ansible: import osx_setup.yml.

2018-04-09 15:05:57 +01:00 · 2018-04-09 15:05:57 +01:00 · c14f6c98d1
parent 98ee3e177a
commit c14f6c98d1
2 changed files with 68 additions and 0 deletions
--- a/tests/ansible/README.md
+++ b/tests/ansible/README.md
@ -8,6 +8,11 @@ It will be tidied up over time, meanwhile, the playbooks here are a useful
 demonstrator for what does and doesn't work.


+## Preparation
+
+For OS X, run the ``osx_setup.yml`` script to create a bunch of users.
+
+
 ## ``run_ansible_playbook.sh``

 This is necessary to set some environment variables used by future tests, as
--- a/tests/ansible/osx_setup.yml
+++ b/tests/ansible/osx_setup.yml
@ -0,0 +1,63 @@
+
+#
+# Add users expected by tests to an OS X machine. Assumes passwordless sudo to
+# root.
+#
+# WARNING: this creates non-privilged accounts with pre-set passwords!
+#
+
+- hosts: all
+  become: true
+  tasks:
+    - name: Disable non-localhost SSH for Mitogen users
+      blockinfile:
+        path: /etc/ssh/sshd_config
+        block: |
+          Match User mitogen__* Address !127.0.0.1
+            DenyUsers *
+
+    - name: Create Mitogen test users
+      user:
+        name: "{{item}}"
+        shell: /bin/bash
+        password: mitogen__password
+      with_items:
+        - mitogen__require_tty
+        - mitogen__pw_required
+        - mitogen__require_tty_pw_required
+
+    - name: Hide test users from login window.
+      shell: >
+        defaults
+        write
+        /Library/Preferences/com.apple.loginwindow
+        HiddenUsersList
+        -array-add '{{item}}'
+      with_items:
+        - mitogen__require_tty
+        - mitogen__pw_required
+        - mitogen__require_tty_pw_required
+
+    - name: Require a TTY for two accounts
+      lineinfile:
+        path: /etc/sudoers
+        line: "{{item}}"
+      with_items:
+        - Defaults>mitogen__pw_required targetpw
+        - Defaults>mitogen__require_tty requiretty
+        - Defaults>mitogen__require_tty_pw_required requiretty,targetpw
+
+    - name: Require password for two accounts
+      lineinfile:
+        path: /etc/sudoers
+        line: "{{lookup('pipe', 'whoami')}} ALL = ({{item}}) ALL"
+      with_items:
+        - mitogen__pw_required
+        - mitogen__require_tty_pw_required
+
+    - name: Allow passwordless for one account
+      lineinfile:
+        path: /etc/sudoers
+        line: "{{lookup('pipe', 'whoami')}} ALL = ({{item}}) NOPASSWD:ALL"
+      with_items:
+        - mitogen__require_tty