ENH: prepare PLC for pmpsdb_client #19

Merged (1 commit), Mar 26, 2024
4 changes: 4 additions & 0 deletions group_vars/tcbsd_plcs/vars.yml
@@ -16,6 +16,10 @@ use_psntp: true
dynamic_ams: true
# tc_ams_net_id: 0.0.0.0.1.1

# Extra user for non-admin activities
create_user: true
create_username: ecs-user

# set static IP on x000 (mac id 2)
x000_set_static_ip: true
x000_static_ip: 192.168.1.10
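Review bot: `create_user: true` / `create_username: ecs-user` here is a group-wide default for every tcbsd_plcs host, and the playbook hunk in this same PR also enables sshd password authentication, so every PLC in the group ends up with a password-capable SSH account named ecs-user. Consider whether this should be a per-host opt-in instead (the host_vars hunks already carry it as a commented template), and add a comment here that the account has no usable password until `doas passwd` is run by hand, as the playbook comment states.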
4 changes: 4 additions & 0 deletions group_vars/tcbsd_vms/vars.yml
@@ -16,6 +16,10 @@ use_psntp: false
# Static AMS net id = set AMS net id to the value of tc_ams_net_id
dynamic_ams: false

# Extra user for non-admin activities
create_user: false
# create_username:

# set static IP on x000 (mac id 2)
x000_set_static_ip: false
x000_static_ip: 192.168.1.10
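Review bot: `create_username` is left commented out here while `create_user: false`, but the playbook task in this PR renders `name: "{{ create_username }}"` unconditionally (with `state: absent` when `create_user` is false), so on tcbsd_vms hosts the play will abort with an undefined-variable error. Either define the name here as well (`create_username: ecs-user` is harmless with state absent) or guard the task with `when: create_username is defined`.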
4 changes: 4 additions & 0 deletions host_vars/plc-tmo-tmp-vac/vars.yml
@@ -19,6 +19,10 @@ ansible_host: plc-tmo-tmp-vac
#dynamic_ams: true
## tc_ams_net_id: 0.0.0.0.1.1
#
## Extra user for non-admin activities
#create_user: true
#create_username: ecs-user
#
## set static IP on x000 (mac id 2)
#x000_set_static_ip: true
#x000_static_ip: 192.168.1.10
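Review bot: the commented `#create_user: true` / `#create_username: ecs-user` lines repeat the tcbsd_plcs group default rather than documenting a per-host override, so someone uncommenting them to opt a host out would just re-assert the default; a one-line comment noting that `create_user: false` is the override would make the intent of this template block clear. The same applies to the identical hunks in plc-tst-bsd1 and plc-tst-bsd2.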
4 changes: 4 additions & 0 deletions host_vars/plc-tst-bsd1/vars.yml
@@ -19,6 +19,10 @@ ansible_host: plc-tst-bsd1
#dynamic_ams: true
## tc_ams_net_id: 0.0.0.0.1.1
#
## Extra user for non-admin activities
#create_user: true
#create_username: ecs-user
#
## set static IP on x000 (mac id 2)
#x000_set_static_ip: true
#x000_static_ip: 192.168.1.10
4 changes: 4 additions & 0 deletions host_vars/plc-tst-bsd2/vars.yml
@@ -19,6 +19,10 @@ ansible_host: plc-tst-bsd2
#dynamic_ams: true
## tc_ams_net_id: 0.0.0.0.1.1
#
## Extra user for non-admin activities
#create_user: true
#create_username: ecs-user
#
## set static IP on x000 (mac id 2)
#x000_set_static_ip: true
#x000_static_ip: 192.168.1.10
29 changes: 29 additions & 0 deletions tcbsd-provision-playbook.yaml
@@ -340,3 +340,32 @@
when: static_ip_x001_set.changed or dhcp_x001_set.changed
ansible.builtin.wait_for_connection:
delay: 2

# Useful for apps that need PLC access but not Admin-level config change access
# We need to manually set the password ourselves later via "doas passwd username"
- name: Create or Remove non-admin User
ansible.builtin.user:
name: "{{ create_username }}"
state: "{{ create_user | ternary('present', 'absent') }}"
shell: /usr/local/bin/bash'

# By default, only pubkey and keyboard interactive are enabled
# Password access is useful for apps like pmpsdb_client
- name: Configure sshd for password access
register: sshd_configure
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
line: "PasswordAuthentication yes"
insertafter: "^#PasswordAuthentication"
I guess the caret here is on purpose? @ZLLentz

@ZLLentz (Member, Author) Mar 25, 2024
This field is actually a regex, and the ^ indicates the start of a line.
So, ansible reads this as "find a line that starts with #PasswordAuthentication, then put PasswordAuthentication yes on the next line if it isn't already there."

The context is that the sshd config file looks like this, with all default values included as comments, and I wanted to put this new config line in a reasonable/known place instead of just at the end of the file.

<snip>
# Change to yes to enable built-in password authentication.
# Note that passwords may also be accepted via KbdInteractiveAuthentication.
#PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#KbdInteractiveAuthentication yes
<snip>

And then, after ansible runs here:

<snip>
# Change to yes to enable built-in password authentication.
# Note that passwords may also be accepted via KbdInteractiveAuthentication.
#PasswordAuthentication no
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#KbdInteractiveAuthentication yes
<snip>

When doing this interactively you'd usually uncomment the line and change "no" to "yes", but doing it like I've done here is simpler for the script and is easier to revert.


- name: Reload sshd
when: sshd_configure.changed
ansible.builtin.service:
name: sshd
enabled: yes
state: reloaded

- name: Verify ssh still works
when: sshd_configure.changed
ansible.builtin.wait_for_connection:
delay: 2
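Review bot: `shell: /usr/local/bin/bash'` has a stray trailing single quote, so the user is created with the literal shell path `/usr/local/bin/bash'`, which does not exist; it should read `shell: /usr/local/bin/bash`. Two further points in this hunk: the user task renders `{{ create_username }}` even when `create_user` is false, and the tcbsd_vms group leaves that variable commented out, so the play fails there unless the task gets `when: create_username is defined` or a default value. And `PasswordAuthentication yes` inserted into the global section enables password logins for every account on the PLC, not only the new non-admin user; putting it in a `Match User {{ create_username }}` block keeps the admin account on key-only authentication, and the closing `Verify ssh still works` task only proves the control connection survived the reload, not that password access is limited to the intended account.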
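The thread above shows sshd_config before and after the lineinfile edit. As an added check (not code from the PR or the repository), this Python script applies sshd's own evaluation rules, that the first uncommented value of a keyword wins and that lines after a `Match` header are not global, so a reviewer can confirm the appended line actually takes effect; the sample configs are constructed from the snippets quoted in the thread.

```python
"""Report the value sshd would use for a keyword in a given sshd_config text.

Added example, not part of the pull request. Two sshd_config rules matter for
the lineinfile edit discussed in the PR: for each keyword the FIRST uncommented
occurrence is used, and directives after a 'Match' line apply only inside that
block. The sample configs are constructed from the snippets in the thread.
"""
import re
from typing import Optional


def effective_option(config: str, keyword: str) -> Optional[str]:
    """Return the global (pre-Match) value sshd would use for keyword, or None."""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments and blank lines are ignored
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()            # keywords are case-insensitive
        if key == "match":
            break                         # everything after this is conditional
        if key == keyword.lower() and len(parts) == 2:
            return parts[1].strip()       # first occurrence wins; later ones are ignored
    return None


BEFORE = """\
# Change to yes to enable built-in password authentication.
#PasswordAuthentication no
#PermitEmptyPasswords no
"""

AFTER = """\
# Change to yes to enable built-in password authentication.
#PasswordAuthentication no
PasswordAuthentication yes
#PermitEmptyPasswords no
"""

# Constructed: a host where an admin had already set the directive explicitly
# above the comment block. The line appended after the comment does NOT flip it.
HARDENED_THEN_APPENDED = "PasswordAuthentication no\n" + AFTER

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER),
                      ("hardened", HARDENED_THEN_APPENDED)):
        print(name, effective_option(cfg, "PasswordAuthentication"))
```

Run it against a copied sshd_config after the play to verify the directive lands where sshd will read it, and not only that the text is present.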