├── .gitignore
├── LICENSE
├── README.md
├── meta
│   └── main.yml
├── tasks
│   └── main.yml
└── vars
    └── main.yml

/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
._*
.ideas

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2014 Servers For Hackers

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
ansible-user
============

Ansible Role for User Management

The `vars/main.yml` file should contain your user passwords.

```yml
---
admin_password: some_password
deploy_password: another_password
```

You should not save these in plaintext, however.

## Ansible Vault

Rather than save these passwords in plaintext, we can instead (with Ansible 1.5) use [Ansible Vault](http://www.ansible.com/blog/2014/02/19/ansible-vault). This lets you encrypt the contents of any YAML file.

### 1. Create An Encrypted File

    ansible-vault create vars/main.yml

This will ask you for a password, which you'll later need in order to use the variable file (so Ansible can read its contents).

You can encrypt an already-existing file as well:

    ansible-vault encrypt vars/main.yml

### 2. Edit the YAML File

You'll be brought into the file to edit. This defaults to vim. When you save the file, its contents will be encrypted.

To go back and edit the file later, use the `ansible-vault` command again:

    ansible-vault edit vars/main.yml

You'll be prompted for the password to get back into the file for editing.

The `admin_password` and `deploy_password` variables I defined in `vars/main.yml` are used inside the `tasks/main.yml` file to set the user passwords.

### 3. Run Ansible Playbooks

Set up a main playbook which uses the roles:

```yml
---
- hosts: web
  roles:
    - server
    - user
    - ssl
    - nginx
    - php
```

Then you can run it. Note that we need to use `--ask-vault-pass` so that Ansible can decrypt the encrypted variable file:

    ansible-playbook sfh.yml -s -k -u vagrant --ask-vault-pass

The above command is what I use when testing in Vagrant:

* `ansible-playbook` - run a playbook
* `sfh.yml` - use the `sfh.yml` file
* `-s` - Use "sudo" for running commands
* `-k` - Use password authentication (I don't have SSH keys set up in this case). Since user vagrant has passwordless sudo abilities, this technically isn't needed to run commands, but we need to tell Ansible not to assume that we're using key-based authentication
* `-u vagrant` - Use user "vagrant" when running commands
* `--ask-vault-pass` - Ask for the Vault password so Ansible can read encrypted files

## Generating User Passwords

Linux passwords are stored hashed (not encrypted) using the SHA-512 crypt scheme. Ansible's documentation on [generated encrypted passwords](http://docs.ansible.com/faq.html#how-do-i-generate-crypted-passwords-for-the-user-module) points out the command `mkpasswd --method=SHA-512`. This prompts for a password and returns its hash, produced with the SHA-512 method.

On Ubuntu 14.04, the `mkpasswd` command comes with the package `whois`:

    sudo apt-get install -y whois

After installing `whois`, you can use the `mkpasswd` command.

```bash
mkpasswd --method=SHA-512
Password:
$6$hCDK.2eB3VXD4$fz95AiqRvc7DHbFWYMbTiRWJza5SCHclueFkISsivF3u6dDkHQmIds1uNrVb5Fk6.6WEes6iQ25GuJx0Fteos/
```

This generated hash should be what you set as your `admin_password` and `deploy_password` values.
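The `$6$salt$hash` string above is the SHA-512 crypt format. As an added example that is not part of this role, the following Python implements that scheme from Drepper's sha-crypt specification (the same algorithm `mkpasswd --method=SHA-512` and `/etc/shadow` use), plus a `verify()` you can use to confirm that a hash pasted into `vars/main.yml` really matches the intended password; the `generate()` helper and its random salt are this example's own additions.

```python
# SHA-512 crypt ("$6$") per Drepper's sha-crypt spec; constructed example, not role code.
import hashlib
import hmac
import secrets

_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _repeat(block, n):  # tile a 64-byte digest to exactly n bytes
    return (block * (n // len(block) + 1))[:n]

def sha512_crypt(password, salt, rounds=5000):
    """Return '$6$[rounds=N$]salt$hash'; the salt is truncated to 16 chars."""
    pw, sl = password.encode(), salt.encode()[:16]
    B = hashlib.sha512(pw + sl + pw).digest()
    A = hashlib.sha512(pw + sl + _repeat(B, len(pw)))
    n = len(pw)
    while n:                       # one update per bit of the password length
        A.update(B if n & 1 else pw)
        n >>= 1
    A = A.digest()
    P = _repeat(hashlib.sha512(pw * len(pw)).digest(), len(pw))
    S = _repeat(hashlib.sha512(sl * (16 + A[0])).digest(), len(sl))
    for i in range(rounds):        # work factor: 5000 rounds unless rounds= is given
        C = hashlib.sha512(P if i & 1 else A)
        if i % 3:
            C.update(S)
        if i % 7:
            C.update(P)
        C.update(A if i & 1 else P)
        A = C.digest()
    out = []                       # crypt-style base64 over a fixed byte permutation
    for i in range(21):
        s = 22 * i % 63
        w = A[s] << 16 | A[(s + 21) % 63] << 8 | A[(s + 42) % 63]
        out += [_B64[w >> k & 0x3F] for k in (0, 6, 12, 18)]
    out += [_B64[A[63] & 0x3F], _B64[A[63] >> 6]]
    spec = f"rounds={rounds}$" if rounds != 5000 else ""
    return "$6$" + spec + sl.decode() + "$" + "".join(out)

def generate(password, rounds=5000):  # fresh random 16-char salt, as mkpasswd does
    return sha512_crypt(password, "".join(secrets.choice(_B64) for _ in range(16)), rounds)

def verify(password, hashed):
    """Check a candidate password against a stored $6$ hash in constant time."""
    f = hashed.split("$")          # ['', '6', 'rounds=N' (optional), salt, hash]
    if len(f) < 4 or f[1] != "6":
        return False
    rounds = int(f[2][7:]) if f[2].startswith("rounds=") else 5000
    return hmac.compare_digest(sha512_crypt(password, f[-2], rounds).split("$")[-1], f[-1])
```

`verify("the password you typed", "$6$hCDK.2eB3VXD4$...")` returning `False` means the hash in your vault file will lock the user out, so check before you run the playbook.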

--------------------------------------------------------------------------------
/meta/main.yml:
--------------------------------------------------------------------------------
---
dependencies: []

--------------------------------------------------------------------------------
/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Passwords are pre-hashed SHA-512 crypt strings from the (vault-encrypted) vars/main.yml.
- name: Create Admin User
  user: name=admin password="{{ admin_password }}" groups=sudo append=yes shell=/bin/bash

- name: Add Admin Authorized Key
  authorized_key: user=admin
                  key="{{ common_public_key }}"
                  state=present

- name: Create Deploy User
  user: name=deploy password="{{ deploy_password }}" groups=www-data append=yes shell=/bin/bash

- name: Add Deploy Authorized Key
  authorized_key: user=deploy
                  key="{{ common_public_key }}"
                  state=present

--------------------------------------------------------------------------------
/vars/main.yml:
--------------------------------------------------------------------------------
---
admin_password: some_password
deploy_password: another_password
common_public_key: some_public_key

--------------------------------------------------------------------------------