Multiple user config changes

Starting to make the system operable without using root. Changes to groups, sudo, some file permissions. Places all the user key config into users.pp
2023-03-18 22:40:41 +01:00 · 2023-03-18 22:40:41 +01:00 · 51760b1bcf
commit 51760b1bcf
parent 306bb24792
8 changed files with 75 additions and 44 deletions
--- a/modules/rhizo_base/files/bin/install_callie
+++ b/modules/rhizo_base/files/bin/install_callie
--- a/modules/rhizo_base/files/bin/notify-freeswitch.sh
+++ b/modules/rhizo_base/files/bin/notify-freeswitch.sh
--- a/modules/rhizo_base/files/etc/sudoers.Debian
+++ b/modules/rhizo_base/files/etc/sudoers.Debian
@ -16,7 +16,7 @@ Defaults	env_keep+=SSH_AUTH_SOCK
 # User alias specification

 # Cmnd alias specification
-Cmnd_Alias OP_CMDS = /usr/bin/sngrep
+Cmnd_Alias OP_CMDS = /usr/bin/sngrep, /usr/sbin/tcpdump
 Cmnd_Alias DATABASE = /usr/bin/psql, /usr/bin/pg_dump

 # User privilege specification
--- a/modules/rhizo_base/manifests/freeswitch.pp
+++ b/modules/rhizo_base/manifests/freeswitch.pp
@ -243,25 +243,6 @@ class rhizo_base::freeswitch::common {
      mode    => '0750'
    }

-  # SSH Deploy key and config for gitlab
-  file { '/root/.ssh/bsc_dev':
-      ensure  => present,
-      mode    => '0600',
-      content => hiera('rhizo::bsc_dev_deploy_key'),
-  }
-
-  file { '/root/.ssh/config':
-      ensure => present,
-      source => 'puppet:///modules/rhizo_base/ssh/config',
-  }
-
-  sshkey { 'dev_host_key':
-      name   => 'dev.rhizomatica.org',
-      ensure => present,
-      key    => hiera('rhizo::dev_host_key'),
-      type   => 'ssh-rsa',
-  }
-
  vcsrepo { '/usr/share/freeswitch/sounds/rccn':
    schedule  => 'always',
    ensure    => latest,
--- a/modules/rhizo_base/manifests/init.pp
+++ b/modules/rhizo_base/manifests/init.pp
@ -267,7 +267,7 @@ schedule { 'never':
      ensure  => present,
      content => template('rhizo_base/vars.sh.erb'),
      owner   => 'root',
-      group   => 'rhizomatica'
+      group   => 'operator'
    }

  file { '/home/rhizomatica/bin/pg_backup_rotated.sh':
@ -583,12 +583,6 @@ schedule { 'never':
      mode    => '0750'
    }

-  file { '/root/.ssh/bts_key':
-      ensure  => present,
-      mode    => '0600',
-      content => hiera('rhizo::bts_key'),
-  }
-
  file { '/var/log/rccn':
      ensure  => link,
      target  => '/var/rhizomatica/rccn/log',
@ -613,10 +607,6 @@ schedule { 'never':
      require => Vcsrepo['/var/rhizomatica'],
    }

-  file { '/root/.ssh':
-      ensure => directory
-    }
-
 #Python modules
  class { 'python':
      version => 'system',
@ -719,4 +709,11 @@ schedule { 'never':
    ensure   => 'running'
  }

+  sshkey { 'dev_host_key':
+      name   => 'dev.rhizomatica.org',
+      ensure => present,
+      key    => hiera('rhizo::dev_host_key'),
+      type   => 'ssh-rsa',
+  }
+
 }
--- a/modules/rhizo_base/manifests/users.pp
+++ b/modules/rhizo_base/manifests/users.pp
@ -16,11 +16,13 @@ class rhizo_base::users {
  $pgsql_pwd     = $rhizo_base::pgsql_pwd

  user { 'rhizomatica':
-      ensure   => present,
-      gid      => 'rhizomatica',
-      home     => '/home/rhizomatica',
-      password => Sensitive($password_hash),
-      uid      => '1000',
+      ensure     => present,
+      gid        => 'rhizomatica',
+      groups     => ['sudo', 'dip', 'plugdev', 'netdev', 'operator'],
+      membership => inclusive,
+      home       => '/home/rhizomatica',
+      password   => Sensitive($password_hash),
+      uid        => '1000',
      purge_ssh_keys => true
  }

@ -60,6 +62,19 @@ class rhizo_base::users {
      mode     => '0600'
  }

+  file { '/home/tic/.ssh/config':
+      content  => template('rhizo_base/ssh_user_config.erb'),
+      owner    => 'tic',
+      group    => 'tic',
+      mode     => '0600'
+  }
+
+  file { '/home/osmocom/.ssh/config':
+      content  => template('rhizo_base/ssh_user_config.erb'),
+      owner    => 'osmocom',
+      mode     => '0600'
+  }
+
  file { '/home/tic/.bash_aliases':
      content  => template('rhizo_base/bash_aliases.erb'),
      owner    => 'tic',
@ -67,4 +82,42 @@ class rhizo_base::users {
      mode     => '0640'
  }

-}
+  file { '/root/.ssh':
+      ensure => directory
+  }
+
+  file { '/root/.ssh/bts_key':
+      ensure  => present,
+      mode    => '0600',
+      content => hiera('rhizo::bts_key'),
+  }
+
+  file { '/home/tic/.ssh/bts_key':
+      ensure  => present,
+      mode    => '0600',
+      owner    => 'tic',
+      group    => 'tic',
+      content => hiera('rhizo::bts_key'),
+  }
+
+  file { '/home/osmocom/.ssh/bts_key':
+      ensure  => present,
+      mode    => '0600',
+      owner   => 'osmocom',
+      content => hiera('rhizo::bts_key'),
+  }
+
+  # SSH Deploy key and config for gitlab
+  file { '/root/.ssh/bsc_dev':
+      ensure  => present,
+      mode    => '0600',
+      content => hiera('rhizo::bsc_dev_deploy_key'),
+  }
+
+  file { '/root/.ssh/config':
+      ensure => present,
+      source => 'puppet:///modules/rhizo_base/ssh/config',
+  }
+
+
+}
--- a/modules/rhizo_base/templates/bash_aliases.erb
+++ b/modules/rhizo_base/templates/bash_aliases.erb
@ -1,3 +1,4 @@
 alias psql='psql postgresql://rhizomatica:<%= @pgsql_pwd %>@localhost/rhizomatica'
 alias systemctl='sudo systemctl'
 alias journalctl='sudo journalctl'
+alias sudo="/usr/bin/sudo -n"
--- a/modules/rhizo_base/templates/ssh_user_config.erb
+++ b/modules/rhizo_base/templates/ssh_user_config.erb
@ -1,10 +1,9 @@
 Include config.local

-Host lc1
-Hostname 172.16.0.11
-User root
-
-Host lc2
-Hostname 172.16.0.12
-User root
+Host 172.16.0.??
+  User root
+  IdentityFile ~/.ssh/bts_key

+Host 172.16.0.???
+  User ubnt
+  IdentityFile ~/.ssh/ubnt_key