Bastion Playbook (redhat-cop#30)

* New bastion roles and playbook

* Updated bastion roles to allow for VNC

* Updated bastion roles to allow for VNC

* Updated bastion playbook README

* Updated bastion playbook README

* Updates/changes per comments + a few new features

* Updates/changes per comments + a few new features

* Updated README with missing inventory variable

* Updated README with missing inventory variable

* Updated VNC role to better handle standalone hosts

* Updated VNC role to better handle standalone hosts

* Updated bastion README

* Quotes around values

playbooks/bastion/README.md

@@ -0,0 +1,43 @@
+# Bastion Host / Control Host playbook
+
+This playbook uses a variety of roles in this repo to setup a bastion host, also some times called a control host. The inventory can be used (per instructions below) to control which software and services get installed on the bastion host. 
+
+
+## Prerequisites
+A running instance (VM or cloud image) such as Fedora, CentOS or Red Hat Enterprise Linux. The instance needs to be subscribed (if applicable) and configured with access to the necessary repos (in most cases, the exsisting repos / configuration is sufficient).
+
+If the IdM / IPA integration is to be used, it is a prerequisites that the environment is set up with automatic client server discovery vis DNS SRV records (consult your sys admin if this is an unfamiliar area).
+
+## Gotcha's 
+1. If running in a cloud environment, for example OpenStack, make sure to have the correct ports open in the security groups (e.g.: 5901 for VNC, 22 for SSH, etc.)
+2. When enabling VNC, and you already have a shared home directory, make sure the proper changes are made to the VNC configuration (typically in `~/.vnc` ) to allow for the service to run correctly.
+
+## Example run
+How to run the playbook may depend on the options selected. However, below is an example execution whereas the password for IPA/IdM integration (with `ipa_client_install` set to "yes" in the inventory) is passed in rather than statically set in the inventory. Modify the inventory to your liking in `playbooks/bastion/inventory`, then at the top level of the repository, execute the following command:
+
+```
+> ansible-playbook -i playbooks/bastion/inventory playbooks/bastion/install.yml -e 'ipa_password=<ipa/IdM password>'
+```
+
+**Note:** If your password contains any special characters, e.g.: a '!', it's important to use the single quotes for the passed in value as it otherwise may be interpereted by the shell. 
+
+## Inventory Options
+
+**Note:** If you are intending to use the IdM/IPA integration, and are unfamiliar with the IdM/IPA variables below, please consult the IdM/IPA documentation or your sys admin for details.
+
+| variable | info |
+|:--------:|:----:|
+|main_user|The username this bastion is primerly being enabled for| 
+|ipa_client_install|Set to "yes" if you'd like to integrate with a backend IPA/IdM service|
+|ipa_domain|If `ipa_client_install` is set to "yes", set this to the existing IdM / IPA domain your environment uses (obtain from sys admin if not known)|
+|ipa_automount_location|If `ipa_client_install` is set to "yes", set the required automount location for home directories (obtain from sys admin if not known)|
+|ipa_username|If `ipa_client_install` is set to "yes", this is the username of an account that has the permission to join this host to the above IPA/IdM domain (obtain from sys admin if not known)|
+|ipa_password|If `ipa_client_install` is set to "yes", this is the password of an account that has the permission to join this host to the above IPA/IdM domain (obtain from sys admin if not known)
+|docker_install|Set to "yes" if you'd like to enable docker on this host|
+|docker_username|Set to the desirable user (your username) to be added to the docker group (to allow for docker admin)|
+|xfce_install|Set to "yes" if you'd like XFCE enabled on this host for a graphical UI (note XFCE often works better than gnome for VNC)|
+|gnome_install|Set to "yes" if you'd like gnome enabled on this host for a graphical UI|
+|vnc_server_install|Set to "yes" if you'd like to enable a VNC server on this host for graphical access to the host|
+|additional_tools_packages|List of additional packages (RPMs) to be installed at the end of the bastion host preparation, e.g.: `['git', 'vim']`|
+
+

playbooks/bastion/install.yml

@@ -0,0 +1,20 @@
+---
+
+- name: "Prep the bastion host for Ansible runs"
+  hosts: bastion
+  gather_facts: no
+  roles:
+  - role: prep-for-ansible
+
+# NOTE: it's important that the docker role is done after the ipa-client role
+- name: 'Install and Configure the bastion host'
+  hosts: bastion
+  roles:
+  - role: update-host
+  - role: config-ipa-client
+  - role: config-docker
+  - role: config-gnome
+  - role: config-xfce
+  - role: config-vnc-server
+  - role: config-tools
+

