From 32b9c057d6e2c5bfe737e049baadde3075f7167d Mon Sep 17 00:00:00 2001
From: Vladimir Smagin <21h@blindage.org>
Date: Fri, 2 Nov 2018 01:36:31 +0700
Subject: [PATCH] new features: control OS users, create ssh tunnels

---
 group_vars/hetzner-nodes.yml | 17 +++++++-----
 group_vars/hetzner.yml | 4 ++-
 host_vars/monitor.yml | 18 +++++++++++++
 roles/python2/tasks/main.yml | 3 +++
 roles/ssh_access/tasks/main.yml | 21 +++++++++++++++
 roles/ssh_tunnel/tasks/main.yml | 22 ++++++++++++++++
 .../templates/ssh_tunnel.service.j2 | 26 +++++++++++++++++++
 7 files changed, 104 insertions(+), 7 deletions(-)
 create mode 100644 roles/ssh_tunnel/tasks/main.yml
 create mode 100644 roles/ssh_tunnel/templates/ssh_tunnel.service.j2

diff --git a/group_vars/hetzner-nodes.yml b/group_vars/hetzner-nodes.yml
index 2605482..8dd46bb 100644
--- a/group_vars/hetzner-nodes.yml
+++ b/group_vars/hetzner-nodes.yml
@@ -3,15 +3,20 @@ access_list:
 git: { keypath: "../keys/project-git.pub", username: "root" }
- dev1: { keypath: "../keys/developer1.pub", username: "root" }
- dev2: { keypath: "../keys/developer2.pub", username: "root" }
+ dev1: { keypath: "../keys/developer1.pub", username: "developer" }
+ dev2: { keypath: "../keys/developer2.pub", username: "developer" }
+ # disable fired employer
+ dev3: { keypath: "../keys/developer3.pub", username: "developer", key_state: "absent" }
+ # remove user from OS, no managers on servers! fuck them all!
+ dumb_manager: { keypath: "../keys/manager.pub", username: "manager", state: "absent" }
-
-# use non-standart sshd config
+# Set path to sshd config
+# Default: /etc/ssh/sshd_config
 sshd_config_path: "/var/local/etc/ssh/sshd_config"
-
-# allow password auth instead of defaults
+# Here you can change sshd parameters
 # change defaults here roles/ssh_config/defaults/main.yml
 sshd_options:
+
+ # allow password auth instead of defaults
 PasswordAuthentication: "yes"
diff --git a/group_vars/hetzner.yml b/group_vars/hetzner.yml
index 34420c6..6eb96b3 100644
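Review bot: The two new disable entries use different fields — `key_state: "absent"` on dev3 and `state: "absent"` on dumb_manager — and nothing in this file says which task honours which; the ssh_access role's new user task reads only `item.value.state`, and whether `key_state` is consumed by the `Set authorized keys` task cannot be seen from this patch, as that task's body lies outside it. Suggest a comment above the list documenting the contract, e.g. `# state: absent     -> remove the OS account (user module)` and `# key_state: absent -> keep the account, remove only this public key`, so the next offboarding does not pick the wrong one. Note also that the user module with `state: absent` and no `remove: true` leaves the home directory — and any authorized_keys file in it — on disk.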
--- a/group_vars/hetzner.yml
+++ b/group_vars/hetzner.yml
@@ -1,6 +1,8 @@
 access_list:
 admin: { keypath: "../keys/admin.pub", username: "root" }
- techguy: { keypath: "../keys/techguy.pub", username: "root" }
+ # set username comment and shell
+ techguy: { keypath: "../keys/techguy.pub", username: "root", comment: "noodle", shell: "/bin/zsh" }
 interserver: { keypath: "../keys/interserver.pub", username: "root" }
+
 secret_list:
 interserver: { keypath: "../keys/interserver.pem", username: "root" }
diff --git a/host_vars/monitor.yml b/host_vars/monitor.yml
index c6d1eb6..9d90564 100644
--- a/host_vars/monitor.yml
+++ b/host_vars/monitor.yml
@@ -1,3 +1,21 @@
 access_list:
 admin: { keypath: "../keys/admin.pub", username: "root" }
 techguy: { keypath: "../keys/techguy.pub", username: "root" }
+
+# key requied by ssh tunnel
+secret_list:
+ interserver: { keypath: "../keys/interserver.pem", username: "tunneluser" }
+
+# You can get fingerprint by simple command:
+# ssh-keyscan blindage.org
+
+ssh_tunnels:
+ CLICKHOUSE8123:
+ SSH_TUNNEL_LOCAL_HOST: "127.0.0.1"
+ SSH_TUNNEL_LOCAL_PORT: 8123
+ SSH_TUNNEL_REMOTE_USER: "tunneluser"
+ SSH_TUNNEL_REMOTE_HOST: "database.myserver.ru"
+ SSH_TUNNEL_REMOTE_HOST_FINGERPRINT: "|1|yt/vdfskjgklfjlLKJLKJKJLlkjldksjfjuxzngXn5B3cxKltgMGrN2U= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyfgdfkjlkjLKJLKJLKJLKJLKJJKTUOIWPEORIOPopopiuopiuxdfyG/h9FpdfLZudbGkPdhDdXRZGKKuGl4koqki/XdT1LbQ="
+ SSH_TUNNEL_REMOTE_PORT: 8123
+ SSH_TUNNEL_KEY: "/home/tunneluser/.ssh/interserver.pem"
+
diff --git a/roles/python2/tasks/main.yml b/roles/python2/tasks/main.yml
index 1a206f4..9324173 100644
--- a/roles/python2/tasks/main.yml
+++ b/roles/python2/tasks/main.yml
@@ -5,3 +5,6 @@
 - name: Install python pip
 apt: name=python-pip state=present
+- name: Install python python-setuptools
+ apt: name=python-setuptools state=present
+
diff --git a/roles/ssh_access/tasks/main.yml b/roles/ssh_access/tasks/main.yml
index a3a63bb..0f2e429 100644
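Review bot: `comment: "noodle"` on the techguy entry is never applied, because the ssh_access role's new `Set user parameters` task (roles/ssh_access/tasks/main.yml in this patch) feeds the user module's `comment` from `item.value.text | default(omit)`, not from `item.value.comment`; either rename the field here or change the task to `comment: "{{ item.value.comment | default(omit) }}"`. The same task will also run the user module with `name: root` and `shell: /bin/zsh` for this entry, since its username is `root`, so every host in the group gets root's login shell changed — and left pointing at a missing binary wherever zsh is not installed. If that is intended, a comment saying so next to the entry would save the next reader a surprise; otherwise give techguy its own account.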
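Review bot: The fingerprint comment shows `ssh-keyscan blindage.org` while the tunnel target is `database.myserver.ru`, and the stored value is a hashed `|1|…` entry, which ssh-keyscan only emits with `-H`; a comment a maintainer can actually run would be `# ssh-keyscan -H -t ecdsa database.myserver.ru`. Separately, the key is provisioned for `tunneluser` (`secret_list` and `SSH_TUNNEL_KEY` under /home/tunneluser) while the unit in roles/ssh_tunnel/templates/ssh_tunnel.service.j2 sets no `User=` and the role seeds /root/.ssh/known_hosts, so the tunnel appears to run as root reading another account's private key. Either add `User=tunneluser` to the unit and write that user's known_hosts, or document here that root is the intended runtime identity.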
--- a/roles/ssh_access/tasks/main.yml
+++ b/roles/ssh_access/tasks/main.yml
@@ -1,4 +1,25 @@
 ---
+
+- name: Keys you want to set
+ debug:
+ msg: "{{item}}"
+ with_dict: "{{ access_list }}"
+ when: access_list != None and access_list is defined
+
+- name: Set user parameters
+ become: true
+ user:
+ name: "{{ item.value.username }}"
+ comment: "{{ item.value.text | default(omit) }}"
+ shell: "{{ item.value.shell | default(omit) }}"
+ home: "{{ item.value.home | default(omit) }}"
+ state: "{{ item.value.state | default('present') }}"
+ register: user_result
+ with_dict: "{{ access_list }}"
+ when: access_list != None and access_list is defined
+
+- debug: msg="{{user_result}}"
+
 - name: Set authorized keys
 become: true
 become_user: "{{ item.value.username }}"
diff --git a/roles/ssh_tunnel/tasks/main.yml b/roles/ssh_tunnel/tasks/main.yml
new file mode 100644
index 0000000..6f0f9c5
--- /dev/null
+++ b/roles/ssh_tunnel/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+- name: Copy ssh tunnel files
+ template:
+ src: ssh_tunnel.service.j2
+ dest: /etc/systemd/system/ssh_tunnel_{{item.key}}.service
+ with_dict: "{{ssh_tunnels}}"
+
+- name: Add remote host to known_hosts file
+ known_hosts:
+ path: /root/.ssh/known_hosts
+ key: "{{item.value.SSH_TUNNEL_REMOTE_HOST_FINGERPRINT}}"
+ name: "{{item.value.SSH_TUNNEL_REMOTE_HOST}}"
+ with_dict: "{{ssh_tunnels}}"
+
+- name: Try to start ssh tunnel
+ systemd:
+ name: "ssh_tunnel_{{item.key}}"
+ state: restarted
+ daemon_reload: yes
+ enabled: yes
+ with_dict: "{{ssh_tunnels}}"
+
diff --git a/roles/ssh_tunnel/templates/ssh_tunnel.service.j2 b/roles/ssh_tunnel/templates/ssh_tunnel.service.j2
new file mode 100644
index 0000000..8b47a34
--- /dev/null
+++ b/roles/ssh_tunnel/templates/ssh_tunnel.service.j2
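Review bot: `when: access_list != None and access_list is defined` (on both new tasks) tests definedness after the comparison; with Ansible's strict undefined variables the left operand appears to raise before `is defined` can short-circuit, so a host without `access_list` fails instead of being skipped — swap the operands, `when: access_list is defined and access_list != None`. The unnamed `- debug: msg="{{user_result}}"` and the `Keys you want to set` task print every entry and the full user-module result on each run; if they are to stay, name the second one and add `verbosity: 1` so routine runs are not flooded. The `Set authorized keys` task at the end of the hunk continues outside it.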
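Review bot: `state: restarted` in `Try to start ssh tunnel` drops every tunnel on each playbook run, including runs in which neither the unit file nor the known_hosts entry changed; use `state: started` here and restart from a handler notified by the `Copy ssh tunnel files` task (`notify: restart ssh tunnels`), keeping `daemon_reload: true` with that handler. `daemon_reload: yes` and `enabled: yes` are the YAML 1.1 truthy spellings, whereas `become: true` elsewhere in this patch uses the canonical form, so `true` would be consistent.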
@@ -0,0 +1,26 @@
+[Unit]
+Description=SSH tunnel to {{item.key}}
+Documentation=man:ssh(1)
+Wants=ssh-agent.service
+After=network.target ssh.service
+
+[Service]
+Type=simple
+
+Environment="LOCAL_ADDR={{item.value.SSH_TUNNEL_LOCAL_HOST}}"
+Environment="LOCAL_PORT={{item.value.SSH_TUNNEL_LOCAL_PORT}}"
+Environment="REMOTE_USER={{item.value.SSH_TUNNEL_REMOTE_USER}}"
+Environment="REMOTE_HOST={{item.value.SSH_TUNNEL_REMOTE_HOST}}"
+Environment="REMOTE_PORT={{item.value.SSH_TUNNEL_REMOTE_PORT}}"
+
+ExecStart=/usr/bin/ssh -t -NT -i {{item.value.SSH_TUNNEL_KEY}} \
+ -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 \
+ -L ${LOCAL_PORT}:${LOCAL_ADDR}:${REMOTE_PORT} ${REMOTE_USER}@${REMOTE_HOST}
+
+RestartSec=10
+Restart=on-success
+RestartForceExitStatus=255
+
+[Install]
+WantedBy=multi-user.target
+
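Review bot: `-t` in ExecStart is dead — the `-T` in `-NT` comes later on the command line and wins, and a Type=simple service has no tty anyway — while two options that matter for an unattended tunnel are missing: `-o BatchMode=yes`, so a passphrase or password prompt fails fast instead of hanging the unit, and `-o StrictHostKeyChecking=yes`, so the entry the role pre-seeds into known_hosts is the only host key ssh will accept. Suggested first line: `ExecStart=/usr/bin/ssh -NT -o BatchMode=yes -o StrictHostKeyChecking=yes -i {{item.value.SSH_TUNNEL_KEY}} \`. `Restart=on-success` plus `RestartForceExitStatus=255` covers ssh's usual exit statuses, but `Restart=always` expresses the same intent without depending on that list.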