WoodSmellParticle/ansible-infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat!: disable facts injection for security purpose

Browse source
This commit is contained in:
NaeiKinDus 2023-12-10 00:00:00 +00:00
parent b33a29d0d9
commit 0829d7807f
Signed by: WoodSmellParticle
GPG key ID: 8E52ADFF7CA8AE56
9 changed files with 36 additions and 34 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
collections/ansible_collections/nullified/infrastructure/extensions/ansible.cfg
View file

@ -3,6 +3,7 @@
home = ../../../../.. home = ../../../../..
remote_tmp = /tmp remote_tmp = /tmp
local_tmp = /tmp local_tmp = /tmp
inject_facts_as_vars = False
[privilege_escalation] [privilege_escalation]
become_method = su become_method = su

8
collections/ansible_collections/nullified/infrastructure/roles/common/tasks/home_setup.yml
View file

@ -5,13 +5,13 @@
key: "{{ common.user_account }}" key: "{{ common.user_account }}"
split: ":" split: ":"
changed_when: false changed_when: false
when: getent_passwd is undefined or common.user_account not in getent_passwd when: ansible_facts['getent_passwd'] is undefined or common.user_account not in ansible_facts['getent_passwd']
- name: '[home] create common directories' - name: '[home] create common directories'
become: true become: true
become_user: "{{ common.user_account }}" become_user: "{{ common.user_account }}"
ansible.builtin.file: ansible.builtin.file:
path: "{{ getent_passwd[common.user_account][4] }}/{{ item }}" path: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/{{ item }}"
state: directory state: directory
mode: '0750' mode: '0750'
loop: loop:
@ -27,14 +27,14 @@
- name: '[home] git configuration' - name: '[home] git configuration'
ansible.builtin.template: ansible.builtin.template:
src: ../templates/home/.gitconfig.j2 src: ../templates/home/.gitconfig.j2
dest: "{{ getent_passwd[common.user_account][4] }}/.gitconfig" dest: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/.gitconfig"
mode: '0640' mode: '0640'
when: common.git.enable is truthy when: common.git.enable is truthy
- name: '[home] basic files' - name: '[home] basic files'
ansible.builtin.copy: ansible.builtin.copy:
src: "../templates/home/{{ item.name }}" src: "../templates/home/{{ item.name }}"
dest: "{{ getent_passwd[common.user_account][4] }}/{{ item.name }}" dest: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/{{ item.name }}"
mode: "{{ item.mode | default('0640') }}" mode: "{{ item.mode | default('0640') }}"
loop: loop:
- { name: ".lessfilter", mode: '0750' } - { name: ".lessfilter", mode: '0750' }

10
collections/ansible_collections/nullified/infrastructure/roles/common/tasks/shell_customization.yml
View file

@ -5,7 +5,7 @@
key: "{{ common.user_account }}" key: "{{ common.user_account }}"
split: ":" split: ":"
changed_when: false changed_when: false
when: getent_passwd is undefined or common.user_account not in getent_passwd when: ansible_facts['getent_passwd'] is undefined or common.user_account not in ansible_facts['getent_passwd']
- name: '[shell] install ZSH and dependencies' - name: '[shell] install ZSH and dependencies'
become: true become: true
@ -34,7 +34,7 @@
- name: '[fonts] adding fonts' - name: '[fonts] adding fonts'
ansible.builtin.copy: ansible.builtin.copy:
src: ../assets/fonts/ src: ../assets/fonts/
dest: "{{ getent_passwd[common.user_account][4] }}/.local/share/fonts" dest: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/.local/share/fonts"
mode: '0640' mode: '0640'
- name: '[fonts] refresh fonts cache' - name: '[fonts] refresh fonts cache'
@ -56,14 +56,14 @@
- name: '[omz] install OMZ' - name: '[omz] install OMZ'
ansible.builtin.command: ansible.builtin.command:
cmd: sh /tmp/zsh-install.sh --unattended cmd: sh /tmp/zsh-install.sh --unattended
creates: "{{ getent_passwd[common.user_account][4] }}/.oh-my-zsh" creates: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/.oh-my-zsh"
- name: '[shell] install powerlevel10k customization for OMZ' - name: '[shell] install powerlevel10k customization for OMZ'
become: true become: true
become_user: "{{ common.user_account }}" become_user: "{{ common.user_account }}"
ansible.builtin.git: ansible.builtin.git:
repo: https://github.com/romkatv/powerlevel10k.git repo: https://github.com/romkatv/powerlevel10k.git
dest: "{{ getent_passwd[common.user_account][4] }}/.oh-my-zsh/custom/themes/powerlevel10k" dest: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/.oh-my-zsh/custom/themes/powerlevel10k"
depth: 1 depth: 1
- name: '[home] copy zsh files' - name: '[home] copy zsh files'
@ -71,7 +71,7 @@
become_user: "{{ common.user_account }}" become_user: "{{ common.user_account }}"
ansible.builtin.copy: ansible.builtin.copy:
src: "../templates/home/{{ item }}" src: "../templates/home/{{ item }}"
dest: "{{ getent_passwd[common.user_account][4] }}/{{ item }}" dest: "{{ ansible_facts['getent_passwd'][common.user_account][4] }}/{{ item }}"
mode: '0640' mode: '0640'
loop: loop:
- .p10k.zsh - .p10k.zsh

