Configuring non root sudoer for molecule tests (#96)
SequeI committed Jan 10, 2025
1 parent 5298ed0 commit 618561f
Showing 3 changed files with 88 additions and 8 deletions.
9 changes: 9 additions & 0 deletions molecule/default/prepare.yml
Expand Up @@ -2,9 +2,18 @@
- name: Prepare
hosts: molecule
gather_facts: false
vars:
users:
- user: testingUser
password: password123
vars_files:
- vars/vars.yml

tasks:

- name: Configure Dex OIDC instance
ansible.builtin.include_tasks: ../dex-config.yaml

- name: Setup a non-root sudoer to replicate a user environment
ansible.builtin.include_tasks: ../testing_user_setup.yaml
with_items: "{{ users }}"
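Review bot: The test sudoer's password is hard-coded in clear text at L22-L23 (`password: password123`) and the same block is repeated in molecule/user_provided/prepare.yml (L101-L103); even for throwaway molecule instances it belongs in one place that CI can override, e.g. `password: "{{ lookup('env', 'MOLECULE_TEST_USER_PASSWORD') | default('password123', true) }}"` in the shared vars/vars.yml that both plays already load. This play has no `become:` while the user_provided one sets `become: yes`, yet the included tasks edit /etc/sudoers and restart sshd, so it appears to rely on the molecule inventory connecting as root — worth stating on the include, e.g. `# assumes the inventory user is root; the include switches ansible_user afterwards`. `with_items` on an include_tasks still works, but `loop: "{{ users }}"` is the current idiom.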
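--- /dev/null
+++ b/molecule/testing_user_setup.yaml
@@ -0,0 +1,55 @@
+---
+- name: Make sure Passlib is present
+ansible.builtin.pip:
+name: passlib
+state: present
+delegate_to: localhost
+
+- name: Create a non-root sudoer user
+ansible.builtin.user:
+name: "{{ item.user }}"
+shell: /bin/bash
+group: wheel
+password: "{{ item.password | password_hash }}"
+create_home: yes
+
+- name: Configure Sudoers for the user
+ansible.builtin.lineinfile:
+dest: /etc/sudoers
+line: "{{ item.user }} ALL = (ALL) ALL"
+validate: 'visudo -cf %s'
+
+- name: Create an .ssh directory
+ansible.builtin.file:
+path: "/home/{{ item.user }}/.ssh"
+state: directory
+mode: "0700"
+owner: "{{ item.user }}"
+
+- name: Configure SSH access for new user
+ansible.builtin.copy:
+src: "{{ molecule_ephemeral_directory }}/id_rsa.pub"
+dest: "/home/{{ item.user }}/.ssh/authorized_keys"
+mode: "0600"
+owner: "{{ item.user }}"
+
+- name: Edit SSH config to disallow root login
+ansible.builtin.lineinfile:
+path: /etc/ssh/sshd_config
+regexp: '^(#*)?PermitRootLogin'
+line: "PermitRootLogin no"
+
+- name: Restart SSH
+ansible.builtin.service:
+name: sshd
+state: restarted
+
+- name: Modify Molecule inventory
+ansible.builtin.lineinfile:
+path: "{{ molecule_ephemeral_directory }}/inventory/molecule_inventory.yml"
+regexp: 'ansible_user:'
+line: "ansible_user: {{ item.user }}, ansible_become_password: {{ item.password }}, ansible_become: true}"
+delegate_to: localhost
+
+- name: Force refresh inventory
+ansible.builtin.meta: refresh_inventory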
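Review bot: The `line:` written into the inventory at L88 has an unbalanced trailing `}` and puts three key/value pairs, comma-separated, on a single line; a block-style YAML inventory reads that as one string value for `ansible_user` (or fails to parse), so `ansible_become` and `ansible_become_password` would not take effect. `lineinfile` also replaces the whole matched line verbatim, so the original line's indentation is lost; `ansible.builtin.replace` with a backreference keeps the indentation and emits one line per key (sketch below). This assumes the generated inventory is block-style YAML, which is not visible here — if `ansible_user` sits inside a flow mapping, the replacement must preserve the rest of that mapping instead. Separately, `group: wheel` (L49) exists on RHEL-family images but not by default on Debian/Ubuntu, so the user task would fail there unless the image provides it, and `create_home: yes` (L51) should be `create_home: true`.
```yaml
- name: Modify Molecule inventory
  ansible.builtin.replace:
    path: "{{ molecule_ephemeral_directory }}/inventory/molecule_inventory.yml"
    regexp: '^(\s*)ansible_user:.*$'
    replace: |-
      \1ansible_user: {{ item.user }}
      \1ansible_become: true
      \1ansible_become_password: "{{ item.password }}"
  delegate_to: localhost
```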
32 changes: 24 additions & 8 deletions molecule/user_provided/prepare.yml
Expand Up @@ -2,10 +2,14 @@
- name: Prepare
hosts: molecule
gather_facts: true
become: yes
vars:
users:
- user: testingUser
password: password123
vars_files:
- vars/vars.yml
tasks:

- name: Configure Dex OIDC instance
ansible.builtin.include_tasks: ../dex-config.yaml

Expand All @@ -17,19 +21,27 @@
- mariadb-server
state: latest

- name: Set Redis password
shell: |
echo "CONFIG SET requirepass "password"" | redis-cli
- name: Allow external connections for Redis
ansible.builtin.lineinfile:
path: /etc/redis/redis.conf
regexp: 'bind 127.0.0.1 -::1'
line: "#bind 127.0.0.1 -::1"

- name: Enable and start Redis
ansible.builtin.service:
name: redis
enabled: yes
state: started

- name: Set Redis password
shell: |
echo "CONFIG SET requirepass "password"" | redis-cli
- name: Allow external connections for Redis
shell: |
sed -i 's/#bind_address=0.0.0.0/bind_address=0.0.0.0/g' /etc/my.cnf.d/mariadb-server.cnf
- name: Allow external connections for MariaDB
ansible.builtin.lineinfile:
path: /etc/my.cnf.d/mariadb-server.cnf
regexp: '#bind_address=0.0.0.0'
line: "bind_address=0.0.0.0"

- name: Enable and start MariaDB
ansible.builtin.service:
Expand Down Expand Up @@ -63,3 +75,7 @@
GRANT ALL ON trillian.* to 'mysql'@'%' IDENTIFIED BY 'password' WITH GRANT OPTION;
FLUSH PRIVILEGES;
EOF
- name: Set up a non-root sudoer to replicate a user environment
ansible.builtin.include_tasks: ../testing_user_setup.yaml
with_items: "{{ users }}"
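Review bot: The MariaDB `lineinfile` at L137-L140 uses `regexp: '#bind_address=0.0.0.0'`, which is unanchored, has unescaped dots (regex wildcards) and matches only the commented form; the module docs recommend a pattern that matches the line both before and after the edit so re-runs stay idempotent, e.g. `regexp: '^#?bind_address=0\.0\.0\.0'`. The Redis `requirepass` is applied at runtime via `CONFIG SET` (L130-L132) while the bind change at L118-L122 is persisted in redis.conf; if that task is on the new side here, consider setting `requirepass` in redis.conf as well, since `CONFIG SET` does not survive a restart of a Redis that is now allowed to listen beyond loopback. `become: yes` at L99 is better written `become: true`. The play's tasks continue outside the hunks shown.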
