Add support for Ubuntu containers and WSL verification
- Implemented tasks for managing Ubuntu containers using Podman, including inspection, creation, starting, and SSH setup. - Added verification tasks for WSL and Podman installation, machine existence, and NSSM service status. - Created PowerShell scripts for Podman auto-start on Windows boot. - Introduced Prometheus role with default configurations and installation tasks. - Updated Windows SSH role to improve authorized_keys management and permissions handling. - Modified inventory to include Windows containers host. - Updated Grafana datasource configurations with direct IP addresses for Prometheus instances.
This commit is contained in:
@@ -8,4 +8,4 @@ galaxy_info:
|
||||
license: MIT
|
||||
min_ansible_version: "2.1"
|
||||
platforms:
|
||||
- name: windows
|
||||
- name: Windows
|
||||
|
||||
@@ -69,12 +69,14 @@
|
||||
changed_when: false
|
||||
|
||||
- name: Install OpenSSH Server capability when not installed
|
||||
become: true
|
||||
become_method: ansible.builtin.runas
|
||||
become_user: "NT AUTHORITY\\SYSTEM"
|
||||
ansible.windows.win_shell: |
|
||||
$cap = Get-WindowsCapability -Online | Where-Object { $_.Name -like 'OpenSSH.Server*' } | Select-Object -First 1
|
||||
if (-not $cap) {
|
||||
throw 'OpenSSH.Server capability not found on this host.'
|
||||
}
|
||||
|
||||
Add-WindowsCapability -Online -Name $cap.Name
|
||||
args:
|
||||
executable: powershell.exe
|
||||
@@ -149,8 +151,10 @@
|
||||
if ($keys -and $keys.Count -gt 0) {
|
||||
foreach ($k in $keys) {
|
||||
$before = (Get-Acl -Path $k.FullName).Sddl
|
||||
icacls.exe $k.FullName /inheritance:r
|
||||
icacls.exe $k.FullName /grant:r "S-1-5-18:(F)"
|
||||
icacls.exe $k.FullName /inheritance:r | Out-Null
|
||||
if ($LASTEXITCODE -ne 0) { throw "icacls failed to disable inheritance on $($k.FullName)" }
|
||||
icacls.exe $k.FullName /grant:r "*S-1-5-18:(F)" | Out-Null
|
||||
if ($LASTEXITCODE -ne 0) { throw "icacls failed to grant SYSTEM on $($k.FullName)" }
|
||||
if ($removePrincipal -and $removePrincipal -notmatch '^(?i:NT AUTHORITY\\SYSTEM|SYSTEM)$') {
|
||||
icacls.exe $k.FullName /remove "$removePrincipal" 2>$null
|
||||
}
|
||||
@@ -181,8 +185,10 @@
|
||||
if (Test-Path $p) {
|
||||
$before = (Get-Acl -Path $p).Sddl
|
||||
icacls.exe $p /inheritance:r | Out-Null
|
||||
icacls.exe $p /grant:r "S-1-5-18:(OI)(CI)(F)" "S-1-5-32-544:(OI)(CI)(F)" | Out-Null
|
||||
icacls.exe $p /remove "S-1-5-32-545" 2>$null
|
||||
if ($LASTEXITCODE -ne 0) { throw "icacls failed to disable inheritance on $p" }
|
||||
icacls.exe $p /grant:r "*S-1-5-18:(OI)(CI)(F)" "*S-1-5-32-544:(OI)(CI)(F)" | Out-Null
|
||||
if ($LASTEXITCODE -ne 0) { throw "icacls failed to grant SYSTEM/Administrators on $p" }
|
||||
icacls.exe $p /remove "*S-1-5-32-545" 2>$null
|
||||
$after = (Get-Acl -Path $p).Sddl
|
||||
if ($before -ne $after) {
|
||||
Write-Output 'ssh-dir-acl-changed'
|
||||
@@ -289,10 +295,34 @@
|
||||
become_user: "NT AUTHORITY\\SYSTEM"
|
||||
|
||||
- name: Deploy authorized_keys for each user
|
||||
ansible.windows.win_copy:
|
||||
dest: "C:\\Users\\{{ item.name }}\\.ssh\\authorized_keys"
|
||||
content: "{{ (item['keys'] | default([])) | join('\r\n') }}\r\n"
|
||||
force: true
|
||||
ansible.windows.win_shell: |
|
||||
$path = "C:\Users\{{ item.name }}\.ssh\authorized_keys"
|
||||
$json = @'
|
||||
{{ (item['keys'] | default([])) | to_json }}
|
||||
'@