2
collections/ansible_collections/nullified/infrastructure/roles/development/handlers/main.yml
View file

@ -5,4 +5,4 @@
name: docker name: docker
enabled: true enabled: true
state: restarted state: restarted
when: ansible_virtualization_type is not match("docker") when: ansible_facts['virtualization_type'] is not match("docker")

14
collections/ansible_collections/nullified/infrastructure/roles/development/tasks/main.yml
View file

@ -17,7 +17,7 @@
key: "{{ development.user_account }}" key: "{{ development.user_account }}"
split: ":" split: ":"
changed_when: false changed_when: false
when: getent_passwd is undefined or development.user_account not in getent_passwd when: ansible_facts['getent_passwd'] is undefined or development.user_account not in ansible_facts['getent_passwd']
- name: '[apt] install dependencies and tools' - name: '[apt] install dependencies and tools'
become: true become: true
@ -219,13 +219,13 @@
block: block:
- name: '[apt key] add docker key' - name: '[apt key] add docker key'
ansible.builtin.get_url: ansible.builtin.get_url:
url: "https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg" url: "https://download.docker.com/linux/{{ ansible_facts['distribution'] | lower }}/gpg"
dest: /etc/apt/trusted.gpg.d/docker.asc dest: /etc/apt/trusted.gpg.d/docker.asc
mode: '0644' mode: '0644'
- name: '[apt key] add source' - name: '[apt key] add source'
ansible.builtin.apt_repository: ansible.builtin.apt_repository:
repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable" repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/{{ ansible_facts['distribution'] | lower }} {{ ansible_facts['distribution_release'] }} stable"
state: present state: present
filename: docker filename: docker
update_cache: true update_cache: true
@ -264,7 +264,7 @@
become_user: "{{ development.user_account }}" become_user: "{{ development.user_account }}"
ansible.builtin.command: ansible.builtin.command:
cmd: "pipx install {{ item.cmd }}" cmd: "pipx install {{ item.cmd }}"
creates: "{{ getent_passwd[development.user_account][4] }}/.local/bin/{{ item.creates }}" creates: "{{ ansible_facts['getent_passwd'][development.user_account][4] }}/.local/bin/{{ item.creates }}"
loop: loop:
- { "cmd": "black", "creates": "black" } - { "cmd": "black", "creates": "black" }
- { "cmd": "flake8", "creates": "flake8" } - { "cmd": "flake8", "creates": "flake8" }
@ -275,7 +275,7 @@
ansible.builtin.command: ansible.builtin.command:
cmd: "pipx inject {{ item.venv }} {{ item.extension }}" cmd: "pipx inject {{ item.venv }} {{ item.extension }}"
creates: creates:
"{{ getent_passwd[development.user_account][4] }}/.local/pipx/venvs/{{ item.venv }}/lib/python3.11/site-packages/{{ item.creates }}" "{{ ansible_facts['getent_passwd'][development.user_account][4] }}/.local/pipx/venvs/{{ item.venv }}/lib/python3.11/site-packages/{{ item.creates }}"
loop: loop:
- venv: "flake8" - venv: "flake8"
extension: "flake8-annotations-complexity" extension: "flake8-annotations-complexity"
@ -337,7 +337,7 @@
- name: '[rust] check if rust is already installed' - name: '[rust] check if rust is already installed'
ansible.builtin.file: ansible.builtin.file:
path: "{{ getent_passwd[development.user_account][4] }}/.cargo/bin/rustc" path: "{{ ansible_facts['getent_passwd'][development.user_account][4] }}/.cargo/bin/rustc"
register: rustc_stat register: rustc_stat
changed_when: false changed_when: false
failed_when: false failed_when: false
@ -359,4 +359,4 @@
become_user: "{{ development.user_account }}" become_user: "{{ development.user_account }}"
script: script:
cmd: /tmp/rustup.sh -qy cmd: /tmp/rustup.sh -qy
creates: "{{ getent_passwd[development.user_account][4] }}/.cargo/bin/rustc" creates: "{{ ansible_facts['getent_passwd'][development.user_account][4] }}/.cargo/bin/rustc"

