From 51e3e2d2ce2045ee8c792ca8db4b9581263d4612 Mon Sep 17 00:00:00 2001 From: Olivier Date: Sun, 6 Oct 2024 23:44:04 +0200 Subject: [PATCH] Refonte du fichier de conf --- .vscode/launch.json | 18 +++ .vscode/settings.json | 3 + ansible/ajoute-sudoer.yml | 14 ++ ansible/ajoute-utilisateur.yml | 34 +++++ ansible/configure-local-admin.yml | 21 --- .../{mint-compliance.yml => conformite.yml} | 0 ansible/{cubic-setup.yml => cubic.yml} | 0 .../firefox-policy/templates/policies.json | 37 +---- ansible/roles/firefox-policy/vars/main.yml | 42 ++++++ ansible/roles/theme-libretic/tasks/main.yml | 10 +- ansible/supprime-sudoer.yml | 10 ++ ansible/update.yml | 20 +++ config.yml | 34 ++++- libreticmenu-firstboot.sh | 4 +- .../{PosteLinuxMint.py => AnsibleActions.py} | 26 +--- libreticmenu/GitActions.py | 20 +++ libreticmenu/PythonActions.py | 13 ++ libreticmenu/libreticmenu.py | 141 ++++++------------ libreticmenu/libreticmenuBranch.py | 14 -- 19 files changed, 264 insertions(+), 197 deletions(-) create mode 100644 .vscode/launch.json create mode 100644 .vscode/settings.json create mode 100644 ansible/ajoute-sudoer.yml create mode 100644 ansible/ajoute-utilisateur.yml delete mode 100644 ansible/configure-local-admin.yml rename ansible/{mint-compliance.yml => conformite.yml} (100%) rename ansible/{cubic-setup.yml => cubic.yml} (100%) create mode 100644 ansible/roles/firefox-policy/vars/main.yml create mode 100644 ansible/supprime-sudoer.yml create mode 100644 ansible/update.yml rename libreticmenu/{PosteLinuxMint.py => AnsibleActions.py} (50%) create mode 100644 libreticmenu/GitActions.py create mode 100644 libreticmenu/PythonActions.py delete mode 100644 libreticmenu/libreticmenuBranch.py diff --git a/.vscode/launch.json b/.vscode/launch.json new file mode 100644 index 0000000..a1b9cc5 --- /dev/null +++ b/.vscode/launch.json @@ -0,0 +1,18 @@ +{ + // Utilisez IntelliSense pour en savoir plus sur les attributs possibles. + // Pointez pour afficher la description des attributs existants. + // Pour plus d'informations, visitez : https://go.microsoft.com/fwlink/?linkid=830387 + "version": "0.2.0", + "configurations": [ + { + "name": "Python Debugger: Current File with Arguments", + "type": "debugpy", + "request": "launch", + "program": "${file}", + "console": "integratedTerminal", + "args": [ + "--compliance" + ] + } + ] +} \ No newline at end of file diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000..7f6525d --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,3 @@ +{ + "ansible.python.interpreterPath": "/root/.cache/pypoetry/virtualenvs/libreticmenu-YL2xKxPy-py3.12/bin/python" +} \ No newline at end of file diff --git a/ansible/ajoute-sudoer.yml b/ansible/ajoute-sudoer.yml new file mode 100644 index 0000000..3b244f9 --- /dev/null +++ b/ansible/ajoute-sudoer.yml @@ -0,0 +1,14 @@ +- name: Ajoute sudoer + hosts: localhost + vars_prompt: + - name: username + prompt: "Identifiant de l'utilisateur concerné" + private: false + + tasks: + - name: Configure sudo pour {{ username }} + ansible.builtin.user: + name: "{{ username }}" + groups: sudo + append: true + diff --git a/ansible/ajoute-utilisateur.yml b/ansible/ajoute-utilisateur.yml new file mode 100644 index 0000000..6c219c7 --- /dev/null +++ b/ansible/ajoute-utilisateur.yml @@ -0,0 +1,34 @@ +- name: Ajoute utilisateur + hosts: localhost + vars: + default_groups: + - cdrom + - dip + - plugdev + - users + - lpadmin + - sambashare + vars_prompt: + - name: username + prompt: "Identifiant de l'utilisateur concerné" + private: false + - name: prenom_nom + prompt: "Prénom et nom de l'utilisateur" + private: false + + tasks: + - name: Configure un compte pour {{ username }} + ansible.builtin.user: + name: "{{ username }}" + comment: "{{ prenom_nom }}" + groups: "{{ default_groups }}" + append: true + password: "{{ 'achanger' | password_hash('sha512') }}" + update_password: on_create + create_home: true + shell: /bin/bash + register: _user + + - name: Expire le mot de passe de {{ username }} + ansible.builtin.command: passwd -e {{ username }} + when: _user.changed diff --git a/ansible/configure-local-admin.yml b/ansible/configure-local-admin.yml deleted file mode 100644 index 27bbe8a..0000000 --- a/ansible/configure-local-admin.yml +++ /dev/null @@ -1,21 +0,0 @@ -# -# Configure un sudoer -# - -- name: Préparation de l'installation - hosts: localhost - tasks: - - name: Configure sudo pour {{ user }} - ansible.builtin.copy: - content: | - # Autorise {{ user }} à faire sudo - {{ user }} ALL = ALL - dest: /etc/sudoers.d/libreticmenu_allow_sudo_{{ user }} - when: state == "present" - - - name: Supprime sudo pour {{ user }} - ansible.builtin.file: - path: /etc/sudoers.d/libreticmenu_allow_sudo_{{ user }} - state: absent - when: state == "absent" - diff --git a/ansible/mint-compliance.yml b/ansible/conformite.yml similarity index 100% rename from ansible/mint-compliance.yml rename to ansible/conformite.yml diff --git a/ansible/cubic-setup.yml b/ansible/cubic.yml similarity index 100% rename from ansible/cubic-setup.yml rename to ansible/cubic.yml diff --git a/ansible/roles/firefox-policy/templates/policies.json b/ansible/roles/firefox-policy/templates/policies.json index 511255d..279a454 100644 --- a/ansible/roles/firefox-policy/templates/policies.json +++ b/ansible/roles/firefox-policy/templates/policies.json @@ -1,38 +1,3 @@ { - "policies": { - "BlockAboutConfig": true, - "Extensions": { - "Install": ["https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/addon-4328681-latest.xpi", - "https://addons.mozilla.org/firefox/downloads/latest/privacy-badger17/addon-4321653-latest.xpi", - "https://addons.mozilla.org/firefox/downloads/latest/duckduckgo-for-firefox/addon-4325805-latest.xpi"], - "Uninstall": [], - "Locked": [] - }, - "Homepage": { - "URL": "https://libretic.fr/", - "Locked": false, - "StartPage": "homepage" - }, - "FirefoxHome": { - "Search": true, - "SponsoredTopSites": false, - "Highlights": false, - "Pocket": false, - "SponsoredPocket": false, - "Snippets": false, - "Locked": false - }, - "FirefoxSuggest": { - "WebSuggestions": false, - "SponsoredSuggestions": false, - "ImproveSuggest": false, - "Locked": false - }, - "EnableTrackingProtection": { - "Value": true, - "Locked": false, - "Cryptomining": true, - "Fingerprinting": true - } - } + "policies": {{ firefox_policies | to_json(indent=4, sort_keys=True) }} } diff --git a/ansible/roles/firefox-policy/vars/main.yml b/ansible/roles/firefox-policy/vars/main.yml new file mode 100644 index 0000000..03107ed --- /dev/null +++ b/ansible/roles/firefox-policy/vars/main.yml @@ -0,0 +1,42 @@ +# Les adresses "latest" des extensions sont de la forme : +# +# https://addons.mozilla.org/firefox/downloads/latest//addon--latest.xpi +# +# Exemple pour trouver avec l'extension duckduckgo. +# La page de l'extension est : https://addons.mozilla.org/fr/firefox/addon/duckduckgo-for-firefox/ +# - nom_extension se trouve dans l'url de la page : duckduckgo-for-firefox +# - numero_extension se trouve dans l'url lorsqu'on survole le bouton "Installer" ou "Retirer" dans cette même page +# + +firefox_policies: + BlockAboutConfig: true + Extensions: + Install: + - https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/addon-4328681-latest.xpi + - https://addons.mozilla.org/firefox/downloads/latest/privacy-badger17/addon-4321653-latest.xpi + - https://addons.mozilla.org/firefox/downloads/latest/duckduckgo-for-firefox/addon-4325805-latest.xpi + - https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/addon-4355865-latest.xpi + Uninstall: [] + Locked: [] + Homepage: + URL: 'https://libretic.fr/' + Locked: false + StartPage: homepage + FirefoxHome: + Search: true + SponsoredTopSites: false + Highlights: false + Pocket: false + SponsoredPocket: false + Snippets: false + Locked: false + FirefoxSuggest: + WebSuggestions: false + SponsoredSuggestions: false + ImproveSuggest: false + Locked: false + EnableTrackingProtection: + Value: true + Locked: false + Cryptomining: true + Fingerprinting: true diff --git a/ansible/roles/theme-libretic/tasks/main.yml b/ansible/roles/theme-libretic/tasks/main.yml index 7725996..6f07811 100644 --- a/ansible/roles/theme-libretic/tasks/main.yml +++ b/ansible/roles/theme-libretic/tasks/main.yml @@ -7,13 +7,13 @@ mode: u=rwx,g=rx,o=rx notify: update-initramfs -- name: Copie le thème plymouth - ansible.builtin.copy: +- name: Installe le thème plymouth + ansible.posix.synchronize: src: spin-libretic dest: /usr/share/plymouth/themes/ - owner: root - group: root - mode: u=rw,g=r,o=r + owner: false + group: false + delete: true notify: update-initramfs - name: Active le thème plymouth diff --git a/ansible/supprime-sudoer.yml b/ansible/supprime-sudoer.yml new file mode 100644 index 0000000..b9014e6 --- /dev/null +++ b/ansible/supprime-sudoer.yml @@ -0,0 +1,10 @@ +- name: Supprime sudoer + hosts: localhost + vars_prompt: + - name: username + prompt: "Identifiant de l'utilisateur concerné" + private: false + + tasks: + - name: Retire sudo pour {{ username }} + ansible.builtin.command: "usermod -r -G sudo {{ username }}" diff --git a/ansible/update.yml b/ansible/update.yml new file mode 100644 index 0000000..a4b85cc --- /dev/null +++ b/ansible/update.yml @@ -0,0 +1,20 @@ +- name: Mise à jour des paquets + hosts: localhost + tasks: + - name: Mise à jour du cache + ansible.builtin.apt: + update_cache: true + + - name: Mise à jour des paquets + ansible.builtin.apt: + name: "*" + state: latest + + - name: Supprime les paquets devenus inutiles + ansible.builtin.apt: + autoremove: true + purge: true + + - name: Nettoyage apt + ansible.builtin.apt: + clean: true \ No newline at end of file diff --git a/config.yml b/config.yml index f0e0b6b..62bb48b 100644 --- a/config.yml +++ b/config.yml @@ -1,4 +1,32 @@ base_path: ansible -playbook: - cubic: cubic-setup.yml - compliance: mint-compliance.yml +ansiblemenu: + cubic: + menu_title: Exécuter la configuration dans cubic + argument_help: Ne présente pas le menu et prépare une image cubic + playbook: cubic.yml + menu_hidden: true + + update: + menu_title: Exécuter la mise à jour des paquets + argument_help: Ne présente pas le menu et exécute mise à jour des paquets + playbook: update.yml + + conformite: + menu_title: Exécuter la configuration du poste + argument_help: Ne présente pas le menu et exécute la conformité + playbook: conformite.yml + + ajoute-utilisateur: + menu_title: Ajoute un utilisateur + argument_help: Ne présente pas le menu et ajoute un utilisateur + playbook: ajoute-utilisateur.yml + + ajoute-sudoer: + menu_title: Ajoute un administrateur + argument_help: Ne présente pas le menu et ajoute un administrateur + playbook: ajoute-sudoer.yml + + supprime-sudoer: + menu_title: Supprime un administrateur + argument_help: Ne présente pas le menu et supprime un administrateur + playbook: supprime-sudoer.yml diff --git a/libreticmenu-firstboot.sh b/libreticmenu-firstboot.sh index d22fe28..1b4bcd0 100755 --- a/libreticmenu-firstboot.sh +++ b/libreticmenu-firstboot.sh @@ -1,6 +1,6 @@ #!