Feature #79 sudo users

CHANGELOG.md

@@ -9,6 +9,7 @@ This project makes use of the [Sementic Versioning](http://semver.org/)
 - Backup compression using GZip
 - Added ruby 2.1.3 to the ruby binary list
 - test-kitchen to automatically test the cookbooks and resulting server setup
+- Sysadmins recipe which allows you to provide sysadmin users in the node configuration.
 
 ### Deprecated
 - Nothing
@@ -21,6 +22,8 @@ This project makes use of the [Sementic Versioning](http://semver.org/)
 
 ### Misc
 - Upgraded the chef-repo ruby version to 2.1.2
+- Sudo recipe configuration changed to match Ubuntu's default sudo
+  behaviour more closely.
 
 ## 2.1.0 - 2014-08-18
 

Cheffile

@@ -17,3 +17,4 @@ cookbook "packages", path: "vendor/cookbooks/packages"
 cookbook "rails", path: "vendor/cookbooks/rails"
 cookbook "ssh_deploy_keys", path: "vendor/cookbooks/ssh_deploy_keys"
 cookbook "backups", path: "vendor/cookbooks/backups"
+cookbook "sysadmins", path: "vendor/cookbooks/sysadmins"

Cheffile.lock

@@ -91,6 +91,11 @@ PATH
   specs:
     ssh_deploy_keys (0.1.0)
 
+PATH
+  remote: vendor/cookbooks/sysadmins
+  specs:
+    sysadmins (0.1.0)
+
 DEPENDENCIES
   apt (~> 2.5.2)
   backups (>= 0)
@@ -104,4 +109,5 @@ DEPENDENCIES
   ruby_build (~> 0.8.0)
   ssh_deploy_keys (>= 0)
   sudo (~> 2.7.0)
+  sysadmins (>= 0)
 

Vagrantfile

@@ -76,6 +76,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   json_payload = {
     "authorization" => {
       "sudo" => {
+        "passwordless" => true,
         "users" => ["vagrant"]
       }
     },

nodes/sample_host.json

@@ -6,6 +6,15 @@
     "server_repl_password": "<enter a random password>"
   },
   "packages": ["<option list of system wide packages>"],
+  "sysadmins": {
+    "<username>":
+      "password": "<hashed password: openssl passwd -1 'plaintextpassword'>",
+      "ssh_keys": [
+        "ssh-rsa AAA123...xyz== foo",
+        "ssh-rsa AAA456...uvw== bar"
+      ]
+    }
+  }
   "ssh_deploy_keys": [
     "<enter the contents of an id_rsa.pub here>"
   ],

roles/sysadmins.rb

@@ -0,0 +1,23 @@
+name "sysadmins"
+description "This role configures sysadmins, users with sudo-rights on your server"
+run_list(
+  "role[base]",
+  "recipe[packages]",
+  "recipe[sysadmins]",
+  "recipe[sudo]"
+)
+# Configure the sudo recipe so it mirrors Ubuntu's default behaviour
+default_attributes(
+  "authorization" => {
+    "sudo" => {
+      "groups" => ["admin"],
+      "passwordless" => false,
+      "include_sudoers_d" => true,
+      "sudoers_default" => [
+        "env_reset",
+        "mail_badpass",
+        "secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
+      ],
+    }
+  }
+)

vendor/cookbooks/sysadmins/CHANGELOG.md

@@ -0,0 +1,8 @@
+sysadmins CHANGELOG
+===================
+
+This file is used to list changes made in each version of the sysadmins cookbook.
+
+0.1.0
+-----
+- [Bèr Kessels] - Initial release of sysadmins

vendor/cookbooks/sysadmins/README.md

@@ -0,0 +1,46 @@
+sysadmins Cookbook
+==================
+
+Creates sysadmin accounts: accounts that can access the server over SSH.
+
+Attributes
+----------
+
+#### sysadmins::default
+<table>
+  <tr>
+    <th>Key</th>
+    <th>Type</th>
+    <th>Description</th>
+    <th>Default</th>
+  </tr>
+  <tr>
+    <td><tt>['sysadmins']</tt></td>
+    <td>Hash</td>
+    <td>key: username</td>
+    <td><tt>empty, won't create sysadmins</tt></td>
+  </tr>
+</table>
+
+Usage
+-----
+
+Add sysadmins to your node configuration:
+
+```@json
+{
+"sysadmins": {
+  "bofh": {
+    "password": "$1$d...HgH0",
+    "ssh_keys": [
+      "ssh-rsa AAA123...xyz== foo",
+      "ssh-rsa AAA456...uvw== bar"
+    ]
+  }
+}
+```
+
+* Create a hashed password with `openssl passwd -1 'plaintextpassword'`.
+  This password is needed for running `sudo`.
+* SSH-keys should be the **public** key. You can leave them out, in
+  which case you have to log in with the password.

vendor/cookbooks/sysadmins/attributes/default.rb

@@ -0,0 +1 @@
+default["sysadmins"] = []

vendor/cookbooks/sysadmins/metadata.rb

@@ -0,0 +1,7 @@
+name "sysadmins"
+maintainer "Bèr `berkes` Kessels"
+maintainer_email "ber@berk.es"
+license "MIT"
+description "Creates sysadmin user accounts"
+long_description IO.read(File.join(File.dirname(__FILE__), "README.md"))
+version "0.1.2"

vendor/cookbooks/sysadmins/recipes/default.rb

@@ -0,0 +1,55 @@
+#
+# Cookbook Name:: sysadmins
+# Recipe:: default
+#
+# Copyright 2014, Bèr `berkes` Kessels
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+node[:sysadmins].each do |username, user|
+  home_dir = "/home/#{username}"
+  # Create a user
+  user username do
+    home home_dir
+    password user["password"] if user["password"]
+
+    shell "/bin/bash"
+    manage_home true
+    action :create
+  end
+
+  # Add ssh-keys to authorized_keys
+  # Always create the file and dir, even if user did not provide
+  # ssh-keys
+  directory "#{home_dir}/.ssh" do
+    owner username
+    group username
+    mode "0700"
+  end
+  if user["ssh_keys"]
+    template "#{home_dir}/.ssh/authorized_keys" do
+      source "authorized_keys.erb"
+      owner username
+      group username
+      mode "0600"
+      variables ssh_keys: user["ssh_keys"]
+    end
+  end
+
+end
+
+# Add users to the sysadmin group. This is the group used by
+# the sudo cookbook to grant users sudo-access.
+group "admin" do
+  members node[:sysadmins].keys
+end

vendor/cookbooks/sysadmins/templates/default/authorized_keys.erb

@@ -0,0 +1,6 @@
+# Generated by Chef for <%= node["fqdn"] %>
+# Local modifications will be overwritten.
+# Created by sysadmins cookbook
+<% Array(@ssh_keys).each do |key| %>
+<%= key %>
+<% end -%>