playbooks/bastion/inventory-centos

@@ -0,0 +1,15 @@
+[all:vars]
+main_user=testuser
+
+ipa_client_install=yes
+ipa_domain=example.com
+ipa_automount_location=userhome
+ipa_username=testuser
+
+docker_install=yes
+docker_username=testuser
+
+[bastion]
+192.168.1.11 ansible_user=centos ansible_become=True
+
+

playbooks/bastion/inventory-fedora

@@ -0,0 +1,21 @@
+[all:vars]
+main_user=fedora
+
+ipa_client_install=yes
+ipa_domain=example.com
+ipa_automount_location=userhome
+ipa_username=testuser
+ipa_password=my-super-secret-password
+
+docker_install=yes
+docker_username=testuser
+
+xfce_install=yes
+vnc_server_install=yes
+
+additional_tools_packages=['git']
+
+[bastion]
+192.168.1.10 ansible_user=fedora ansible_become=True
+
+

playbooks/bastion/roles

@@ -0,0 +1 @@
+../../roles

roles/config-docker/tasks/docker.yml

@@ -0,0 +1,27 @@
+---
+- name: "Install additional packages for Docker"
+  package:
+    name: "{{ item }}"
+    state: latest
+  with_items:
+  - docker
+  notify: 
+  - restart docker
+
+- name: "Enable docker"
+  service:
+    name: docker
+    enabled: yes
+    state: started
+
+- name: "Add docker group"
+  group:
+    name: docker
+    state: present
+  notify: restart docker
+
+- name: "Add username to the docker group" 
+  user:
+    name: "{{ docker_username }}"
+    groups: docker
+    append: yes

roles/config-docker/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: "Install, configure and enable Docker"
+  include: docker.yml
+  when: 
+  - docker_install|default('no') == "yes"
+

roles/config-gnome/tasks/gnome-Fedora.yml

@@ -0,0 +1,8 @@
+---
+- name: "Install additional packages for Gnome"
+  dnf:
+    name: "{{ item }}"
+    state: present
+  with_items:
+  - '@gnome'
+

roles/config-gnome/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+
+- name: "Install, configure and enable Gnome"
+  include: "{{ distro_file }}"
+  with_first_found:
+  - files:
+    - gnome-{{ ansible_distribution }}.yml
+    skip: true
+  loop_control:
+    loop_var: distro_file
+  when:
+  - gnome_install|default('no') == "yes"
+

