wip

27de59bf · e0d · d8d74e56 · 27de59bf · 27de59bf · 27de59bf
Commit 27de59bf authored Jan 29, 2014 by e0d
Showing with 24 additions and 54 deletions

playbooks/roles/automated/tasks/main.yml
+8 -54

playbooks/roles/edxapp/defaults/main.yml
+7 -0

playbooks/roles/edxapp/meta/main.yml
+4 -0

playbooks/roles/edxapp/templates/etc/sudoers.d/99-automator-edxapp-server.j2
+5 -0

No files found.
--- a/playbooks/roles/automated/tasks/main.yml
+++ b/playbooks/roles/automated/tasks/main.yml
@@ -61,10 +61,6 @@
  user: 
    name={{ automated_user }} state=present shell=/bin/rbash 
    home={{ automated_home }} createhome=yes
-  tags:
-  - automated
-  - install
-  - update

 - name: create sudoers file from file
  copy:
@@ -72,10 +68,6 @@
    src={{ automated_sudoers_file }} owner="root"
    group="root" mode=0440 validate='visudo -cf %s'
  when: automated_sudoers_file
-  tags:
-  - automated
-  - install
-  - update

 - name: create sudoers file from template
  template:
@@ -83,10 +75,6 @@
    src={{ automated_sudoers_template }} owner="root"
    group="root" mode=0440 validate='visudo -cf %s'
  when: automated_sudoers_template
-  tags:
-  - automated
-  - install
-  - update

  #
  # Prevent user from updating their PATH and
@@ -96,10 +84,6 @@
  file:
    path={{ automated_home }}/{{ item }} mode=0640
    state=file owner="root" group={{ automated_user }}
-  tags:
-  - automated
-  - install
-  - update
  with_items:
    - .bashrc
    - .profile
@@ -109,10 +93,6 @@
  file: 
    path={{ automated_home }} mode=0750 state=directory 
    owner="root" group={{ automated_user }}
-  tags:
-  - automated
-  - install
-  - update

  #
  # This ensures that the links are updated with each run
@@ -123,19 +103,11 @@
  file: 
    path={{ automated_home }}/bin state=absent
  ignore_errors: yes
-  tags:
-  - automated
-  - install
-  - update
  
 - name: create ~automated/bin directory
  file: 
    path={{ automated_home }}/bin state=directory mode=0750 
    owner="root" group={{ automated_user }}
-  tags:
-  - automated
-  - install
-  - update
  
 - name: re-write .profile
  copy:
@@ -144,10 +116,6 @@
    owner="root" 
    group={{ automated_user }}
    mode="0744"
-  tags:
-  - automated
-  - install
-  - update
  
 - name: re-write .bashrc
  copy:
@@ -156,36 +124,21 @@
    owner="root" 
    group={{ automated_user }}
    mode="0744"
-  tags:
-  - automated
-  - install
-  - update
  
 - name: create .ssh directory
  file: 
    path={{ automated_home }}/.ssh state=directory mode=0700 
    owner={{ automated_user }} group={{ automated_user }}
-  tags:
-  - automated
-  - install
-  - update
-  
- name: copy key to .ssh/authorized_keys
-  copy: 
-    src=home/automator/.ssh/authorized_keys
+
+- name: add authorized_keys
+  lineinfile:
+    line="{{ item }}" state=present
    dest={{ automated_home }}/.ssh/authorized_keys mode=0600 
    owner={{ automated_user }} group={{ automated_user }}
-  tags:
-  - automated
-  - install
-  - update
-
+  with_items: EDXAPP_AUTOMATOR_AUTHORIZED_KEYS
+    
 - name: create allowed command links
  file:
    src={{ item }} dest={{ automated_home }}/bin/{{ item.split('/').pop() }}
    state=link
-  with_items: automated_rbash_links
-  tags:
-  - automated
-  - install
-  - update  
+  with_items: automated_rbash_links
\ No newline at end of file
--- a/playbooks/roles/edxapp/defaults/main.yml
+++ b/playbooks/roles/edxapp/defaults/main.yml
@@ -123,6 +123,10 @@ EDXAPP_PYTHON_SANDBOX: false
 # it puts the sandbox in 'complain' mode, for reporting but not enforcement
 EDXAPP_SANDBOX_ENFORCE: true

+# Supply authorized keys used for remote management via the automated
+# role, see meta/main.yml.  Ensure you know what this does before
+# enabling.
+EDXAPP_AUTOMATOR_AUTHORIZED_KEYS: []

 #-------- Everything below this line is internal to the role ------------

@@ -497,3 +501,5 @@ edxapp_cms_variant: cms
 # Worker Settings
 worker_django_settings_module: 'aws'

+edxapp_automated_rbash_links:
+  - /usr/bin/sudo
\ No newline at end of file
--- a/playbooks/roles/edxapp/meta/main.yml
+++ b/playbooks/roles/edxapp/meta/main.yml
@@ -6,3 +6,7 @@ dependencies:
    rbenv_dir: "{{ edxapp_app_dir }}"
    rbenv_ruby_version: "{{ edxapp_ruby_version }}"
  - devpi
+  - role: automated
+    automated_rbash_links: "{{ edxapp_automated_rbash_links }}"
+    automated_sudoers_dest: '99-automator-edxapp'
+    automated_sudoers_template: 'roles/edxapp/templates/etc/sudoers.d/99-automator-edxapp.j2'
--- a/playbooks/roles/edxapp/templates/etc/sudoers.d/99-automator-edxapp-server.j2
+++ b/playbooks/roles/edxapp/templates/etc/sudoers.d/99-automator-edxapp-server.j2
+automator	ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	migrate *
+automator	ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	seed_permissions_roles *
+automator	ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	set_staff *
+automator	ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	transfer_students *
\ No newline at end of file