4
collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml
View file

@ -168,11 +168,11 @@
block: block:
- name: '[system] login.defs' - name: '[system] login.defs'
ansible.builtin.template: ansible.builtin.template:
src: '../templates/system/{{ ansible_distribution | lower }}/login.defs.j2' src: '../templates/system/{{ ansible_facts["distribution"] | lower }}/login.defs.j2'
dest: /etc/login.defs dest: /etc/login.defs
mode: '0644' mode: '0644'
- name: '[system] limits.conf' - name: '[system] limits.conf'
ansible.builtin.template: ansible.builtin.template:
src: '../templates/system/{{ ansible_distribution | lower }}/limits.conf.j2' src: '../templates/system/{{ ansible_facts["distribution"] | lower }}/limits.conf.j2'
dest: /etc/security/limits.conf dest: /etc/security/limits.conf
mode: '0644' mode: '0644'

16
collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/main.yml
View file

@ -10,12 +10,12 @@
key: "{{ workstation.user_account }}" key: "{{ workstation.user_account }}"
split: ":" split: ":"
changed_when: false changed_when: false
when: getent_passwd is undefined or workstation.user_account not in getent_passwd when: ansible_facts['getent_passwd'] is undefined or workstation.user_account not in ansible_facts['getent_passwd']
- name: '[setup] ensure expected home directories exist' - name: '[setup] ensure expected home directories exist'
become: true become: true
ansible.builtin.file: ansible.builtin.file:
path: "{{ getent_passwd[workstation.user_account][4] }}/{{ item }}" path: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/{{ item }}"
state: directory state: directory
owner: "{{ workstation.user_account }}" owner: "{{ workstation.user_account }}"
group: "{{ workstation.user_account }}" group: "{{ workstation.user_account }}"
@ -147,7 +147,7 @@
become_user: "{{ workstation.user_account }}" become_user: "{{ workstation.user_account }}"
ansible.builtin.git: ansible.builtin.git:
repo: "https://gitlab.0x2a.ninja/naeikindus/emacsd.git" repo: "https://gitlab.0x2a.ninja/naeikindus/emacsd.git"
dest: "{{ getent_passwd[workstation.user_account][4] }}/.emacs.d" dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.emacs.d"
force: false force: false
- name: '[config] set tools configuration' - name: '[config] set tools configuration'
@ -158,8 +158,8 @@
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
mode: "{{ item.mode | default('0640') }}" mode: "{{ item.mode | default('0640') }}"
loop: loop:
- { src: "../templates/.config/terminator", dest: "{{ getent_passwd[workstation.user_account][4] }}/.config" } - { src: "../templates/.config/terminator", dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.config" }
- { src: "../templates/.config/vlc", dest: "{{ getent_passwd[workstation.user_account][4] }}/.config" } - { src: "../templates/.config/vlc", dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.config" }
- name: '[authenticator] find if binary is already installed' - name: '[authenticator] find if binary is already installed'
ansible.builtin.file: ansible.builtin.file:
@ -213,7 +213,7 @@
- name: '[yubico] create shell wrapper' - name: '[yubico] create shell wrapper'
ansible.builtin.template: ansible.builtin.template:
src: ../templates/bin_wrapper.sh.j2 src: ../templates/bin_wrapper.sh.j2
dest: "{{ getent_passwd[workstation.user_account][4] }}/.local/bin/authenticator" dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.local/bin/authenticator"
mode: '0750' mode: '0750'
owner: "{{ workstation.user_account }}" owner: "{{ workstation.user_account }}"
group: "{{ workstation.user_account }}" group: "{{ workstation.user_account }}"
@ -223,14 +223,14 @@
- name: '[yubico] create desktop entry' - name: '[yubico] create desktop entry'
ansible.builtin.template: ansible.builtin.template:
src: ../templates/desktop_app.j2 src: ../templates/desktop_app.j2
dest: "{{ getent_passwd[workstation.user_account][4] }}/.local/share/applications/authenticator.desktop" dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.local/share/applications/authenticator.desktop"
mode: '0600' mode: '0600'
owner: "{{ workstation.user_account }}" owner: "{{ workstation.user_account }}"
group: "{{ workstation.user_account }}" group: "{{ workstation.user_account }}"
vars: vars:
application: application:
nodisplay: false nodisplay: false
exec_cmd: "{{ getent_passwd[workstation.user_account][4] }}/.local/bin/authenticator" exec_cmd: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.local/bin/authenticator"
name: "Authenticator" name: "Authenticator"
- include_tasks: window_manager.yml - include_tasks: window_manager.yml

