add limited user 'cd' able only to run 'rundeploy' (#1)

Reviewed-on: #1
2022-10-22 11:35:48 +00:00 · 2022-10-22 11:35:48 +00:00 · d23fa03719
parent e195228bdc
commit d23fa03719
2 changed files with 14 additions and 0 deletions
--- a/ansible/inventory/group_vars/debops_all_hosts/sshd.yml
+++ b/ansible/inventory/group_vars/debops_all_hosts/sshd.yml
@ -0,0 +1,6 @@
+---
+sshd__match_list:
+  - match: 'User cd'
+    options: |
+      ForceCommand rundeploy
+
--- a/ansible/inventory/group_vars/debops_all_hosts/system_users.yml
+++ b/ansible/inventory/group_vars/debops_all_hosts/system_users.yml
@ -8,6 +8,13 @@ system_users__accounts:
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDHg8MUtkmTJ/klyDK3hqCHm8TTSOMqvtxuXaS/+EQRcTb9BaAajcpMDdpsPx9YHt04x4jsQiOdwV/gi0RRxdEf3lD9jjrGeTeb1gFjLeyttDu6zD0LrTa73Ly//ccN+TnFSnwSgJ+0eSzYJAQu3qIqTyKyBaWGMq1iNwlBQ42PnKSYvnz70qU25zCgVfgUohdeSawNYxYPdvKj4jA4NlVLcZScwk7cOTHZ0bBq2D2ksUsmNmPDKLI55xxKbgBT/7q4T2IKBZixKVA8B1meYDSZ/lUzDy+BlQU+EWjSiue62g/W4KnUBeea+0L91E3YLw0m8LPV/I8EvDnQWj24EyZtCneFxz3EuNyPudr61j0Ec95qFY//nH+HtTqxxa1GO02dtFstGWIvKHaMrU4vEYNpfkSDYHEhinAvT+2yJnj02TT4zEe/2S1u3ESh8y8Q+s2w0uiy0lYcslYrLtTLJhdp+7FTefd0P8v1xXlKTGRmxhsrWMg+VqZ78W3T2ncnNlKvvpOsTHaUNYu4nLCgPVdsc9ZcA7SnNXwfJf/M+h/9mi6/SuKQftwUdUbdTScCnftYrsF93/0bMcCVCZes1O/uCTDNJQEN1acNwie6kdXtAelwHip3d4xdgQgHOpxwvibZsQP5EqLJZOolD2rFzBkDoeo4vEjlFwYdZu4QtNAmaQ=='
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1Z5/y24+GbZITmmjfrqLujsJnS+B1YgQB4GYj+aut/WvoCt51kZ0nmNDv9c23OOQvTm7XPt+tCJm1GA+Fa1X/UurImMn0aZwB7pGg8qRvJFtYYqQOoxkUtMs4IXrhiGwTKWKgXr4q+MZxqv5otf3uHszVGqT+VNeGpmJfwZV7CdT/vWXKKuO3CIgHypg0StgUZ4O8kEFDDGu/M+bBDMeStm8AeA2LpOBCP9IP75zvGgNrI0mTPJa/Wlx/GO1Nf4DWxZSZh5Wk+77QF0YSl4jT49A3g/D3187/EJafFukaeHMziMG+gz5ZRZOCs4HnA7a5A0CpfGindrJQmQyp+GugTlxA6NVmrqFOlr9KXfB6ZFPWqTmQKYR4F0IyP3OoLM1e8n/2yuXFeOPuvHXOSbDKkerjcjyRxDN1gdG8X8XNTy1/V51+OkVgMFNoDVc9Q9kZXdWL98IC1BavDArnQUyE3Zc+Ip2j66bM1c+zLNdyTpATlp1zhkkYw1K79i1ZNYqw9EoW4O6bciC/DFxZeKDEw73fCR7S1zAxT4IBbiCQ2dj1Wx44EjxbF0baiw679SlfxEkkZBplcRHeBeIrmQ5gaIceNu6RdR14wSqYhcPAQtz6hSpoGowEKvtHHrEqw4F+tNQ3nOMDkCw8my/9c4jl/loM69knuGBmk11ffNZFKQ=='

+  # a user with the minimum rights needed to deploy
+  - name: 'deploy'
+    admin: False
+    shell: '/bin/rbash'
+    sshkeys:
+      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAklUXMRpOED6XlZg97a66P7HqYANkjvWfIL3/+w7AiV'
+
  - name: 'arjan'
    admin: True
    sshkeys:
@ -36,3 +43,4 @@ system_users__accounts:
 system_users__default_shell: '/bin/bash'

 system_users__self_name: 'ansible-admin'
+