Initial working version.

a02626ce · e0d · 276cd811 · a02626ce · a02626ce · a02626ce
Commit a02626ce authored Oct 05, 2013 by e0d
5 changed files
--- a/playbooks/roles/automated/defaults/main.yml
+++ b/playbooks/roles/automated/defaults/main.yml
+---
+#
+# edX Configuration
+#
+# github:     https://github.com/edx/configuration
+# wiki:       https://github.com/edx/configuration/wiki
+# code style: https://github.com/edx/configuration/wiki/Ansible-Coding-Conventions
+# license:    https://github.com/edx/configuration/blob/master/LICENSE.TXT
+#
+##
+# Vars for role automated
+# 
+#
+# vars are namespace with the module name.
+#
+automated_role_name: automated
+automated_user: "automator"
+automated_home: "/home/automator"
+automated_rbash_links: !!null
+#
+# OS packages
+#
+automated_debian_pkgs: []
+automated_redhat_pkgs: []
--- a/playbooks/roles/automated/files/home/automator/.bashrc
+++ b/playbooks/roles/automated/files/home/automator/.bashrc
+PATH=${HOME}/bin
--- a/playbooks/roles/automated/files/home/automator/.profile
+++ b/playbooks/roles/automated/files/home/automator/.profile
+. .bashrc
--- a/playbooks/roles/automated/files/home/automator/.ssh/authorized_keys
+++ b/playbooks/roles/automated/files/home/automator/.ssh/authorized_keys
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6noLNy7YVFNK6OSOFgPbnGGovgZqLsvJxjhs82jT7tZIsYOjVVCAMk0kkSnBt0etDjGSJlJ664r1aBhubZrujzxns0oOzA7J+tWQ3CiaOBLtOSffeh8a3dTWWNPCAGg9KflPaufXdd31Bf96g9ACGZR7uLYgWUP/J0jOPMCPE1RBfRNFeZ7cHlh3t/pI+JzTcyZTka4AAEsCejBKHngYxVoOk+gfxe+Qo703st0MFuoxVAMymeBGi/1lCwKsV6r9BijzuvIFyQCl2vThjoF32yHmmP8by//hmgpo5UNqG7jbmSrCJhkdh+My3SgEebn5c2QLJepOrUfrZFwz1BQ1l task@edx.org
\ No newline at end of file
--- a/playbooks/roles/automated/tasks/main.yml
+++ b/playbooks/roles/automated/tasks/main.yml
+---
+#
+# edX Configuration
+#
+# github:     https://github.com/edx/configuration
+# wiki:       https://github.com/edx/configuration/wiki
+# code style: https://github.com/edx/configuration/wiki/Ansible-Coding-Conventions
+# license:    https://github.com/edx/configuration/blob/master/LICENSE.TXT
+#
+# Tasks for role automated
+# 
+# Overview:
+#
+# This role is included as a dependency by other roles which provide
+# automated jobs.  Automation occurs over ssh.  The automator user
+# is assigned to a managed rbash shell and is, potentially, allowed to run
+# explicitly listed commands via sudo.  Both the commands that are
+# allowed via rbash and the sudoers file are provided by the
+# including role.
+#
+# Dependencies:
+#
+# This role depends upon variables provided by the including roles
+# via the role/meta/main.yml.  Includes take the following form.
+#
+#  dependencies:
+#  - {
+#  role: automated,
+#  automated_rbash_links: $as_automated_rbash_links,
+#  automated_sudoers_file: 'roles/analytics-server/files/etc/sudoers.d/99-automator-analytics-server'
+#  }
+#
+# The sudoers file is optional.  Note that for sudo to work it must be
+# included in the rbash links list.
+#
+# That list should be provided via role defaults
+#
+# role_automated_rbash_links:
+#   - /usr/bin/sudo
+#   - /usr/bin/scp
+#
+- fail: automated_rbash_links required for role
+  when: automated_rbash_links is not defined
+- name: automated | create task user
+  user: 
+    name={{ automated_user }} state=present shell=/bin/rbash 
+    home={{ automated_home }} createhome=yes
+  tags:
+  - automated
+  - install
+  - update
+- name: automated | create sudoers file
+  copy:
+    dest=/etc/sudoers.d/{{ automated_sudoers_file.split('/').pop() }}
+    src={{ automated_sudoers_file }} owner=root
+    group=root mode=0440
+  when: automated_sudoers_file is defined
+  tags:
+  - automated
+  - install
+  - update
+- name: automated | update shell file mode
+  shell: chmod 640 .bash* .profile
+  tags:
+  - automated
+  - install
+  - update
+- name: automated | update shell file ownership
+  shell: chown root.{{ automated_user }} {{ automated_home }}/.bash* {{ automated_home }}/.profile
+  tags:
+  - automated
+  - install
+  - update
+- name: automated | change ~automated ownership
+  file: 
+    path={{ automated_home }} mode=0750 state=directory 
+    owner="root" group={{ automated_user }}
+  tags:
+  - automated
+  - install
+  - update
+  #
+  # This ensures that the links are updated with each run
+  # and that links that were remove from the role are
+  # removed.
+  #
+- name: automated | remove ~automated/bin directory
+  file: 
+    path={{ automated_home }}/bin state=absent
+  ignore_errors: yes
+  tags:
+  - automated
+  - install
+  - update
+- name: automated | create ~automated/bin directory
+  file: 
+    path={{ automated_home }}/bin state=directory mode=0750 
+    owner="root" group={{ automated_user }}
+  tags:
+  - automated
+  - install
+  - update
+- name: automated | re-write .profile
+  copy:
+    src=home/automator/.profile 
+    dest={{ automated_home }}/.profile 
+    owner="root" 
+    group={{ automated_user }}
+    mode="0744"
+  tags:
+  - automated
+  - install
+  - update
+- name: automated | re-write .bashrc
+  copy:
+    src=home/automator/.bashrc
+    dest={{ automated_home }}/.bashrc 
+    owner="root" 
+    group={{ automated_user }}
+    mode="0744"
+  tags:
+  - automated
+  - install
+  - update
+- name: automated | create .ssh directory
+  file: 
+    path={{ automated_home }}/.ssh state=directory mode=0700 
+    owner={{ automated_user }} group={{ automated_user }}
+  tags:
+  - automated
+  - install
+  - update
+- name: automated | copy key to .ssh/authorized_keys
+  copy: 
+    src=home/automator/.ssh/authorized_keys
+    dest={{ automated_home }}/.ssh/authorized_keys mode=0600 
+    owner={{ automated_user }} group={{ automated_user }}
+  tags:
+  - automated
+  - install
+  - update
+- name: automated | create allowed command links
+  file:
+    src={{ item }} dest={{ automated_home }}/bin/{{ item.split('/').pop() }}
+    state=link
+  with_items: automated_rbash_links
+  tags:
+  - automated
+  - install
+  - update  
\ No newline at end of file