roles/config-ipa-client/tasks/ipa-install.yml

@@ -0,0 +1,143 @@
+---
+
+- name: "Set default values"
+  set_fact:
+    move_user: False
+
+- name: "Install additional packages for SELinux"
+  package:
+    name: "{{ item }}"
+    state: latest
+  with_items:
+  - libselinux-python
+
+- name: "Ensure new local home dir exists" 
+  file: 
+    path: "/lclhome"
+    state: directory
+
+- name: "Obtain the current home dir for the ansible user"
+  shell: "grep '^{{ ansible_user }}' /etc/passwd | cut -d':' -f6"
+  register: current_home
+
+- name: "Set change flag" 
+  set_fact:
+    move_user: True
+  when: 
+  - current_home.stdout == '/home/' ~ ansible_user
+
+- name: "Create temporary account used to move the main account home dir"
+  user:
+    name: "lcluser"
+    groups: wheel
+  when:
+  - move_user|bool == True
+
+- name: "Ensure new local home dir exists" 
+  file: 
+    path: "/home/lcluser/.ssh"
+    state: directory
+    mode: 0700
+    owner: lcluser
+    group: lcluser
+  when:
+  - move_user|bool == True
+
+- name: "Copy over SSH key from the ansible_user"
+  copy:
+    src: "/home/{{ ansible_user }}/.ssh/authorized_keys"
+    dest: "/home/lcluser/.ssh/authorized_keys"
+    mode: 0600
+    owner: lcluser
+    group: lcluser
+    remote_src: True
+  when:
+  - move_user|bool == True
+
+- name: "Ensure SUDO access for temporary user"
+  lineinfile: 
+    path: /etc/sudoers.d/10-local-user
+    regexp: "^lcluser" 
+    line: "lcluser ALL=(ALL) NOPASSWD:ALL"
+    create: yes
+  when:
+  - move_user|bool == True
+
+- name: "Override the ansible_user now that a temporary user is enabled"
+  set_fact:
+    old_ansible_user: "{{ ansible_user }}"
+    ansible_user: "lcluser"
+  when: 
+  - ansible_user is defined
+  - ansible_user != ''
+  - move_user|bool == True
+
+- name: "Install additional packages for IPA/IdM"
+  package:
+    name: "{{ item }}"
+    state: latest
+  with_items:
+  - ipa-client
+
+- name: "Wait for the previous user to finish up"
+  shell: "ps -ef | cut -d' ' -f1 | grep '{{ old_ansible_user }}'"
+  register: cmdoutput
+  until: cmdoutput.rc == 1
+  retries: 60
+  delay: 2
+  failed_when: False
+  changed_when: False
+  when:
+  - move_user|bool == True
+
+- name: "Move local sudo user home dir"
+  user:
+    name: "{{ old_ansible_user }}"
+    move_home: yes
+    home: "/lclhome/{{ old_ansible_user }}"
+  when: 
+  - ansible_user is defined
+  - ansible_user != ''
+  - move_user|bool == True
+
+- name: "Move back to the main sudo user"
+  set_fact:
+    ansible_user: "{{ old_ansible_user }}"
+  when: 
+  - old_ansible_user is defined
+  - old_ansible_user != ''
+
+- name: "Wait for the previous user to finish up"
+  shell: "ps -ef | cut -d' ' -f1 | grep 'lcluser'"
+  register: cmdoutput
+  until: cmdoutput.rc == 1
+  retries: 60
+  delay: 2
+  failed_when: false
+  changed_when: false
+  when:
+  - move_user|bool == True
+
+- name: "Remove the temporary user"
+  user:
+    name: "lcluser" 
+    state: absent
+  when:
+  - move_user|bool == True
+
+- name: "Remove the sudo access for the temporary user"
+  file:
+    path: /etc/sudoers.d/10-local-user
+    state: absent
+
+- name: "Ensure SUDO access for main user"
+  lineinfile: 
+    path: /etc/sudoers.d/10-idm-user
+    regexp: "^{{ main_user }}" 
+    line: "{{ main_user }} ALL=(ALL) NOPASSWD:ALL"
+    create: yes
+
+- name: "Set up the IPA/IdM client integration"
+  command: ipa-client-install -U --automount-location={{ ipa_automount_location }} -p "{{ ipa_username }}" -w "{{ ipa_password }}" --domain="{{ ipa_domain }}" --force-join
+
+

roles/config-ipa-client/tasks/ipa.yml

@@ -0,0 +1,12 @@
+---
+
+- name: "Check if service has already been started - if so skip"
+  command: "systemctl status sssd" 
+  register: sssd_status
+  failed_when: False
+  changed_when: False
+
+
+- name: "Configure IPA/IdM Integration if not already enabled"
+  include: ipa-install.yml
+  when: sssd_status.rc != 0

roles/config-ipa-client/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+
+- name: "Install, configure and enable IPA/IdM integration"
+  include: ipa.yml
+  when: 
+  - ipa_client_install|default('no') == "yes"

roles/config-tools/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+
+
+default_tools_packages: 
+- vim
+- git

roles/config-tools/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+
+- name: 'Install additional Software packages/tools'
+  package:
+    name: '{{ item }}'
+    state: installed
+  with_items:
+  - "{{ additional_tools_packages | default(default_tools_packages) }}"
+

roles/config-vnc-server/files/SELinuxVNC.te

@@ -0,0 +1,20 @@
+
+module SELinuxVNC 1.0;
+
+require {
+	type user_home_t;
+	type geoclue_t;
+	type init_t;
+	type nfs_t;
+	type unconfined_service_t;
+	class dir search;
+	class file { getattr open read unlink };
+}
+
+#============= geoclue_t ==============
+allow geoclue_t unconfined_service_t:dir search;
+allow geoclue_t unconfined_service_t:file { getattr open read };
+
+#============= init_t ==============
+allow init_t nfs_t:file { open read };
+allow init_t user_home_t:file { open read unlink };

roles/config-vnc-server/files/xstartup-gnome

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+unset SESSION_MANAGER
+unset DBUS_SESSION_BUS_ADDRESS
+exec /etc/X11/xinit/xinitrc
+