Multiple user config changes

Starting to make the system operable without using root.

Changes to groups, sudo, some file permissions.
Places all the user key config into users.pp
This commit is contained in:
Keith Whyte 2023-03-18 22:40:41 +01:00
parent 306bb24792
commit 51760b1bcf
8 changed files with 75 additions and 44 deletions

modules/rhizo_base/files/bin/install_callie Normal file → Executable file

modules/rhizo_base/files/bin/notify-freeswitch.sh Normal file → Executable file


@ -16,7 +16,7 @@ Defaults env_keep+=SSH_AUTH_SOCK
# User alias specification # User alias specification
# Cmnd alias specification # Cmnd alias specification
Cmnd_Alias OP_CMDS = /usr/bin/sngrep Cmnd_Alias OP_CMDS = /usr/bin/sngrep, /usr/sbin/tcpdump
Cmnd_Alias DATABASE = /usr/bin/psql, /usr/bin/pg_dump Cmnd_Alias DATABASE = /usr/bin/psql, /usr/bin/pg_dump
# User privilege specification # User privilege specification
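Review bot: Adding `/usr/sbin/tcpdump` to `OP_CMDS` is a root escalation path unless the privilege line (below this hunk, not visible) pins its arguments: under sudo tcpdump runs as root, `-w` writes an arbitrary file and `-z` executes an arbitrary post-rotate command, so any account granted OP_CMDS can obtain a root shell. `sngrep`, already in the alias, also has a pcap output option, so the alias should not be assumed read-only. Packet capture does not need sudo at all: grant `cap_net_raw,cap_net_admin` on the tcpdump binary via file capabilities (or a capture group, as the wireshark package does) and drop it from the alias, or at minimum restrict the sudoers entry to fixed arguments and add the `NOEXEC:` tag. Which users receive OP_CMDS is decided by the `User privilege specification` lines that follow the hunk, which I cannot see.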


@ -243,25 +243,6 @@ class rhizo_base::freeswitch::common {
mode => '0750' mode => '0750'
} }
# SSH Deploy key and config for gitlab
file { '/root/.ssh/bsc_dev':
ensure => present,
mode => '0600',
content => hiera('rhizo::bsc_dev_deploy_key'),
}
file { '/root/.ssh/config':
ensure => present,
source => 'puppet:///modules/rhizo_base/ssh/config',
}
sshkey { 'dev_host_key':
name => 'dev.rhizomatica.org',
ensure => present,
key => hiera('rhizo::dev_host_key'),
type => 'ssh-rsa',
}
vcsrepo { '/usr/share/freeswitch/sounds/rccn': vcsrepo { '/usr/share/freeswitch/sounds/rccn':
schedule => 'always', schedule => 'always',
ensure => latest, ensure => latest,


@ -267,7 +267,7 @@ schedule { 'never':
ensure => present, ensure => present,
content => template('rhizo_base/vars.sh.erb'), content => template('rhizo_base/vars.sh.erb'),
owner => 'root', owner => 'root',
group => 'rhizomatica' group => 'operator'
} }
file { '/home/rhizomatica/bin/pg_backup_rotated.sh': file { '/home/rhizomatica/bin/pg_backup_rotated.sh':
@ -583,12 +583,6 @@ schedule { 'never':
mode => '0750' mode => '0750'
} }
file { '/root/.ssh/bts_key':
ensure => present,
mode => '0600',
content => hiera('rhizo::bts_key'),
}
file { '/var/log/rccn': file { '/var/log/rccn':
ensure => link, ensure => link,
target => '/var/rhizomatica/rccn/log', target => '/var/rhizomatica/rccn/log',
@ -613,10 +607,6 @@ schedule { 'never':
require => Vcsrepo['/var/rhizomatica'], require => Vcsrepo['/var/rhizomatica'],
} }
file { '/root/.ssh':
ensure => directory
}
#Python modules #Python modules
class { 'python': class { 'python':
version => 'system', version => 'system',
@ -719,4 +709,11 @@ schedule { 'never':
ensure => 'running' ensure => 'running'
} }
sshkey { 'dev_host_key':
name => 'dev.rhizomatica.org',
ensure => present,
key => hiera('rhizo::dev_host_key'),
type => 'ssh-rsa',
}
} }
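Review bot: Changing the group of the `vars.sh.erb` file resource to `operator` widens who can read the rendered template, and the resource's `mode` and path lines are outside this hunk, so I cannot tell whether group members gain read access; if vars.sh carries credentials the way `bash_aliases.erb` embeds `@pgsql_pwd`, it should be `mode => '0640'` with the group limited to accounts that need it, never group-readable beyond that. `operator` is not declared as a `group` resource anywhere in this commit; Debian ships a system group of that name (presumably what is relied on), but if a project-specific group is intended, a `group { 'operator': ensure => present }` declared before this file resource avoids a failed run on hosts where it is absent. The enclosing class starts before the first hunk and the `sshkey { 'dev_host_key' }` block re-added at its end manages the system-wide known_hosts entry, which is fine as a move.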


@ -18,6 +18,8 @@ class rhizo_base::users {
user { 'rhizomatica': user { 'rhizomatica':
ensure => present, ensure => present,
gid => 'rhizomatica', gid => 'rhizomatica',
groups => ['sudo', 'dip', 'plugdev', 'netdev', 'operator'],
membership => inclusive,
home => '/home/rhizomatica', home => '/home/rhizomatica',
password => Sensitive($password_hash), password => Sensitive($password_hash),
uid => '1000', uid => '1000',
@ -60,6 +62,19 @@ class rhizo_base::users {
mode => '0600' mode => '0600'
} }
file { '/home/tic/.ssh/config':
content => template('rhizo_base/ssh_user_config.erb'),
owner => 'tic',
group => 'tic',
mode => '0600'
}
file { '/home/osmocom/.ssh/config':
content => template('rhizo_base/ssh_user_config.erb'),
owner => 'osmocom',
mode => '0600'
}
file { '/home/tic/.bash_aliases': file { '/home/tic/.bash_aliases':
content => template('rhizo_base/bash_aliases.erb'), content => template('rhizo_base/bash_aliases.erb'),
owner => 'tic', owner => 'tic',
@ -67,4 +82,42 @@ class rhizo_base::users {
mode => '0640' mode => '0640'
} }
file { '/root/.ssh':
ensure => directory
}
file { '/root/.ssh/bts_key':
ensure => present,
mode => '0600',
content => hiera('rhizo::bts_key'),
}
file { '/home/tic/.ssh/bts_key':
ensure => present,
mode => '0600',
owner => 'tic',
group => 'tic',
content => hiera('rhizo::bts_key'),
}
file { '/home/osmocom/.ssh/bts_key':
ensure => present,
mode => '0600',
owner => 'osmocom',
content => hiera('rhizo::bts_key'),
}
# SSH Deploy key and config for gitlab
file { '/root/.ssh/bsc_dev':
ensure => present,
mode => '0600',
content => hiera('rhizo::bsc_dev_deploy_key'),
}
file { '/root/.ssh/config':
ensure => present,
source => 'puppet:///modules/rhizo_base/ssh/config',
}
} }
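Review bot: The same private key `rhizo::bts_key` is now written to `/root/.ssh`, `/home/tic/.ssh` and `/home/osmocom/.ssh`, so three accounts share one credential and a compromise of any one of them cannot be revoked without re-keying every BTS; per-account keys (or agent forwarding from the operator's own key) keep rotation and the audit trail scoped. The `/home/osmocom/.ssh/config` and `/home/osmocom/.ssh/bts_key` resources set `owner` but not `group`, unlike their `tic` counterparts, so a newly created file presumably keeps the Puppet agent's group (root); add `group => 'osmocom'` for consistency, and give `/root/.ssh` an explicit `mode => '0700'` rather than whatever the agent's umask yields. Adding `rhizomatica` to `sudo` with `membership => inclusive` grants unrestricted root under Debian's default `%sudo ALL=(ALL:ALL) ALL` rule, which undercuts the commit's stated goal of operating without root; if the `OP_CMDS`/`DATABASE` aliases are what is needed, membership in `operator` alone should suffice, unless the sudoers file (not shown here) restricts `%sudo`.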


@ -1,3 +1,4 @@
alias psql='psql postgresql://rhizomatica:<%= @pgsql_pwd %>@localhost/rhizomatica' alias psql='psql postgresql://rhizomatica:<%= @pgsql_pwd %>@localhost/rhizomatica'
alias systemctl='sudo systemctl' alias systemctl='sudo systemctl'
alias journalctl='sudo journalctl' alias journalctl='sudo journalctl'
alias sudo="/usr/bin/sudo -n"
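Review bot: `alias sudo="/usr/bin/sudo -n"` makes every sudo invocation in this shell non-interactive, including the `systemctl` and `journalctl` aliases above it (bash re-expands the first word of an alias's replacement text), so whenever the account lacks a `NOPASSWD` rule covering the command it fails with `sudo: a password is required` instead of prompting. That is reasonable for scripted use but surprising in an interactive login shell; if the aim is only to avoid hung prompts in scripts, pass `-n` at those call sites, and if the aim is to pin the binary path, `alias sudo=/usr/bin/sudo` without `-n` does that. Whether a NOPASSWD rule applies is decided by the sudoers file, which this template cannot see.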


@ -1,10 +1,9 @@
Include config.local Include config.local
Host lc1 Host 172.16.0.??
Hostname 172.16.0.11
User root
Host lc2
Hostname 172.16.0.12
User root User root
IdentityFile ~/.ssh/bts_key
Host 172.16.0.???
User ubnt
IdentityFile ~/.ssh/ubnt_key
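Review bot: `Host 172.16.0.??` and `Host 172.16.0.???` are length-exact globs, since `?` in ssh_config matches exactly one character: hosts `172.16.0.1` through `172.16.0.9` match neither block and get no `User`/`IdentityFile`, while any other three-character suffix (for example `172.16.0.1a2`) is treated as a ubnt device. Use `Host 172.16.0.? 172.16.0.??` for the BTS block, or better, keep explicit `Host`/`Hostname` aliases like the `lc1`/`lc2` entries being removed so a typo cannot silently select the wrong identity for a root login. `~/.ssh/ubnt_key` is referenced but I do not see a resource creating it in this commit; ssh silently skips a missing IdentityFile and offers agent keys instead, so confirm it is managed elsewhere.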