add ssh + admin account for every container
This commit is contained in:
parent
baaee38387
commit
4120ca752b
@ -48,9 +48,9 @@ class Connection(object):
|
|||||||
|
|
||||||
def _generate_cmd(self, executable, cmd):
|
def _generate_cmd(self, executable, cmd):
|
||||||
if executable:
|
if executable:
|
||||||
return [self.lxc_attach, "--name", self.host, "--", executable, "-c", cmd]
|
return [self.lxc_attach, "-e", "--name", self.host, "--", executable, "-c", cmd]
|
||||||
else:
|
else:
|
||||||
return "%s --name %s -- %s" % (self.lxc_attach, self.host, cmd)
|
return "%s -e --name %s -- %s" % (self.lxc_attach, self.host, cmd)
|
||||||
|
|
||||||
def exec_command(self, cmd, tmp_path, sudo_user=None, sudoable=False, executable="/bin/sh", in_data=None, su=None, su_user=None):
|
def exec_command(self, cmd, tmp_path, sudo_user=None, sudoable=False, executable="/bin/sh", in_data=None, su=None, su_user=None):
|
||||||
""" run a command on the chroot """
|
""" run a command on the chroot """
|
||||||
|
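Review bot: The `-e` added to both lxc-attach command forms runs the attached command with elevated privileges, i.e. without taking on the container's capability, cgroup and LSM confinement, and neither line records why that is required, so a later reader of `_generate_cmd` will assume the command is confined like the container itself. Suggest a comment above `if executable:` along the lines of `# -e (--elevated-privileges): the attached command keeps the host's privileges instead of the container's confinement; required because <reason - TODO author>`, and if only one of the three privilege classes is actually needed, lxc-attach's `--elevated-privileges=CGROUP|CAP|LSM` form is narrower than the blanket `-e`. The string form on the `else` branch still interpolates `self.host` and `cmd` unquoted; that predates this commit but the line is rewritten here, so if host can ever carry shell metacharacters it needs quoting (`pipes.quote`/`shlex.quote`). `exec_command`'s body continues outside the hunk.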
@ -12,6 +12,7 @@
|
|||||||
- the_silver_searcher
|
- the_silver_searcher
|
||||||
- zsh
|
- zsh
|
||||||
- git
|
- git
|
||||||
|
- sudo
|
||||||
- name: remove deprecated packages
|
- name: remove deprecated packages
|
||||||
pacman: name={{ item }} state=absent
|
pacman: name={{ item }} state=absent
|
||||||
with_items:
|
with_items:
|
||||||
|
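--- a/roles/container/files/authorized_keys
+++ b/roles/container/files/authorized_keys
@@ -0,0 +1,7 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC43IBVYIwyhNBGAH8G0NxBecnfXYVhrKQhe0mx1H2UawuYy9HGBfco/q5d8SynlPHla4nQoLIGOm/OUY1Ijksg9W28rjCPfjHxeZ+2JoDLF4Qc9PiaKfW8LuOcgKCbK1jaRn+3Zw0iIK9CuMMpPGSP2QmMIRE5rU7OBfBkxz6Uz0W6IpZXmtXo52Vxlr4IGXDpeMdLLWgG/jD93qYiNLSP3PYiM5H2DbL3d4qpjOiw3h01s4CYAyxAqRWgISCMKyD7denacfSWHl8/7+4E1bBvo+UzTv908046asXcL1i/kwp4q761ocoU6ZNdl2O+Aunro0UQaNHgxik8wtMqmhVj devkid@ThinkPad
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzdS6xog803ySrz1+hTUYlL89Wbb5p+7hd1WvDXHP4ERICuouVYO/F54saCokpcZBSyMtBC11+Yvk5J+L6pNuDJki04y4fr0HMmIVc5khuvNAiiH/8IFZk9v8uf7dyHVJyKIB+4LFMXuFB5i9gtoTM8WpIu8lYzIK6BEG1xhnfmPrLTWOw4w1Ty3iE93VPt3qRYxsB6Dx4f2n3S0piLQ+sX/aHiDO+MNdZTKJMdzPkqp89b8kF6vRyAp8WuiQDJkZJK+QKG+dvMKAofv7G97eO01TKNLPLqtswDGCnkXjkBrQ2tY7Nq5fannLGKBl+qOu3SRq8FRBaiPDa7uzCV3Vr devkid@desktop
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqGFihjjWEF8yh/SkFl6vqjYHrYGAfdyqMcHSJdi38i9A6kUwFhAXREQ84PCOZbU35bkeNnZqb1ZATQR/clsTzEE3r3k4KzV6Qh+IYWdwh0QZ1JACOiC8Cv1+AafaCcK1LOzIJzghuoFjLeTvoCwQmc8+XXRsg/mDCAI0HFh5QeyWjVxw76KCPq/FqEBq0Gp+oN3RCKBnEGSa7qAG87rSqfeq1aidNLJi/KqbQ1SfwFhGd/kJqr/rNbnk+1l8Nc+DHOwyIApga+M8EPCrkfXO9yIEBMER3OLxcgyguOEZ42HD6elHKxo0sAH+XBKdEx30kc6zuKtG03OewUprWt8xl s4039299@e04003
+ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAFEbRQAxq3GguBZh+O0YdgxLW3zGt4mkw1LLUbn5IQ49qa0jqfnJ/h4Dtvt2i9Pu4/mobB0w+jmFqjqQ5JIoFuFLwD+PxS3CN62hMwAc3mx7cPeXNHa/51PCDmSNNdPFprt4Wi1tyCXedlYAan/bFYYFHAVJLevFNgkCO4IyP/HQTxIPw== joerg@turingmachine
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmhREPkvzdhHA25RLPfczqbdvuxLTvjmboPNZtVoP/T+hnSyeGsWLSqZBlFIGFs/Hpb2eCwt98NR8j0JgHF4SyB89n9VEa4whbonGVNHceYbxfvIDcFMSYLBy0DYzMpaYesN/YK7leths4NLJqvTpf4by1dps8s/eVgvEkzUk8qgZ0HHdfLeHpP0tBI8tB5jqvGPgquJXG9z++HEKpHBlYlakpQSCn2owZexVKI6cKpUNZkYMVTvUFOlOOYpgHKgiu86t8M+k6Evr1rBFaWhpS1xeXvhLbcbRc3FaQSlIgkFUPYA7hUN3XzCbx6H+oMloJ9u2i3i89p1BtGGSK5EDf Albert@ipad albert
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/A9QBuYHRvKeueWKQxajqNhp9QOiQjdFTvrt8xG+URd6YHCkYHtCffyU6mftgP7x0jH0/ArHHfQWDujSguAn4UtXO90I4sZ3c01GWOSTit7I5aRh0/0J6Vjwfw2GorQMxyX/bBIzBQuyDX6k01gU8y4X0BfzhKMRI0CPBNjbGifSboAV1hEGXZiKFYLQWC5AD6JUhzu9dNyxOH8KcIogQiC/Rglwu25Y5NID5LR3IVhaX1nlLPe6BtfbiSF7Iid1z87f9Ff458TnZHNQBKR3Ak0u/iItmau56b0uDPmDVPDX25zMZ+F2gDZZzeiD8ePVOxY0lznn5ekmv9 albertschulz@Albert-Schulzs-MacBook-Pro.local
+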
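Review bot: Nothing in this file says what these six keys unlock; combined with the `admin ALL=(ALL) NOPASSWD: ALL` rule in the sudoers shipped by the same commit, every key listed here is passwordless root on every container the role is applied to, so this file is effectively the root access list and should say so. Suggest a leading comment, `# Keys here log in as the shared 'admin' account, which has passwordless sudo on every container - review on every change`. Because the role copies the whole file rather than managing keys individually, revoking one key means editing this file and re-running the role on each container, which is worth stating in the same comment. The trailing empty line is harmless (sshd ignores blank lines) but unusual for an authorized_keys file.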
@ -9,9 +9,12 @@ export TTY=$(tty)
|
|||||||
export GPG_TTY=$TTY
|
export GPG_TTY=$TTY
|
||||||
|
|
||||||
# shell opts: see bash(1)
|
# shell opts: see bash(1)
|
||||||
shopt -s cdspell dirspell extglob histverify no_empty_cmd_completion checkwinsize
|
shopt -s autocd cdspell dirspell extglob no_empty_cmd_completion
|
||||||
|
shopt -s checkwinsize checkhash
|
||||||
|
shopt -s histverify histappend histreedit cmdhist
|
||||||
|
|
||||||
set -o notify # notify of completed background jobs immediately
|
set -o notify # notify of completed background jobs immediately
|
||||||
|
set -o noclobber # don\'t overwrite files by accident
|
||||||
ulimit -S -c 0 # disable core dumps
|
ulimit -S -c 0 # disable core dumps
|
||||||
stty -ctlecho # turn off control character echoing
|
stty -ctlecho # turn off control character echoing
|
||||||
|
|
||||||
@ -82,10 +85,11 @@ mkcd() {
|
|||||||
[[ -d $1 ]] && builtin cd "$1"
|
[[ -d $1 ]] && builtin cd "$1"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function ff() { find . -type f -iname '*'"$*"'*' -ls ; }
|
||||||
|
|
||||||
alias ..='cd ..'
|
alias ..='cd ..'
|
||||||
alias ...='cd ../..'
|
alias ...='cd ../..'
|
||||||
alias ....='cd ../../..'
|
alias ....='cd ../../..'
|
||||||
alias ff='/usr/bin/find . -iname "*$@*"'
|
|
||||||
alias gensums='[[ -f PKGBUILD ]] && makepkg -g >> PKGBUILD'
|
alias gensums='[[ -f PKGBUILD ]] && makepkg -g >> PKGBUILD'
|
||||||
alias info='info --vi-keys'
|
alias info='info --vi-keys'
|
||||||
alias j='jobs'
|
alias j='jobs'
|
||||||
|
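Review bot: The new `ff` helper is declared as `function ff() { … }`, while the rest of the file (see `mkcd() {` in the hunk header) uses the plain `name() {` form; mixing the two is a style inconsistency and the `function` keyword adds nothing here, so `ff() { find . -type f -iname '*'"$*"'*' -ls ; }` matches the file. With `$*` all arguments are joined into a single pattern, which is fine if one search term with spaces is the intent, but a short comment would help since the removed `alias ff` suggested per-argument handling (which an alias never provided). The comment on the new `set -o noclobber` line reads `don\'t`; the backslash is inert inside a comment but looks like a stray escape and should read `don't overwrite files by accident`. `mkcd` starts outside the second hunk.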
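--- a/roles/container/files/mirrorlist
+++ b/roles/container/files/mirrorlist
@@ -0,0 +1 @@
+/etc/pacman.d/mirrorlist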
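--- a/roles/container/files/ptmx.conf
+++ b/roles/container/files/ptmx.conf
@@ -0,0 +1 @@
+L /dev/ptmx - - - - /dev/pts/ptmx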
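--- a/roles/container/files/sshd_config
+++ b/roles/container/files/sshd_config
@@ -0,0 +1,12 @@
+Port 22
+
+AuthorizedKeysFile .ssh/authorized_keys
+
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+
+UsePAM yes
+
+PrintMotd no
+UsePrivilegeSeparation sandbox
+Subsystem sftp /usr/lib/ssh/sftp-server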
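Review bot: `PermitRootLogin` is not set, so root SSH access falls back to the sshd build's default, which differs between OpenSSH releases (`yes` before 7.0, `prohibit-password` from 7.0 on); since this commit routes all access through the `admin` account and its keys, pinning `PermitRootLogin no` states that intent explicitly and takes root's own authorized_keys out of the picture. `UsePrivilegeSeparation sandbox` was deprecated in OpenSSH 7.5 (sandboxing became unconditional), so on a current openssh package sshd logs a deprecation warning for that line; either drop it or add a comment naming the sshd version the file targets. `PasswordAuthentication no` together with `ChallengeResponseAuthentication no` does make the server key-only, which is the right default for a shared admin account.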
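--- a/roles/container/files/sudoers
+++ b/roles/container/files/sudoers
@@ -0,0 +1,92 @@
+## sudoers file.
+##
+## This file MUST be edited with the 'visudo' command as root.
+## Failure to use 'visudo' may result in syntax or file permission errors
+## that prevent sudo from running.
+##
+## See the sudoers man page for the details on how to write a sudoers file.
+##
+
+##
+## Host alias specification
+##
+## Groups of machines. These may include host names (optionally with wildcards),
+## IP addresses, network numbers or netgroups.
+# Host_Alias WEBSERVERS = www1, www2, www3
+
+##
+## User alias specification
+##
+## Groups of users. These may consist of user names, uids, Unix groups,
+## or netgroups.
+# User_Alias ADMINS = millert, dowdy, mikef
+
+##
+## Cmnd alias specification
+##
+## Groups of commands. Often used to group related commands together.
+# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
+# /usr/bin/pkill, /usr/bin/top
+# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
+
+##
+## Defaults specification
+##
+## You may wish to keep some of the following environment variables
+## when running commands via sudo.
+##
+## Locale settings
+Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
+##
+## Run X applications through sudo; HOME is used to find the
+## .Xauthority file. Note that other programs use HOME to find
+## configuration files and this may lead to privilege escalation!
+#Defaults env_keep += "HOME"
+##
+## X11 resource path settings
+# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
+##
+## Desktop path settings
+# Defaults env_keep += "QTDIR KDEDIR"
+##
+## Allow sudo-run commands to inherit the callers' ConsoleKit session
+# Defaults env_keep += "XDG_SESSION_COOKIE"
+##
+## Uncomment to enable special input methods. Care should be taken as
+## this may allow users to subvert the command being run via sudo.
+# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+##
+## Uncomment to enable logging of a command's output, except for
+## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
+# Defaults log_output
+# Defaults!/usr/bin/sudoreplay !log_output
+# Defaults!/usr/local/bin/sudoreplay !log_output
+# Defaults!REBOOT !log_output
+
+##
+## Runas alias specification
+##
+
+##
+## User privilege specification
+##
+root ALL=(ALL) ALL
+
+## Uncomment to allow members of group wheel to execute any command
+%wheel ALL=(ALL) ALL
+admin ALL=(ALL) NOPASSWD: ALL
+
+## Same thing without a password
+# %wheel ALL=(ALL) NOPASSWD: ALL
+
+## Uncomment to allow members of group sudo to execute any command
+# %sudo ALL=(ALL) ALL
+
+## Uncomment to allow any user to run sudo if they know the password
+## of the user they are running the command as (root by default).
+# Defaults targetpw # Ask for the password of the target user
+# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
+
+## Read drop-in files from /etc/sudoers.d
+## (the '#' here does not indicate a comment)
+#includedir /etc/sudoers.d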
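Review bot: The `%wheel ALL=(ALL) ALL` line is now active but the heading directly above it still reads `## Uncomment to allow members of group wheel to execute any command`, and the new `admin ALL=(ALL) NOPASSWD: ALL` line below it overlaps with it because the task file in this commit adds `admin` to `wheel`; with sudoers last-match semantics admin ends up passwordless and the wheel rule is only the password-protected path for any other wheel member. Since the user task creates `admin` without setting a password, a password prompt could never succeed for that account, so NOPASSWD is the actual access model and the file should say so; suggest replacing the stale heading with `## wheel members may run any command with their password; 'admin' (key-only login, no password set) is exempt from the prompt`. The header's insistence that the file MUST be edited with visudo no longer holds for a file deployed by the role, so a note that the deployed copy is checked with `visudo -cf` (in the task that installs it) is the equivalent safeguard.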
@ -16,13 +16,27 @@
|
|||||||
- name: delete .zshrc
|
- name: delete .zshrc
|
||||||
file: path=/root/.zshrs state=absent
|
file: path=/root/.zshrs state=absent
|
||||||
|
|
||||||
|
- name: Allow wheel group to use sudo
|
||||||
|
lineinfile: "dest=/etc/sudoers state=present regexp='^%wheel' line='%wheel ALL=(ALL) NOPASSWD: ALL'"
|
||||||
|
- name: Write mirrorlist
|
||||||
|
copy: src=sudoers dest=/etc/sudoers mode=0644
|
||||||
|
- user: name=admin shell=/bin/bash groups=wheel append=yes
|
||||||
|
- name: Create ~admin/.ssh
|
||||||
|
file: path=/home/admin/.ssh state=directory
|
||||||
|
- name: SSH Keys
|
||||||
|
copy: src=authorized_keys dest=/home/admin/.ssh/authorized_keys
|
||||||
|
|
||||||
- name: deploy dotfiles
|
- name: deploy dotfiles
|
||||||
copy: src={{ item }} dest=/root/.{{ item }}
|
copy: src="{{ item[0] }}" dest="{{ item[1].dest }}/.{{ item[0] }}" owner="{{ item[1].owner }}" group="{{ item[1].group }}"
|
||||||
with_items:
|
with_nested:
|
||||||
- bashrc
|
- ['bashrc', 'dircolors', 'vimrc']
|
||||||
- dircolors
|
-
|
||||||
- vimrc
|
- {dest: "/home/admin", owner: "admin", group: "admin"}
|
||||||
|
- {dest: "/root", owner: "root", group: "root"}
|
||||||
|
|
||||||
- mount: name=/run/systemd/journal/ src=/mnt/journal fstype=none opts=bind,ro state=present
|
- mount: name=/run/systemd/journal/ src=/mnt/journal fstype=none opts=bind,ro state=present
|
||||||
|
|
||||||
- name: backup directory
|
- name: backup directory
|
||||||
file: path=/root/.vim.backupdir state=directory
|
file: path=/root/.vim.backupdir state=directory
|
||||||
|
|
||||||
|
- include: ssh.yml
|
||||||
|
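Review bot: The `copy: src=sudoers dest=/etc/sudoers mode=0644` task replaces /etc/sudoers without validation and at a mode sudo does not expect: visudo writes the file root-owned 0440, sudo checks mode and ownership before trusting it (how strictly varies by version), and a syntax slip in the shipped copy locks sudo on every container at once, so the task should set `owner=root group=root mode=0440` and use the module's `validate='visudo -cf %s'`. The task is also labelled `Write mirrorlist`, and the `lineinfile` task just above it, which writes `%wheel ALL=(ALL) NOPASSWD: ALL` into /etc/sudoers, is overwritten moments later by that copy (whose wheel line has no NOPASSWD), so one of the two is dead and the intended wheel policy is ambiguous. `~admin/.ssh` and its `authorized_keys` are created with no owner or mode, so they come out root-owned with umask permissions; sshd's StrictModes tolerates root ownership, but pinning `owner=admin group=admin` with `mode=0700`/`mode=0600` removes the dependency on the umask and keeps the key list unreadable to other accounts in the container. The unnamed `- user: name=admin …` task should carry a `name:` like its neighbours.
```yaml
# … unchanged: delete .zshrc task …
# (the "Allow wheel group to use sudo" lineinfile task is dropped: the sudoers copy below overwrites it)
- name: Write sudoers
  copy: src=sudoers dest=/etc/sudoers owner=root group=root mode=0440 validate='visudo -cf %s'
- name: Create admin user
  user: name=admin shell=/bin/bash groups=wheel append=yes
- name: Create ~admin/.ssh
  file: path=/home/admin/.ssh state=directory owner=admin group=admin mode=0700
- name: SSH Keys
  copy: src=authorized_keys dest=/home/admin/.ssh/authorized_keys owner=admin group=admin mode=0600
# … unchanged: deploy dotfiles, journal mount, backup directory, include ssh.yml …
```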
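--- a/roles/container/tasks/ssh.yml
+++ b/roles/container/tasks/ssh.yml
@@ -0,0 +1,10 @@
+- name: install openssh
+pacman: name=openssh state=present
+- name: Write sshd_config
+copy: src=sshd_config dest=/etc/ssh/sshd_config mode=0644
+- name: symlink /dev/pts/ptmx to /dev/ptmx for sshd pty
+file: src=/dev/pts/ptmx dest=/dev/ptmx state=link
+- name: tmpfiles.d/ptmx.conf
+copy: src=ptmx.conf dest=/etc/tmpfiles.d/ptmx.conf mode=0644
+- name: start sshd.socket
+service: name=sshd.socket state=started enabled=yes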
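Review bot: `Write sshd_config` has no `notify`, so a later change to sshd_config is copied but never applied to a running daemon; with `sshd.socket` that is only safe because systemd starts a fresh sshd per connection (if the per-connection unit runs `sshd -i`, as Arch's does, the config is reread each time), and that reliance is invisible in the task. Suggest a comment on the copy task, `# no handler: sshd.socket spawns a fresh sshd per connection, so sshd_config is reread on every login`, or a `notify` plus a handler so the role also holds if someone later switches to the persistent `sshd.service`. The `/dev/ptmx` symlink task takes effect immediately and the tmpfiles.d entry recreates it on boot, which is consistent.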