From 197ec0834123a5fa7b17e4ab01d10208deb6396d Mon Sep 17 00:00:00 2001 From: Roxedus Date: Wed, 19 Oct 2022 00:18:29 +0200 Subject: [PATCH] Prox QoL --- ansible/group_vars/all.yml | 2 - ansible/group_vars/prox.yml | 5 ++- ansible/roles/proxmox/tasks/create_user.yml | 14 ------- ansible/roles/proxmox/tasks/main.yml | 24 +++--------- .../roles/proxmox/templates/get_cert.sh.j2 | 37 +++++++++++++++++++ ansible/run.yml | 32 ++-------------- ansible/tasks/omp.yml | 37 ++++++++++++++++--- ansible/tasks/users.yml | 10 ++++- 8 files changed, 92 insertions(+), 69 deletions(-) delete mode 100644 ansible/roles/proxmox/tasks/create_user.yml create mode 100644 ansible/roles/proxmox/templates/get_cert.sh.j2 diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index 0dcee37..49bacdf 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -17,8 +17,6 @@ users: passwordless: True github: Roxedus password: "{{ secret_rox_pass }}" - system: - - proxmox package_list: - name: bash-completion diff --git a/ansible/group_vars/prox.yml b/ansible/group_vars/prox.yml index 3656882..d926879 100644 --- a/ansible/group_vars/prox.yml +++ b/ansible/group_vars/prox.yml @@ -1 +1,4 @@ -do_become: true +do_become: false + +security_ssh_permit_root_login: "yes" +security_sudoers_passwordless: [] diff --git a/ansible/roles/proxmox/tasks/create_user.yml b/ansible/roles/proxmox/tasks/create_user.yml deleted file mode 100644 index 8fc71d2..0000000 --- a/ansible/roles/proxmox/tasks/create_user.yml +++ /dev/null @@ -1,14 +0,0 @@ -- name: Create user - become: "{{ do_become }}" - command: - argv: - - pvesh - - create - - /access/users - - --userid - - "{{ item.username }}@pam" - - --comment - - "Managed by Ansible" - - --password - - "{{ item.password | default(None) }}" - - --output-format=json diff --git a/ansible/roles/proxmox/tasks/main.yml b/ansible/roles/proxmox/tasks/main.yml index 169119e..2d009da 100644 --- a/ansible/roles/proxmox/tasks/main.yml 
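Review bot: `security_ssh_permit_root_login: "yes"` in prox.yml allows root to log in with a password as well as a key, which is broader than this patch needs: the users.yml change in the same commit installs GitHub keys into root's authorized_keys, so `security_ssh_permit_root_login: "prohibit-password"` keeps the root-over-SSH workflow while refusing password logins (assuming the variable ends up as sshd_config `PermitRootLogin`, as its name suggests). Emptying `security_sudoers_passwordless` is consistent with `do_become: false`, since the prox play now connects as root directly rather than elevating.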
+++ b/ansible/roles/proxmox/tasks/main.yml @@ -1,34 +1,22 @@ -# - name: Get users -# become: "{{ do_become }}" -# command: -# argv: -# - pvesh -# - get -# - /access/users -# - --output-format=json -# register: pve_users - -# - name: Create users -# when: item.username not in (pve_users.stdout | from_json | community.general.json_query('[*].userid') |replace("@pam", "")) -# include_tasks: create_user.yml -# loop: "{{ users | selectattr('system', 'contains', 'proxmox') | flatten(levels=1) }}" - - name: Disable SWAP sysctl on host - become: true ansible.posix.sysctl: name: vm.swappiness value: "0" state: present - name: Disable SWAP on host - become: true ansible.builtin.command: swapoff -a - name: Remove swapfile from /etc/fstab on host - become: true ansible.posix.mount: name: "{{ item }}" fstype: swap state: absent with_items: - swap + +- name: Place script to grab certificate from Proxmox + ansible.builtin.template: + src: get_cert.sh.j2 + dest: "/root/get_cert.sh" + mode: "0760" diff --git a/ansible/roles/proxmox/templates/get_cert.sh.j2 b/ansible/roles/proxmox/templates/get_cert.sh.j2 new file mode 100644 index 0000000..035e7ba --- /dev/null +++ b/ansible/roles/proxmox/templates/get_cert.sh.j2 
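Review bot: `mode: "0760"` on the new template task leaves `/root/get_cert.sh` group-readable and group-writable even though the rendered file embeds `{{ secret_rox_pass }}` in plaintext and is run as root; a group write bit on a root-executed script is an escalation path for anyone who lands in that group. Use `mode: "0700"` and pin `owner: root` / `group: root` so both the secret and the executable are reachable only by root. The `become: true` removals on the swap tasks are fine given `do_become: false` for the prox group, but they now silently depend on the play connecting as root, which is worth a one-line comment at the top of the task file.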
@@ -0,0 +1,37 @@
+#!/usr/bin/env sh
+
+# Based on https://gist.github.com/danie1k/c3d866eb6eed93bbc16b0628639efefe
+
+HOSTNAME="gateway.rostvik.site"
+CERT_ID="2"
+USERNAME="root"
+PASSWORD="{{ secret_rox_pass }}"
+
+echo "Downloading certificate id=${CERT_ID} from ${HOSTNAME} into cert.pem file..."
+
+# Open login screen
+curl --cookie /tmp/opnsense_cookies.txt --cookie-jar /tmp/opnsense_cookies.txt \
+ https://$HOSTNAME/system_certmanager.php \
+ | grep hidden | sed -E 's/.*name="([^"\]+)" value="([^"]+)".*/\1=\2/' > /tmp/opnsense_csrf.txt
+
+POST_DATA="usernamefld=${USERNAME}&passwordfld=${PASSWORD}&login=1&$(cat /tmp/opnsense_csrf.txt)"
+
+# Perform login
+curl --cookie /tmp/opnsense_cookies.txt --cookie-jar /tmp/opnsense_cookies.txt \
+ https://$HOSTNAME/system_certmanager.php \
+ -X POST --data "${POST_DATA}" > /dev/null
+
+# Export user key
+curl --cookie /tmp/opnsense_cookies.txt --cookie-jar /tmp/opnsense_cookies.txt \
+ "https://$HOSTNAME/system_certmanager.php?act=key&id=$CERT_ID" > /etc/pve/local/pve-ssl.key
+
+# Export user cert
+curl --cookie /tmp/opnsense_cookies.txt --cookie-jar /tmp/opnsense_cookies.txt \
+ "https://$HOSTNAME/system_certmanager.php?act=exp&id=$CERT_ID" > /etc/pve/local/pve-ssl.pem
+
+rm -f /tmp/opnsense_csrf.txt /tmp/opnsense_cookies.txt
+
+# Restart pveproxy
+systemctl restart pveproxy.service
+
+echo "Done."
\ No newline at end of file
diff --git a/ansible/run.yml b/ansible/run.yml
index fa7a824..f3a73a6 100644
--- a/ansible/run.yml
+++ b/ansible/run.yml
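Review bot: The two export steps write whatever the server returns straight into `/etc/pve/local/pve-ssl.key` and `pve-ssl.pem` and then restart pveproxy, so a failed login (the CSRF `sed` is fragile and the password goes into `POST_DATA` unescaped) replaces the live key with an HTML login page and takes the Proxmox UI down. Download into a `mktemp -d` scratch directory with `curl --fail`, check the results with `openssl pkey -noout` / `openssl x509 -noout`, and only then copy them into `/etc/pve/local`. The fixed `/tmp/opnsense_cookies.txt` path is also a predictable name in a world-writable directory that holds an authenticated OPNsense session cookie, which the scratch directory removes as well. Note that the rendered script stores `secret_rox_pass` in plaintext on every Proxmox host, so the file mode the template task sets matters.
```shell
#!/usr/bin/env sh
set -eu

# … unchanged: HOSTNAME / CERT_ID / USERNAME / PASSWORD assignments …

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT INT TERM
COOKIES="$WORKDIR/cookies.txt"

# … unchanged: login-page fetch, CSRF extraction and login POST, using "$COOKIES" instead of /tmp/opnsense_cookies.txt …

# Export key and cert into the scratch dir first; --fail turns an HTTP error into a non-zero exit
curl --fail --silent --show-error --cookie "$COOKIES" --cookie-jar "$COOKIES" \
  "https://$HOSTNAME/system_certmanager.php?act=key&id=$CERT_ID" > "$WORKDIR/pve-ssl.key"
curl --fail --silent --show-error --cookie "$COOKIES" --cookie-jar "$COOKIES" \
  "https://$HOSTNAME/system_certmanager.php?act=exp&id=$CERT_ID" > "$WORKDIR/pve-ssl.pem"

# Refuse to touch the live files unless both downloads parse as PEM (a login page does not)
openssl pkey -noout -in "$WORKDIR/pve-ssl.key"
openssl x509 -noout -in "$WORKDIR/pve-ssl.pem"

cp "$WORKDIR/pve-ssl.key" /etc/pve/local/pve-ssl.key
cp "$WORKDIR/pve-ssl.pem" /etc/pve/local/pve-ssl.pem

# … unchanged: pveproxy restart and "Done." …
```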
@@ -17,27 +17,6 @@ vars_files: - "vars/vault.yml" - collections: - - ansible.builtin.apt - - ansible.builtin.apt_key - - ansible.builtin.apt_repository - - ansible.builtin.command - - ansible.builtin.copy - - ansible.builtin.dpkg_selections - - ansible.builtin.file - - ansible.builtin.get_url - - ansible.builtin.git - - ansible.builtin.group - - ansible.builtin.hostname - - ansible.builtin.lineinfile - - ansible.builtin.pip - - ansible.builtin.reboot - - ansible.builtin.stat - - ansible.builtin.template - - ansible.builtin.user - - ansible.posix.authorized_key - - ansible.posix.mount - pre_tasks: - include_tasks: tasks/users.yml with_items: "{{ users }}" @@ -185,11 +164,6 @@ tags: - prox - update - pre_tasks: - - name: Install sudo - ansible.builtin.apt: - name: sudo - state: latest roles: - role: ironicbadger_ansible-role-proxmox-nag-removal - role: proxmox @@ -273,6 +247,7 @@ state: absent loop: - 10-help-text + - 10-uname - 50-landscape-sysinfo - 50-motd-news - 80-livepatch @@ -280,8 +255,9 @@ - 90-updates-available - 91-contract-ua-esm-status - 91-release-upgrade + - 92-unattended-upgrades - 95-hwe-eol - when: ansible_distribution == 'Ubuntu' + when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' - name: Place MoTD become: "{{ do_become }}" @@ -309,7 +285,7 @@ - pihole - -up - - name: Install and update OMP + - name: Install and update chezmoi include_tasks: tasks/omp.yml - include_tasks: tasks/remove_prox_ee_apt.yml diff --git a/ansible/tasks/omp.yml b/ansible/tasks/omp.yml index b039c66..c581a69 100644 --- a/ansible/tasks/omp.yml +++ b/ansible/tasks/omp.yml 
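Review bot: The widened condition `when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'` in the motd hunk reads more cleanly as `when: ansible_distribution in ['Ubuntu', 'Debian']`. Since Proxmox VE reports itself as Debian, this also makes the motd cleanup run on the prox hosts, which looks intended but deserves a one-line comment on the task so the next reader does not take it for an accident. The task whose loop and condition this hunk extends starts above the hunk.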
@@ -10,12 +10,13 @@ - name: Check if OMP is installed ansible.builtin.stat: - path: /opt/scripts/oh-my-posh + path: /usr/local/bin/oh-my-posh register: omp_bin - name: Check OMP version when: omp_bin.stat.exists - ansible.builtin.command: /opt/scripts/oh-my-posh -version + ansible.builtin.command: /usr/local/bin/oh-my-posh --version + changed_when: false register: omp_ver - name: Get latest release of OMP 
@@ -26,20 +27,46 @@ register: omp_latest - name: Download OMP - when: not omp_bin.stat.exists or omp_latest != ( "v" + omp_ver ) + when: not omp_bin.stat.exists or omp_latest.tag != ( "v" + omp_ver.stdout ) become: "{{ do_become }}" ansible.builtin.get_url: url: https://github.com/JanDeDobbeleer/oh-my-posh/releases/download/{{ omp_latest.tag }}/posh-linux-{{ apt_arch }} dest: /usr/local/bin/oh-my-posh mode: "0744" - owner: "{{ users.0.username }}" - group: "{{ users.0.groupname }}" + force: "yes" + +- name: Check if Chezmoi is installed + ansible.builtin.stat: + path: /usr/local/bin/chezmoi + register: chezmoi_bin + +- name: Check Chezmoi version + when: chezmoi_bin.stat.exists + ansible.builtin.command: /usr/local/bin/chezmoi --version + changed_when: false + register: chezmoi_ver + +- name: Get latest release of Chezmoi + community.general.github_release: + user: twpayne + repo: chezmoi + action: latest_release + register: chezmoi_latest + +- name: Download Chezmoi + when: not chezmoi_bin.stat.exists or chezmoi_latest.tag.split(",")[0] != ( "chezmoi version v" + chezmoi_ver.stdout ) + become: "{{ do_become }}" + ansible.builtin.get_url: + url: https://github.com/twpayne/chezmoi/releases/download/{{ chezmoi_latest.tag }}/chezmoi-linux-{{ apt_arch }} + dest: /usr/local/bin/chezmoi + mode: "0744" force: "yes" - name: Add OMP to bash ansible.builtin.lineinfile: mode: "0644" path: /home/{{ users.0.username }}/.bashrc + search_string: oh-my-posh line: eval "$(oh-my-posh init bash --config https://gist.github.com/Roxedus/6a11a5dbd37c24ecacf02fb9aef06e15/raw)" create: yes diff --git a/ansible/tasks/users.yml b/ansible/tasks/users.yml index 19d59c6..55152ba 100644 --- a/ansible/tasks/users.yml +++ b/ansible/tasks/users.yml 
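Review bot: Dropping `owner`/`group` while keeping `mode: "0744"` means `/usr/local/bin/oh-my-posh` and `/usr/local/bin/chezmoi` are now root-owned and not executable by anyone else, so the `eval "$(oh-my-posh init bash …)"` this same hunk writes into `/home/{{ users.0.username }}/.bashrc` fails for any non-root user; binaries in /usr/local/bin should be `mode: "0755"`. The chezmoi comparison also looks inverted: `chezmoi_latest.tag` is a bare tag, while `chezmoi --version` (judging by the `split(",")`) prints `chezmoi version vX.Y.Z, commit …`, so `"chezmoi version v" + chezmoi_ver.stdout` can never match and the binary is re-downloaded with `force: "yes"` on every run — `chezmoi_ver.stdout.split(",")[0] != ("chezmoi version " + chezmoi_latest.tag)` appears to be the intent, assuming the tags carry the `v` prefix. Finally, both downloads pull release binaries from GitHub with no integrity check; `get_url` accepts `checksum: sha256:<url>`, so if the releases publish checksum files, point at them and a tampered or truncated asset fails the task instead of landing in /usr/local/bin.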
@@ -1,10 +1,12 @@ - name: Ensure groups exists + when: "inventory_hostname not in groups['prox']" ansible.builtin.group: name: "{{ user.groupname | default(user.username) }}" gid: "{{ user.gid | default(omit) }}" state: present - name: Add users + when: "inventory_hostname not in groups['prox']" ansible.builtin.user: name: "{{ user.username }}" uid: "{{ user.uid | default(omit) }}" @@ -14,7 +16,13 @@ password: "{{ user.password | password_hash('sha512') | default(omit) }}" - name: Add a Github key ssh key - when: "user.github is defined" + when: "user.github is defined and inventory_hostname not in groups['prox']" ansible.posix.authorized_key: user: "{{ user.username }}" key: "https://github.com/{{ user.github }}.keys" + +- name: Add a Github key ssh key + when: inventory_hostname in groups['prox'] + ansible.posix.authorized_key: + user: root + key: "https://github.com/{{ user.github }}.keys"
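Review bot: `groups['prox']` in the new `when:` conditions raises an undefined-key error on any inventory that has no `prox` group, rather than evaluating to false, so the users tasks cannot be reused outside this inventory. `when: "'prox' not in group_names"` is the idiomatic, inventory-agnostic form and avoids repeating `inventory_hostname not in groups['prox']` on three tasks.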
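Review bot: The new root-key task has no `user.github is defined` guard, unlike the non-prox task directly above it, so on a prox host the loop over `users` fails with an undefined variable as soon as one entry lacks `github`; use `when: inventory_hostname in groups['prox'] and user.github is defined`. It also deserves a comment on the task: it fetches `https://github.com/{{ user.github }}.keys` live on every run and appends the result to root's authorized_keys, so root access to every Proxmox host is now exactly as strong as that GitHub account and the TLS path to it — pinning the keys in vars or the vault would remove the runtime dependency. The task name duplicates the one above; `Add GitHub SSH keys to root (Proxmox)` keeps `--list-tasks` output unambiguous.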