# Two plays: the first bootstraps a minimal Python/SSH environment with the
# plain "linear" strategy (facts cannot be gathered yet); the second uses the
# Mitogen strategy and finishes configuring the test container image.
- name: Bootstrap containers
  hosts: all
  strategy: linear
  gather_facts: false
  roles:
    - role: bootstrap

- name: Setup containers
  hosts: all
  strategy: mitogen_free
  # Can't gather facts before here.
  gather_facts: true
  vars:
    distro: "{{ansible_distribution}}"
  roles:
    - role: package_manager
    - role: packages
    - role: sshd
    - role: sshd_container
  tasks:
    - name: Enable UTF-8 locale on Debian
      copy:
        dest: /etc/locale.gen
        content: |
          en_US.UTF-8 UTF-8
          fr_FR.UTF-8 UTF-8
        mode: u=rw,go=r
      when: ansible_pkg_mgr == 'apt'

    - name: Generate UTF-8 locale on Debian
      command:
        cmd: locale-gen
      changed_when: true
      when: ansible_pkg_mgr == 'apt'

    # Non-ASCII content exercises Unicode handling in the environment file.
    - name: Write Unicode into /etc/environment
      copy:
        dest: /etc/environment
        content: "UNICODE_SNOWMAN=\u2603\n"
        mode: u=rw,go=r

    # doas(1) policy: members of mitogen__group and root may run commands.
    - name: Install doas.conf
      copy:
        dest: /etc/doas.conf
        content: |
          permit :mitogen__group
          permit :root
        mode: u=rw,go=

    # Fixed, well-known root password: this image exists only for the test
    # suite, which needs to authenticate as root over SSH.
    - name: Set root user password and shell
      user:
        name: root
        password: "{{ 'rootpassword' | password_hash('sha256') }}"
        shell: /bin/bash

    - name: Ensure /var/run/sshd exists
      file:
        path: /var/run/sshd
        state: directory
        mode: u=rwx,go=rx

    # "creates" makes this idempotent: the key is generated only once.
    - name: Generate SSH host key
      command: ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
      args:
        creates: /etc/ssh/ssh_host_rsa_key

    - name: Ensure correct sudo group exists
      group:
        name: "{{sudo_group[distro]}}"

    # Marker file the tests check to confirm they are running inside this image.
    - name: Ensure /etc/sentinel exists
      copy:
        dest: /etc/sentinel
        content: |
          i-am-mitogen-test-docker-image
        mode: u=rw,go=r

    - name: Ensure /etc/sudoers.d exists
      file:
        state: directory
        path: /etc/sudoers.d
        mode: 'u=rwx,go='

    # Rules for the sudo/become test cases: a passwordless group, and users
    # whose target accounts require the target's password and/or a TTY.
    - name: Install test-related sudo rules
      blockinfile:
        path: /etc/sudoers
        block: |
          # https://www.toofishes.net/blog/trouble-sudoers-or-last-entry-wins/
          %mitogen__sudo_nopw ALL=(ALL:ALL) NOPASSWD:ALL
          mitogen__has_sudo_nopw ALL = (mitogen__pw_required) ALL
          mitogen__has_sudo_nopw ALL = (mitogen__require_tty_pw_required) ALL
          Defaults>mitogen__pw_required targetpw
          Defaults>mitogen__require_tty requiretty
          Defaults>mitogen__require_tty_pw_required requiretty,targetpw

    - name: Prevent permission denied errors.
      file:
        path: /etc/sudoers.d/README
        state: absent

    # The parentheses are escaped so the regexp matches the literal
    # "%wheel ALL=(ALL) ALL" line (commented or not) instead of a regex group.
    - name: Install CentOS wheel sudo rule
      lineinfile:
        path: /etc/sudoers
        regexp: '^#* *%wheel +ALL=\(ALL\) +ALL'
        line: "%wheel ALL=(ALL) ALL"
      when: ansible_os_family == 'RedHat'

    # pam_loginuid fails inside containers without audit support; make it
    # optional so SSH logins are not rejected.
    - name: Allow remote SSH root login
      lineinfile:
        path: /etc/pam.d/sshd
        regexp: '.*session.*required.*pam_loginuid.so'
        line: session optional pam_loginuid.so

    # Normally this would be removed by systemd-networkd-wait-online. If
    # present ssh works only for root. The message displayed is
    # > System is booting up. Unprivileged users are not permitted to log in
    # > yet. Please come back later. For technical details, see pam_nologin(8).
    - name: Remove login lockout
      file:
        path: /run/nologin
        state: absent

    # Debugging helper: runs Python under strace, one trace file per process.
    - name: Install convenience script for running a straced Python
      copy:
        mode: 'u+rwx,go=rx'
        dest: /usr/local/bin/pywrap
        content: |
          #!/bin/bash
          exec strace -ff -o /tmp/pywrap$$.trace python2.7 "$@"