|
||||
$keys = $json | ConvertFrom-Json
|
||||
if ($null -eq $keys) {
|
||||
$keys = @()
|
||||
} elseif ($keys -isnot [System.Array]) {
|
||||
$keys = @($keys)
|
||||
}
|
||||
|
||||
$newContent = [string]::Join([Environment]::NewLine, $keys)
|
||||
if ($keys.Count -gt 0) {
|
||||
$newContent += [Environment]::NewLine
|
||||
}
|
||||
|
||||
$oldContent = if (Test-Path $path) { [System.IO.File]::ReadAllText($path) } else { '' }
|
||||
if ($oldContent -ne $newContent) {
|
||||
[System.IO.File]::WriteAllText($path, $newContent, [System.Text.Encoding]::UTF8)
|
||||
Write-Output 'authorized-keys-updated'
|
||||
} else {
|
||||
Write-Output 'authorized-keys-unchanged'
|
||||
}
|
||||
args:
|
||||
executable: powershell.exe
|
||||
register: user_authorized_keys_result
|
||||
changed_when: "'authorized-keys-updated' in user_authorized_keys_result.stdout"
|
||||
loop: "{{ __ssh_users__ | default([]) }}"
|
||||
loop_control:
|
||||
label: "{{ item.name }}"
|
||||
@@ -333,12 +363,34 @@
|
||||
become_user: "NT AUTHORITY\\SYSTEM"
|
||||
|
||||
- name: Create administrators_authorized_keys from admin users' keys (if any)
|
||||
ansible.windows.win_copy:
|
||||
dest: 'C:\ProgramData\ssh\administrators_authorized_keys'
|
||||
content: >-
|
||||
{{ (__ssh_users__ | default([]) | selectattr('admin', 'equalto', true)
|
||||
| map(attribute='keys') | list | flatten | default([])) | join('\r\n') }}\r\n
|
||||
force: true
|
||||
ansible.windows.win_shell: |
|
||||
$path = 'C:\ProgramData\ssh\administrators_authorized_keys'
|
||||
$json = @'
|
||||
{{ (__ssh_users__ | default([]) | selectattr('admin', 'equalto', true) | map(attribute='keys') | list | flatten | default([])) | to_json }}
|
||||
'@
|
||||
$keys = $json | ConvertFrom-Json
|
||||
if ($null -eq $keys) {
|
||||
$keys = @()
|
||||
} elseif ($keys -isnot [System.Array]) {
|
||||
$keys = @($keys)
|
||||
}
|
||||
|
||||
$newContent = [string]::Join([Environment]::NewLine, $keys)
|
||||
if ($keys.Count -gt 0) {
|
||||
$newContent += [Environment]::NewLine
|
||||
}
|
||||
|
||||
$oldContent = if (Test-Path $path) { [System.IO.File]::ReadAllText($path) } else { '' }
|
||||
if ($oldContent -ne $newContent) {
|
||||
[System.IO.File]::WriteAllText($path, $newContent, [System.Text.Encoding]::UTF8)
|
||||
Write-Output 'admin-authorized-keys-updated'
|
||||
} else {
|
||||
Write-Output 'admin-authorized-keys-unchanged'
|
||||
}
|
||||
args:
|
||||
executable: powershell.exe
|
||||
register: admin_authorized_keys_result
|
||||
changed_when: "'admin-authorized-keys-updated' in admin_authorized_keys_result.stdout"
|
||||
when: (__ssh_users__ | default([]) | selectattr('admin','equalto',true) | list) | length > 0
|
||||
become: true
|
||||
become_method: ansible.builtin.runas
|
||||
@@ -350,7 +402,9 @@
|
||||
if (Test-Path $path) {
|
||||
$before = (Get-Acl -Path $path).Sddl
|
||||
icacls.exe $path /inheritance:r | Out-Null
|
||||
icacls.exe $path /grant:r "S-1-5-18:(F)" "S-1-5-32-544:(F)" | Out-Null
|
||||
if ($LASTEXITCODE -ne 0) { throw "icacls failed to disable inheritance on $path" }
|
||||
icacls.exe $path /grant:r "*S-1-5-18:(F)" "*S-1-5-32-544:(F)" | Out-Null
|
||||
if ($LASTEXITCODE -ne 0) { throw "icacls failed to grant SYSTEM/Administrators on $path" }
|
||||
$after = (Get-Acl -Path $path).Sddl
|
||||
if ($before -ne $after) {
|
||||
Write-Output 'admin-auth-keys-acl-changed'
|
||||
|
||||
Reference in New Issue
Block a user