From b666c4a0d3a99fa4364ab9ccfd48cf20aa49a4fa Mon Sep 17 00:00:00 2001 From: SequeI Date: Wed, 6 Nov 2024 11:55:25 +0000 Subject: [PATCH 1/3] adding non root user for tests --- molecule/default/prepare.yml | 9 ++++++ molecule/testing_user_setup.yaml | 51 ++++++++++++++++++++++++++++++ molecule/user_provided/prepare.yml | 32 ++++++++++++++----- 3 files changed, 84 insertions(+), 8 deletions(-) create mode 100644 molecule/testing_user_setup.yaml diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 1d81e9fa..9a380dc4 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -2,9 +2,18 @@ - name: Prepare hosts: molecule gather_facts: false + vars: + users: + - user: testingUser + password: testingPassword0x vars_files: - vars/vars.yml tasks: + - name: Configure Dex OIDC instance ansible.builtin.include_tasks: ../dex-config.yaml + + - name: Setup a non-root sudoer to replicate a user environment + ansible.builtin.include_tasks: ../testing_user_setup.yaml + with_items: "{{ users }}" diff --git a/molecule/testing_user_setup.yaml b/molecule/testing_user_setup.yaml new file mode 100644 index 00000000..19e1f123 --- /dev/null +++ b/molecule/testing_user_setup.yaml 
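Review bot: The `users` list with its plain-text password is defined inline in this play and duplicated verbatim in molecule/user_provided/prepare.yml (hunk @@ -2,10 of this patch), which is exactly why PATCH 2/3 has to touch both files to change a single value. Both plays already load the shared `vars/vars.yml`, so the list belongs there, or the password can come from the controller environment via the `env` lookup with a `default` fallback, leaving one source of truth and no credential literal in two playbooks. `with_items` on `ansible.builtin.include_tasks` works, but `loop: "{{ users }}"` is the current idiom; the same `with_items` form appears on the second include in hunk @@ -63,3 of user_provided/prepare.yml.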
@@ -0,0 +1,51 @@ +--- +- name: Create a non-root sudoer user + ansible.builtin.user: + name: "{{ item.user }}" + shell: /bin/bash + group: wheel + create_home: yes + +- name: Set password for testingUser + ansible.builtin.shell: echo {{ item.password }} | passwd --stdin {{ item.user }} + +- name: Configure Sudoers for the user + ansible.builtin.lineinfile: + dest: /etc/sudoers + line: "{{ item.user }} ALL = (ALL) ALL" + validate: 'visudo -cf %s' + +- name: Create an .ssh directory + ansible.builtin.file: + path: "/home/{{ item.user }}/.ssh" + state: directory + mode: "0700" + owner: "{{ item.user }}" + +- name: Configure SSH access for new user + ansible.builtin.copy: + src: "{{ molecule_ephemeral_directory }}/id_rsa.pub" + dest: "/home/{{ item.user }}/.ssh/authorized_keys" + mode: "0600" + owner: "{{ item.user }}" + +- name: Edit SSH config to disallow root login + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^(#*)?PermitRootLogin' + line: "PermitRootLogin no" + +- name: Restart SSH + ansible.builtin.service: + name: sshd + state: restarted + +- name: Modify Molecule inventory + ansible.builtin.lineinfile: + path: "{{ molecule_ephemeral_directory }}/inventory/molecule_inventory.yml" + regexp: 'ansible_user:' + line: "ansible_user: {{ item.user }}, ansible_become_password: {{ item.password }}, ansible_become: true}" + delegate_to: localhost + +- name: Force refresh inventory + ansible.builtin.meta: refresh_inventory diff --git a/molecule/user_provided/prepare.yml b/molecule/user_provided/prepare.yml index bb744480..1e6c6366 100644 --- a/molecule/user_provided/prepare.yml +++ b/molecule/user_provided/prepare.yml @@ -2,10 +2,14 @@ - name: Prepare hosts: molecule gather_facts: true - become: yes + vars: + users: + - user: testingUser + password: testingUser0x vars_files: - vars/vars.yml tasks: + - name: Configure Dex OIDC instance ansible.builtin.include_tasks: ../dex-config.yaml 
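Review bot: The `Modify Molecule inventory` task writes `ansible_user: {{ item.user }}, ansible_become_password: {{ item.password }}, ansible_become: true}` as one line, with a closing `}` that has no opening brace and flow-style commas; if the generated inventory is block-style YAML that line cannot parse as three keys (a plain scalar may not contain `: `), and if it is a flow mapping the stray brace closes it early, so the `ansible_become` settings are unlikely to reach later plays as intended. Either write the three keys as three separate `lineinfile` entries (or one `blockinfile`), or, preferably, declare them in molecule.yml under the provisioner inventory `host_vars` rather than rewriting the generated file. This task and `Set password for testingUser` both print `item.password` in task output because the loop item is echoed in results; add `no_log: true` to every task that consumes it. `create_home: yes` should be `create_home: true` (ansible-lint `yaml[truthy]`).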
@@ -17,19 +21,27 @@ - mariadb-server state: latest + - name: Set Redis password + shell: | + echo "CONFIG SET requirepass "password"" | redis-cli + + - name: Allow external connections for Redis + ansible.builtin.lineinfile: + path: /etc/redis/redis.conf + regexp: 'bind 127.0.0.1 -::1' + line: "#bind 127.0.0.1 -::1" + - name: Enable and start Redis ansible.builtin.service: name: redis enabled: yes state: started - - name: Set Redis password - shell: | - echo "CONFIG SET requirepass "password"" | redis-cli - - - name: Allow external connections for Redis - shell: | - sed -i 's/#bind_address=0.0.0.0/bind_address=0.0.0.0/g' /etc/my.cnf.d/mariadb-server.cnf + - name: Allow external connections for MariaDB + ansible.builtin.lineinfile: + path: /etc/my.cnf.d/mariadb-server.cnf + regexp: '#bind_address=0.0.0.0' + line: "bind_address=0.0.0.0" - name: Enable and start MariaDB ansible.builtin.service: @@ -63,3 +75,7 @@ GRANT ALL ON trillian.* to 'mysql'@'%' IDENTIFIED BY 'password' WITH GRANT OPTION; FLUSH PRIVILEGES; EOF + + - name: Set up a non-root sudoer to replicate a user environment + ansible.builtin.include_tasks: ../testing_user_setup.yaml + with_items: "{{ users }}" From b1850e387aebde411bf69b2a7596ca7dba99c6b9 Mon Sep 17 00:00:00 2001 From: SequeI Date: Mon, 2 Dec 2024 16:13:24 +0000 Subject: [PATCH 2/3] config --- molecule/default/prepare.yml | 2 +- molecule/user_provided/prepare.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 9a380dc4..8710f5d8 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -5,7 +5,7 @@ vars: users: - user: testingUser - password: testingPassword0x + password: password123 vars_files: - vars/vars.yml diff --git a/molecule/user_provided/prepare.yml b/molecule/user_provided/prepare.yml index 1e6c6366..1ffb1441 100644 --- a/molecule/user_provided/prepare.yml +++ b/molecule/user_provided/prepare.yml 
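Review bot: `Set Redis password` now runs before `Enable and start Redis`, so on a fresh host redis-cli has nothing to connect to unless the package install already started the service, and even when the command succeeds `CONFIG SET requirepass` is runtime-only and is lost the moment redis is restarted, which the bind change in this same hunk requires anyway. Since the hunk already edits `/etc/redis/redis.conf` with `lineinfile`, set `requirepass` there too and keep the service task after both edits; that also removes the shell quoting `"CONFIG SET requirepass "password""`, which reads as three adjacent strings rather than a quoted value. Commenting out `bind 127.0.0.1 -::1` makes Redis listen on all interfaces (its default without a `bind` directive), so a password that persists across restarts matters here. `shell:` should be `ansible.builtin.shell:` for consistency with the rest of the file, and `enabled: yes` should be `enabled: true`.
```yaml
- name: Set Redis password
  ansible.builtin.lineinfile:
    path: /etc/redis/redis.conf
    regexp: '^#?\s*requirepass '
    line: "requirepass password"

# … unchanged: Allow external connections for Redis (bind lineinfile) …

- name: Enable and start Redis
  ansible.builtin.service:
    name: redis
    enabled: true
    state: started
```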
@@ -5,7 +5,7 @@ vars: users: - user: testingUser - password: testingUser0x + password: password123 vars_files: - vars/vars.yml tasks: From c2fca543672eacb19f05cfc6b0ed33db8a3f2c44 Mon Sep 17 00:00:00 2001 From: SequeI Date: Tue, 3 Dec 2024 09:50:45 +0000 Subject: [PATCH 3/3] adding passlib --- molecule/testing_user_setup.yaml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/molecule/testing_user_setup.yaml b/molecule/testing_user_setup.yaml index 19e1f123..9356f254 100644 --- a/molecule/testing_user_setup.yaml +++ b/molecule/testing_user_setup.yaml @@ -1,14 +1,18 @@ --- +- name: Make sure Passlib is present + ansible.builtin.pip: + name: passlib + state: present + delegate_to: localhost + - name: Create a non-root sudoer user ansible.builtin.user: name: "{{ item.user }}" shell: /bin/bash group: wheel + password: "{{ item.password | password_hash }}" create_home: yes -- name: Set password for testingUser - ansible.builtin.shell: echo {{ item.password }} | passwd --stdin {{ item.user }} - - name: Configure Sudoers for the user ansible.builtin.lineinfile: dest: /etc/sudoers
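Review bot: `password: "{{ item.password | password_hash }}"` generates a fresh random salt on every run, so the stored hash never matches the new one and `ansible.builtin.user` reports `changed` on every prepare run; the documented idempotent form is `password: "{{ item.password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"`. The loop item, including the plain-text password, is still echoed in this task's output, so `no_log: true` belongs on `Create a non-root sudoer user` (the task's closing lines are outside the hunk). Installing passlib into the controller interpreter with `ansible.builtin.pip` at prepare time may fail where site-packages is not writable or the environment is externally managed; listing passlib in the project's test requirements is the more reliable place for it. `create_home: yes` should be `create_home: true`.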