admin_base


ansible admin base role

Ansible role to define default admin permissions on linux servers.

Dependencies

This role uses the following ansible roles, which must be available in your ansible playbook:

A collection of SSH public keys is also needed. These must be located in a folder such as ssh_public_keys. In the following example, the files/ssh_public_keys/ folder contains one SSH public key file each for alice and bob, and two for eve. The file name format is $(name)$(optional_identifier)_$(keytype).pub:

alice_ed25519.pub
bob_ed25519.pub
eve@device1_ed25519.pub
eve@device2_ed25519.pub
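
The following check is an added example, not part of this role or of do1jlr.auth: it validates key files against the naming format above and against the ed25519-only default mentioned under "Good to know" before they are deployed. The regular expression is an assumed reading of the format (identifier written as "@..." as in the eve files), and the sample keys are constructed all-zero values.

```python
import base64
import re
import struct

# Assumed reading of $(name)$(optional_identifier)_$(keytype).pub; the "@..."
# identifier style is inferred from the example filenames, not from a spec.
FILENAME_RE = re.compile(
    r"^(?P<name>[a-z][a-z0-9-]*)(?P<ident>@[A-Za-z0-9.-]+)?_(?P<keytype>[a-z0-9]+)\.pub$")
ALLOWED_KEYTYPES = {"ed25519"}  # sshd role default according to this README


def blob_key_type(blob_b64):
    """Return the algorithm name stored inside the base64 key blob."""
    blob = base64.b64decode(blob_b64, validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def check_key_file(filename, content):
    """Return a list of problems for one public key file (empty if fine)."""
    match = FILENAME_RE.match(filename)
    if not match:
        return [f"{filename}: name is not name[@identifier]_keytype.pub"]
    keytype, problems = match["keytype"], []
    if keytype not in ALLOWED_KEYTYPES:
        problems.append(f"{filename}: key type {keytype} is not allowed")
    lines = [ln for ln in content.splitlines() if ln.strip() and not ln.startswith("#")]
    if len(lines) != 1:  # one file, one key: extra lines are not covered by the name
        return problems + [f"{filename}: expected one key, found {len(lines)}"]
    fields = lines[0].split()
    try:
        inner = blob_key_type(fields[1])
    except (IndexError, ValueError, struct.error):
        return problems + [f"{filename}: key blob is missing or malformed"]
    if not fields[0] == inner == f"ssh-{keytype}":
        problems.append(f"{filename}: line says {fields[0]}, blob holds {inner}")
    return problems


def make_pubkey(algo, comment):
    """Build a constructed, all-zero public key line (sample data only)."""
    name = algo.encode()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(32)
    return f"{algo} {base64.b64encode(blob).decode()} {comment}\n"


if __name__ == "__main__":
    print(check_key_file("alice_ed25519.pub", make_pubkey("ssh-ed25519", "alice")))
    print(check_key_file("bob_ed25519.pub", make_pubkey("ssh-rsa", "bob")))
```

Run over every file in files/ssh_public_keys/ in a pre-commit hook or CI job, it catches a key whose real type differs from what its filename claims.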

Usage

This ansible role defines default admin access that can be used across a large number of ansible-managed servers. The variable default_admins defines who is allowed to log in by default, with which SSH key and as which user, and grants them sudo permissions. So if you want to use this role for yourself, it might make sense to fork it and adjust the default variables.

Customizations for hosts or groups

For each host or group of your ansible inventory, the list of admins can be extended with the following variable:

# Add you and the ssh key [email protected] to a server
local_admins:
  - name: you
    pubkeys:
      - [email protected]

Unprivileged users can also be added in this way:

# add unprivileged users foo and bar
local_accounts:
  - foo
  - bar

Good to know

  • By default, the do1jlr.sshd role only allows defined users to log in.
  • By default, the do1jlr.sshd role only allows login with ed25519 SSH keys. Elliptic curve SSH key pairs can be created using ssh-keygen -t ed25519.
  • The do1jlr.auth role is very picky about the filenames in which the public SSH keys must be stored. Better have a look at its readme.
  • The following two ansible roles fit very well with this role. Maybe you want to use them too?
Install
ansible-galaxy install roles-ansible/ansible_admin_base_role
License
mit