155 lines
4.2 KiB
YAML
155 lines
4.2 KiB
YAML
|
|
#
|
|
# Add users expected by tests to an OS X machine. Assumes passwordless sudo to
|
|
# root.
|
|
#
|
|
# WARNING: this creates non-privilged accounts with pre-set passwords!
|
|
#
|
|
|
|
- hosts: test-targets
|
|
gather_facts: true
|
|
become: true
|
|
tasks:
|
|
- name: Disable non-localhost SSH for Mitogen users
|
|
blockinfile:
|
|
path: /etc/ssh/sshd_config
|
|
block: |
|
|
Match User mitogen__* Address !127.0.0.1
|
|
DenyUsers *
|
|
|
|
#
|
|
# Hashed passwords.
|
|
#
|
|
- name: Create Mitogen test group
|
|
group:
|
|
name: "mitogen__group"
|
|
|
|
- name: Create Mitogen test users
|
|
user:
|
|
name: "mitogen__{{item}}"
|
|
shell: /bin/bash
|
|
groups: mitogen__group
|
|
password: "{{ (item + '_password') | password_hash('sha256') }}"
|
|
with_items:
|
|
- has_sudo
|
|
- has_sudo_pubkey
|
|
- require_tty
|
|
- pw_required
|
|
- require_tty_pw_required
|
|
- slow_user
|
|
when: ansible_system != 'Darwin'
|
|
|
|
- name: Create Mitogen test users
|
|
user:
|
|
name: "mitogen__user{{item}}"
|
|
shell: /bin/bash
|
|
password: "{{ ('user' + item + '_password') | password_hash('sha256') }}"
|
|
with_sequence: start=1 end=21
|
|
when: ansible_system != 'Darwin'
|
|
|
|
#
|
|
# Plaintext passwords
|
|
#
|
|
- name: Create Mitogen test users
|
|
user:
|
|
name: "mitogen__{{item}}"
|
|
shell: /bin/bash
|
|
groups: mitogen__group
|
|
password: "{{item}}_password"
|
|
with_items:
|
|
- has_sudo
|
|
- has_sudo_pubkey
|
|
- require_tty
|
|
- pw_required
|
|
- require_tty_pw_required
|
|
- readonly_homedir
|
|
- slow_user
|
|
when: ansible_system == 'Darwin'
|
|
|
|
- name: Create Mitogen test users
|
|
user:
|
|
name: "mitogen__user{{item}}"
|
|
shell: /bin/bash
|
|
password: "user{{item}}_password"
|
|
with_sequence: start=1 end=21
|
|
when: ansible_system == 'Darwin'
|
|
|
|
- name: Hide test users from login window.
|
|
shell: >
|
|
defaults
|
|
write
|
|
/Library/Preferences/com.apple.loginwindow
|
|
HiddenUsersList
|
|
-array-add '{{item}}'
|
|
with_items:
|
|
- mitogen__require_tty
|
|
- mitogen__pw_required
|
|
- mitogen__require_tty_pw_required
|
|
when: ansible_system == 'Darwin'
|
|
|
|
- name: Hide test users from login window.
|
|
shell: >
|
|
defaults
|
|
write
|
|
/Library/Preferences/com.apple.loginwindow
|
|
HiddenUsersList
|
|
-array-add 'mitogen__user{{item}}'
|
|
with_sequence: start=1 end=21
|
|
when: ansible_distribution == 'MacOSX'
|
|
|
|
- name: Readonly homedir for one account
|
|
shell: "chown -R root: ~mitogen__readonly_homedir"
|
|
|
|
- name: Slow bash profile for one account
|
|
copy:
|
|
dest: ~mitogen__slow_user/.{{item}}
|
|
src: ../data/docker/mitogen__slow_user.profile
|
|
with_items:
|
|
- bashrc
|
|
- profile
|
|
|
|
- name: Install pubkey for one account
|
|
file:
|
|
path: ~mitogen__has_sudo_pubkey/.ssh
|
|
state: directory
|
|
mode: go=
|
|
owner: mitogen__has_sudo_pubkey
|
|
|
|
- name: Install pubkey for one account
|
|
copy:
|
|
dest: ~mitogen__has_sudo_pubkey/.ssh/authorized_keys
|
|
src: ../data/docker/mitogen__has_sudo_pubkey.key.pub
|
|
mode: go=
|
|
owner: mitogen__has_sudo_pubkey
|
|
|
|
- name: Require a TTY for two accounts
|
|
lineinfile:
|
|
path: /etc/sudoers
|
|
line: "{{item}}"
|
|
with_items:
|
|
- Defaults>mitogen__pw_required targetpw
|
|
- Defaults>mitogen__require_tty requiretty
|
|
- Defaults>mitogen__require_tty_pw_required requiretty,targetpw
|
|
|
|
- name: Require password for two accounts
|
|
lineinfile:
|
|
path: /etc/sudoers
|
|
line: "{{lookup('pipe', 'whoami')}} ALL = ({{item}}) ALL"
|
|
with_items:
|
|
- mitogen__pw_required
|
|
- mitogen__require_tty_pw_required
|
|
|
|
- name: Allow passwordless for two accounts
|
|
lineinfile:
|
|
path: /etc/sudoers
|
|
line: "{{lookup('pipe', 'whoami')}} ALL = ({{item}}) NOPASSWD:ALL"
|
|
with_items:
|
|
- mitogen__require_tty
|
|
- mitogen__readonly_homedir
|
|
|
|
- name: Allow passwordless for many accounts
|
|
lineinfile:
|
|
path: /etc/sudoers
|
|
line: "{{lookup('pipe', 'whoami')}} ALL = (mitogen__user{{item}}) NOPASSWD:ALL"
|
|
with_sequence: start=1 end=21
|