/bin/bash set -eo pipefail -logger -t libreticmenu "Exécution de libreticmenu.sh --runCompliance" +logger -t libreticmenu "Exécution de libreticmenu.sh --update --runCompliance" until host git.libretic.fr; do sleep 5; done -/opt/libreticmenu/libreticmenu.sh --runCompliance \ +/opt/libreticmenu/libreticmenu.sh --update --conformite \ && systemctl disable libreticmenu-firstboot.service diff --git a/libreticmenu/PosteLinuxMint.py b/libreticmenu/AnsibleActions.py similarity index 50% rename from libreticmenu/PosteLinuxMint.py rename to libreticmenu/AnsibleActions.py index 06687e8..372b6c7 100644 --- a/libreticmenu/PosteLinuxMint.py +++ b/libreticmenu/AnsibleActions.py @@ -1,31 +1,9 @@ -import socket import subprocess import os import glob -def runAnsiblePlaybook(config, playbook, branch): - subprocess.run(['ansible-playbook', config['playbook'][playbook]], check=True, cwd=config['base_path']) - -def getHostName(): - return socket.gethostname() - -def getDomain(): - domainname = subprocess.check_output(['domainname', '-d'], text=True).rstrip() - return domainname - -def isCompliant(): - return False - -def setFQDN(fqdn): - result = subprocess.run(['hostnamectl', 'hostname', fqdn], check=True) - return result.returncode == 0 - - -def runCompliance(config, branch): - runAnsiblePlaybook(config, 'compliance', branch) - -def runCubic(config, branch): - runAnsiblePlaybook(config, 'cubic', branch) +def runAnsiblePlaybook(config, key, branch): + subprocess.run(['ansible-playbook', config['ansiblemenu'][key]['playbook']], check=True, cwd=config['base_path']) def addLocalAdmin(config, user): result = subprocess.run( diff --git a/libreticmenu/GitActions.py b/libreticmenu/GitActions.py new file mode 100644 index 0000000..85eab31 --- /dev/null +++ b/libreticmenu/GitActions.py @@ -0,0 +1,20 @@ +from git import Repo +import os + + +def getBranch(): + repo = Repo(os.getcwd()) + branch = repo.active_branch + return branch.name + + +def setBranch(branch): + repo = Repo(os.getcwd()) + git = repo.git + git.switch(branch) + +def getBranchList(): + repo = Repo(os.getcwd()) + remote_refs = repo.remote().refs + refs = list(ref.remote_head for ref in remote_refs if ref.remote_head != 'HEAD') + return refs diff --git a/libreticmenu/PythonActions.py b/libreticmenu/PythonActions.py new file mode 100644 index 0000000..65e5838 --- /dev/null +++ b/libreticmenu/PythonActions.py @@ -0,0 +1,13 @@ +import socket +import subprocess + +def getHostName(): + return socket.gethostname() + +def getDomain(): + domainname = subprocess.check_output(['domainname', '-d'], text=True).rstrip() + return domainname + +def setFQDN(fqdn): + result = subprocess.run(['hostnamectl', 'hostname', fqdn], check=True) + return result.returncode == 0 diff --git a/libreticmenu/libreticmenu.py b/libreticmenu/libreticmenu.py index 90814b6..883cd29 100644 --- a/libreticmenu/libreticmenu.py +++ b/libreticmenu/libreticmenu.py @@ -2,8 +2,9 @@ from InquirerPy import inquirer from InquirerPy import prompt from rich.console import Console from rich.table import Table -import PosteLinuxMint -import libreticmenuBranch +import AnsibleActions +import PythonActions +import GitActions import