8
collections/ansible_collections/nullified/infrastructure/roles/workstation/tasks/window_manager.yml
View file

@ -5,7 +5,7 @@
key: "{{ workstation.user_account }}" key: "{{ workstation.user_account }}"
split: ":" split: ":"
changed_when: false changed_when: false
when: getent_passwd is undefined or workstation.user_account not in getent_passwd when: ansible_facts['getent_passwd'] is undefined or workstation.user_account not in ansible_facts['getent_passwd']
- name: '[awesomewm] install dependencies' - name: '[awesomewm] install dependencies'
become: true become: true
@ -130,14 +130,14 @@
- name: '[awesomewm] fetch copycats base' - name: '[awesomewm] fetch copycats base'
ansible.builtin.git: ansible.builtin.git:
repo: https://github.com/lcpz/awesome-copycats.git repo: https://github.com/lcpz/awesome-copycats.git
dest: "{{ getent_passwd[workstation.user_account][4] }}/.config/awesome" dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.config/awesome"
depth: 1 depth: 1
recursive: true recursive: true
force: false force: false
- name: '[awesomewm] copy customization' - name: '[awesomewm] copy customization'
ansible.builtin.copy: ansible.builtin.copy:
src: ../templates/.config/awesome/ src: ../templates/.config/awesome/
dest: "{{ getent_passwd[workstation.user_account][4] }}/.config/awesome" dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.config/awesome"
mode: '0640' mode: '0640'
- name: '[home] copy X related configuration' - name: '[home] copy X related configuration'
@ -151,4 +151,4 @@
- name: '[x11] user .xsession' - name: '[x11] user .xsession'
ansible.builtin.copy: ansible.builtin.copy:
src: ../templates/.xsession src: ../templates/.xsession
dest: "{{ getent_passwd[workstation.user_account][4] }}/.xsession" dest: "{{ ansible_facts['getent_passwd'][workstation.user_account][4] }}/.xsession"

1
scripts/generate_ansible_config.sh
View file

@ -94,6 +94,7 @@ nocolor = 0
nocows = 0 nocows = 0
playbook_dir = ${TMPL_PLAYBOOK_DIR} playbook_dir = ${TMPL_PLAYBOOK_DIR}
remote_tmp = /tmp remote_tmp = /tmp
inject_facts_as_vars = False
[inventory] [inventory]
enable_plugins = yaml enable_plugins = yaml