files/ptmx.conf b/roles/container/files/ptmx.conf
new file mode 100644
index 0000000..78caaf1
--- /dev/null
+++ b/roles/container/files/ptmx.conf
@@ -0,0 +1 @@
+L /dev/ptmx - - - - /dev/pts/ptmx
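Review bot: The six keys in authorized_keys carry no comment identifying who holds them or why they are here, and since the sudoers added in this commit gives `admin` `NOPASSWD: ALL`, each key is an unconditional root login on the container. A header comment (`#` lines are ignored by sshd in this file) naming the owner of each entry, e.g. `# devkid: ThinkPad, desktop; joerg: turingmachine; albert: ipad, MacBook; s4039299: e04003`, would make later removals reviewable. The trailing empty `+` line is harmless.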
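Review bot: The added `set -o noclobber # don\'t overwrite files by accident` line has a stray backslash inside its comment; bash ignores it, but it looks like an escaping artifact and should read `set -o noclobber # don't overwrite files by accident`. This bashrc is now deployed for both `admin` and `root` by the tasks change in the same commit, so `noclobber` also governs root's interactive redirections — presumably intended, but a word to that effect in the comment would make it deliberate.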
diff --git a/roles/container/files/sshd_config b/roles/container/files/sshd_config
new file mode 100644
index 0000000..e1980fb
--- /dev/null
+++ b/roles/container/files/sshd_config
@@ -0,0 +1,12 @@
+Port 22
+
+AuthorizedKeysFile .ssh/authorized_keys
+
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+
+UsePAM yes
+
+PrintMotd no
+UsePrivilegeSeparation sandbox
+Subsystem sftp /usr/lib/ssh/sftp-server
diff --git a/roles/container/files/sudoers b/roles/container/files/sudoers
new file mode 100644
index 0000000..888749b
--- /dev/null
+++ b/roles/container/files/sudoers
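Review bot: The new sshd_config never sets `PermitRootLogin`, so sshd's compiled-in default decides whether root may log in with a key; the intended login account is `admin` (that is where the tasks install authorized_keys), so make it explicit with `PermitRootLogin no` next to `PasswordAuthentication no`. `ChallengeResponseAuthentication no` together with `UsePAM yes` leaves PAM for account/session handling only, which is fine, but a one-line comment stating that the file is key-only by design would keep a later editor from re-enabling password or keyboard-interactive authentication.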
@@ -0,0 +1,92 @@
+## sudoers file.
+##
+## This file MUST be edited with the 'visudo' command as root.
+## Failure to use 'visudo' may result in syntax or file permission errors
+## that prevent sudo from running.
+##
+## See the sudoers man page for the details on how to write a sudoers file.
+##
+
+##
+## Host alias specification
+##
+## Groups of machines. These may include host names (optionally with wildcards),
+## IP addresses, network numbers or netgroups.
+# Host_Alias WEBSERVERS = www1, www2, www3
+
+##
+## User alias specification
+##
+## Groups of users. These may consist of user names, uids, Unix groups,
+## or netgroups.
+# User_Alias ADMINS = millert, dowdy, mikef
+
+##
+## Cmnd alias specification
+##
+## Groups of commands. Often used to group related commands together.
+# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
+# /usr/bin/pkill, /usr/bin/top
+# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
+
+##
+## Defaults specification
+##
+## You may wish to keep some of the following environment variables
+## when running commands via sudo.
+##
+## Locale settings
+Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
+##
+## Run X applications through sudo; HOME is used to find the
+## .Xauthority file. Note that other programs use HOME to find
+## configuration files and this may lead to privilege escalation!
+#Defaults env_keep += "HOME"
+##
+## X11 resource path settings
+# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
+##
+## Desktop path settings
+# Defaults env_keep += "QTDIR KDEDIR"
+##
+## Allow sudo-run commands to inherit the callers' ConsoleKit session
+# Defaults env_keep += "XDG_SESSION_COOKIE"
+##
+## Uncomment to enable special input methods. Care should be taken as
+## this may allow users to subvert the command being run via sudo.
+# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+##
+## Uncomment to enable logging of a command's output, except for
+## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
+# Defaults log_output
+# Defaults!/usr/bin/sudoreplay !log_output
+# Defaults!/usr/local/bin/sudoreplay !log_output
+# Defaults!REBOOT !log_output
+
+##
+## Runas alias specification
+##
+
+##
+## User privilege specification
+##
+root ALL=(ALL) ALL
+
+## Uncomment to allow members of group wheel to execute any command
+%wheel ALL=(ALL) ALL
+admin ALL=(ALL) NOPASSWD: ALL
+
+## Same thing without a password
+# %wheel ALL=(ALL) NOPASSWD: ALL
+
+## Uncomment to allow members of group sudo to execute any command
+# %sudo ALL=(ALL) ALL
+
+## Uncomment to allow any user to run sudo if they know the password
+## of the user they are running the command as (root by default).
+# Defaults targetpw # Ask for the password of the target user
+# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
+
+## Read drop-in files from /etc/sudoers.d
+## (the '#' here does not indicate a comment)
+#includedir /etc/sudoers.d
diff --git a/roles/container/tasks/main.yml b/roles/container/tasks/main.yml
index d6d24e8..4607879 100644
--- a/roles/container/tasks/main.yml
+++ b/roles/container/tasks/main.yml
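Review bot: `admin ALL=(ALL) NOPASSWD: ALL` sits directly under `%wheel ALL=(ALL) ALL` with no comment, and because the tasks in this commit also add `admin` to wheel, sudo applies the later matching entry, so every SSH key installed for `admin` becomes a passwordless root login. The rationale — presumably that `admin` is created without a usable password, so a password-prompting rule could never be satisfied — should be stated in the file, e.g. `## admin is the key-only SSH login account and has no password; NOPASSWD is the only rule that can work for it`. The header's own `visudo` warning is also why the task that installs this file should validate it before it lands in /etc/sudoers.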
@@ -16,13 +16,27 @@
 - name: delete .zshrc
 file: path=/root/.zshrs state=absent
+- name: Allow wheel group to use sudo
+ lineinfile: "dest=/etc/sudoers state=present regexp='^%wheel' line='%wheel ALL=(ALL) NOPASSWD: ALL'"
+- name: Write mirrorlist
+ copy: src=sudoers dest=/etc/sudoers mode=0644
+- user: name=admin shell=/bin/bash groups=wheel append=yes
+- name: Create ~admin/.ssh
+ file: path=/home/admin/.ssh state=directory
+- name: SSH Keys
+ copy: src=authorized_keys dest=/home/admin/.ssh/authorized_keys
+
 - name: deploy dotfiles
- copy: src={{ item }} dest=/root/.{{ item }}
- with_items:
- - bashrc
- - dircolors
- - vimrc
+ copy: src="{{ item[0] }}" dest="{{ item[1].dest }}/.{{ item[0] }}" owner="{{ item[1].owner }}" group="{{ item[1].group }}"
+ with_nested:
+ - ['bashrc', 'dircolors', 'vimrc']
+ -
+ - {dest: "/home/admin", owner: "admin", group: "admin"}
+ - {dest: "/root", owner: "root", group: "root"}
+
 - mount: name=/run/systemd/journal/ src=/mnt/journal fstype=none opts=bind,ro state=present
 - name: backup directory
 file: path=/root/.vim.backupdir state=directory
+
+- include: ssh.yml
diff --git a/roles/container/tasks/ssh.yml b/roles/container/tasks/ssh.yml
new file mode 100644
index 0000000..fab55b2
--- /dev/null
+++ b/roles/container/tasks/ssh.yml
@@ -0,0 +1,10 @@
+- name: install openssh
+ pacman: name=openssh state=present
+- name: Write sshd_config
+ copy: src=sshd_config dest=/etc/ssh/sshd_config mode=0644
+- name: symlink /dev/pts/ptmx to /dev/ptmx for sshd pty
+ file: src=/dev/pts/ptmx dest=/dev/ptmx state=link
+- name: tmpfiles.d/ptmx.conf
+ copy: src=ptmx.conf dest=/etc/tmpfiles.d/ptmx.conf mode=0644
+- name: start sshd.socket
+ service: name=sshd.socket state=started enabled=yes
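Review bot: `copy: src=sudoers dest=/etc/sudoers mode=0644` installs a world-readable sudoers, and sudo refuses to use a sudoers file that carries more permission bits than 0440 (it reports that the file "should be 0440"), so `admin` ends up with no working sudo at all; write it as `copy: src=sudoers dest=/etc/sudoers mode=0440 validate='visudo -cf %s'` so a syntax error cannot lock root out of sudo either. The preceding `lineinfile` on /etc/sudoers is overwritten by that copy one task later, so its `%wheel ... NOPASSWD: ALL` line survives nowhere and the task can be dropped, and the copy task itself is mislabelled `Write mirrorlist`. `/home/admin/.ssh` and the copied authorized_keys are created root-owned with default modes — sshd's StrictModes tolerates root ownership, but `file: path=/home/admin/.ssh state=directory owner=admin group=admin mode=0700` and `copy: src=authorized_keys dest=/home/admin/.ssh/authorized_keys owner=admin group=admin mode=0600` keep the key file private to the account it authorizes.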
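Review bot: `copy: src=sshd_config dest=/etc/ssh/sshd_config mode=0644` has no `validate`, and because `sshd.socket` spawns a fresh sshd for each connection, a broken config would not fail the play but every subsequent login; `copy: src=sshd_config dest=/etc/ssh/sshd_config mode=0644 validate='/usr/bin/sshd -t -f %s'` catches that at deploy time. The `file: src=/dev/pts/ptmx dest=/dev/ptmx state=link` task also refuses to convert an existing `/dev/ptmx` device node into a link unless `force=yes` is given, so on a container whose LXC config already supplies that node the play presumably stops here — worth checking against the container configuration in use.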