argparse import yaml import syslog @@ -14,15 +15,14 @@ import os def print_status(): # Récupération des infos - hostname = PosteLinuxMint.getHostName() - domain = PosteLinuxMint.getDomain() - isCompliant = PosteLinuxMint.isCompliant() - currentBranch = libreticmenuBranch.getlibreticmenuBranch() + hostname = PythonActions.getHostName() + domain = PythonActions.getDomain() + currentBranch = GitActions.getBranch() # Affichage du statut console = Console() console.print() - console.print("=== Menu de configuration - poste Linux Mint ===", style="bold red") + console.print("=== Menu de configuration Libretic ===", style="bold red") console.print() table = Table(show_header=True, header_style="bold dim") table.add_column("Paramètre", style="bold magenta") @@ -30,60 +30,10 @@ def print_status(): table.add_column("Statut", justify="center") table.add_row("Environnement du poste", currentBranch, "[green]OK" if currentBranch == "main" else "[yellow]Attention") table.add_row("Hostname", hostname, "[green]OK" if hostname != "unassigned-hostname" else "[red]KO") - table.add_row("Poste configuré", str(isCompliant), "[green]OK" if isCompliant else "[red]KO") console.print(table) console.print() -### Menu du choix hostname -def hostnameChoice(config, branch): - questions = [ - { - "type": "input", - "message": "Renseigner le nom de la machine : ", - }, - ] - result = prompt(questions) - fqdn = result[0] + "." + result[1] - - proceed = inquirer.confirm( - message ="Définir {} comme nom de machine ?".format(fqdn), - confirm_letter = "o", - default=False).execute() - if proceed: - PosteLinuxMint.setFQDN(fqdn) - else: - print("Annulation") - -def complianceChoice(config, branch): - PosteLinuxMint.runCompliance(config, branch) - -def libreticmenuBranchChoice(config, branch): - questions = [ - { - "type": "list", - "message": "Choisir le type d'environnement de ce poste :", - "choices": ["main", "preprod"], - "default": "main", - }, - ] - result = prompt(questions) - - proceed = inquirer.confirm( - message ="Définir {} comme environnement pour ce poste ?".format(result[0]), - confirm_letter = "o", - default=False).execute() - if proceed: - libreticmenuBranch.setlibreticmenuBranch(result[0]) - console = Console() - console.print() - console.print("=== Relancer libreticmenu.sh pour bénéficier du changement d'environnement ===", style="bold red") - console.print() - exit() - else: - print("Annulation") - - # Chargement du fichier de configuration def readConfig(configFile): try: @@ -97,81 +47,88 @@ def readConfig(configFile): raise -def addLocalAdminChoice(config, branch): +### Menu du choix hostname +def hostnameChoice(): questions = [ { "type": "input", - "message": "Utilisateur devant être administrateur local : ", + "message": "Renseigner le nom de la machine : ", }, ] result = prompt(questions) + fqdn = result[0] + "." + result[1] proceed = inquirer.confirm( - message ="Définir {} comme administrateur de ce poste ?".format(result[0]), + message ="Définir {} comme nom de machine ?".format(fqdn), confirm_letter = "o", default=False).execute() if proceed: - PosteLinuxMint.addLocalAdmin(config, result[0]) + PythonActions.setFQDN(fqdn) else: print("Annulation") -def removeLocalAdminChoice(config, branch): - userlist = PosteLinuxMint.getLocalAdmins(config) - - if len(userlist) == 0: - console = Console() - console.print("=== Aucun administrateur local à supprimer ===", style="bold red") - return - +def branchChoice(): questions = [ { "type": "list", - "message": "Utilisateur ne devant plus être administrateur local : ", - "choices": userlist, + "message": "Choisir le type d'environnement de ce poste :", + "choices": GitActions.getBranchList(), + "default": "main", }, ] result = prompt(questions) proceed = inquirer.confirm( - message ="Retirer {} des administrateurs de ce poste ?".format(result[0]), + message ="Définir {} comme environnement pour ce poste ?".format(result[0]), confirm_letter = "o", default=False).execute() if proceed: - PosteLinuxMint.removeLocalAdmin(config, result[0]) + GitActions.setBranch(result[0]) + console = Console() + console.print() + console.print("=== Relancer libreticmenu.sh pour bénéficier du changement d'environnement ===", style="bold red") + console.print() + exit() else: print("Annulation") # Menu principal def main(): - parser = argparse.ArgumentParser(prog="libreticmenu.py", description="Menu de configuration poste Linux Mint") - parser.add_argument("-c", "--config", help="Fichier de configuration (config.yml par défaut)", default="config.yml") - parser.add_argument("--cubic", help="Ne présente pas le menu et exécute le setup pour cubic", action=argparse.BooleanOptionalAction) - parser.add_argument("--runCompliance", help="Ne présente pas le menu et exécute la conformité", action=argparse.BooleanOptionalAction) + config = readConfig("config.yml") + currentBranch = GitActions.getBranch() + + parser = argparse.ArgumentParser(prog="libreticmenu.py", description="Menu de configuration Libretic") + for entry in config['ansiblemenu']: + parser.add_argument("--" + entry, help=config['ansiblemenu'][entry]['argument_help'], action='store_true') args = parser.parse_args() - config = readConfig(args.config) + menu_main = { "Définir le hostname": hostnameChoice, - "Exécuter la configuration du poste": complianceChoice, - "Changer le type d'environnement": libreticmenuBranchChoice, - "Ajouter sudoer": addLocalAdminChoice, - "Supprimer sudoer": removeLocalAdminChoice, + } + + for entry in config['ansiblemenu']: + if not config['ansiblemenu'][entry].get('menu_hidden', False): + menu_main = menu_main | { + config['ansiblemenu'][entry]['menu_title']: lambda e=entry: AnsibleActions.runAnsiblePlaybook(config, e, currentBranch) + } + + menu_main = menu_main | { + "Changer de branche": branchChoice, "Quitter": None } - currentBranch = libreticmenuBranch.getlibreticmenuBranch() + # Exécute les options passées sur la ligne de commande + cmdlineOptionPassed = False + for entry in config['ansiblemenu']: + if entry in list(arg for arg in vars(args) if getattr(args, arg)): + AnsibleActions.runAnsiblePlaybook(config, entry, currentBranch) + cmdlineOptionPassed = True - if args.cubic: - PosteLinuxMint.runCubic(config, currentBranch) - exit() - if args.runCompliance: - PosteLinuxMint.runCompliance(config, currentBranch) - exit() - - while True: + while not cmdlineOptionPassed: print_status() console = Console() console.print("Choisir une des options suivantes", style="bold blue") @@ -181,7 +138,7 @@ def main(): default = None).execute() if menu_main[action] != None: - menu_main[action](config, currentBranch) + menu_main[action]() else: break diff --git a/libreticmenu/libreticmenuBranch.py b/libreticmenu/libreticmenuBranch.py deleted file mode 100644 index d8b8605..0000000 --- a/libreticmenu/libreticmenuBranch.py +++ /dev/null @@ -1,14 +0,0 @@ -from git import Repo -import os - - -def getlibreticmenuBranch(): - repo = Repo(os.getcwd()) - branch = repo.active_branch - return branch.name - - -def setlibreticmenuBranch(branch): - repo = Repo(os.getcwd()) - git = repo.git - git.switch(branch)