libretic/linuxinstaller
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Refonte du fichier de conf

Browse source
This commit is contained in:
Navas 2024-10-06 23:44:04 +02:00
parent d01ec42c62
commit 51e3e2d2ce
19 changed files with 264 additions and 197 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
.vscode/launch.json vendored Normal file
View file

@ -0,0 +1,18 @@
{
// Utilisez IntelliSense pour en savoir plus sur les attributs possibles.
// Pointez pour afficher la description des attributs existants.
// Pour plus d'informations, visitez : https://go.microsoft.com/fwlink/?linkid=830387
"version": "0.2.0",
"configurations": [
{
"name": "Python Debugger: Current File with Arguments",
"type": "debugpy",
"request": "launch",
"program": "${file}",
"console": "integratedTerminal",
"args": [
"--compliance"
]
}
]
}

3
.vscode/settings.json vendored Normal file
View file

@ -0,0 +1,3 @@
{
"ansible.python.interpreterPath": "/root/.cache/pypoetry/virtualenvs/libreticmenu-YL2xKxPy-py3.12/bin/python"
}

14
ansible/ajoute-sudoer.yml Normal file
View file

@ -0,0 +1,14 @@
- name: Ajoute sudoer
hosts: localhost
vars_prompt:
- name: username
prompt: "Identifiant de l'utilisateur concerné"
private: false
tasks:
- name: Configure sudo pour {{ username }}
ansible.builtin.user:
name: "{{ username }}"
groups: sudo
append: true

34
ansible/ajoute-utilisateur.yml Normal file
View file

@ -0,0 +1,34 @@
- name: Ajoute utilisateur
hosts: localhost
vars:
default_groups:
- cdrom
- dip
- plugdev
- users
- lpadmin
- sambashare
vars_prompt:
- name: username
prompt: "Identifiant de l'utilisateur concerné"
private: false
- name: prenom_nom
prompt: "Prénom et nom de l'utilisateur"
private: false
tasks:
- name: Configure un compte pour {{ username }}
ansible.builtin.user:
name: "{{ username }}"
comment: "{{ prenom_nom }}"
groups: "{{ default_groups }}"
append: true
password: "{{ 'achanger' | password_hash('sha512') }}"
update_password: on_create
create_home: true
shell: /bin/bash
register: _user
- name: Expire le mot de passe de {{ username }}
ansible.builtin.command: passwd -e {{ username }}
when: _user.changed

21
ansible/configure-local-admin.yml
View file

@ -1,21 +0,0 @@
#
# Configure un sudoer
#
- name: Préparation de l'installation
hosts: localhost
tasks:
- name: Configure sudo pour {{ user }}
ansible.builtin.copy:
content: |
# Autorise {{ user }} à faire sudo
{{ user }} ALL = ALL
dest: /etc/sudoers.d/libreticmenu_allow_sudo_{{ user }}
when: state == "present"
- name: Supprime sudo pour {{ user }}
ansible.builtin.file:
path: /etc/sudoers.d/libreticmenu_allow_sudo_{{ user }}
state: absent
when: state == "absent"

0
ansible/mint-compliance.yml → ansible/conformite.yml
View file

0
ansible/cubic-setup.yml → ansible/cubic.yml
View file

37
ansible/roles/firefox-policy/templates/policies.json
View file

@ -1,38 +1,3 @@
{ {
"policies": { "policies": {{ firefox_policies | to_json(indent=4, sort_keys=True) }}
"BlockAboutConfig": true,
"Extensions": {
"Install": ["https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/addon-4328681-latest.xpi",
"https://addons.mozilla.org/firefox/downloads/latest/privacy-badger17/addon-4321653-latest.xpi",
"https://addons.mozilla.org/firefox/downloads/latest/duckduckgo-for-firefox/addon-4325805-latest.xpi"],
"Uninstall": [],
"Locked": []
},
"Homepage": {
"URL": "https://libretic.fr/",
"Locked": false,
"StartPage": "homepage"
},
"FirefoxHome": {
"Search": true,
"SponsoredTopSites": false,
"Highlights": false,
"Pocket": false,
"SponsoredPocket": false,
"Snippets": false,
"Locked": false
},
"FirefoxSuggest": {
"WebSuggestions": false,
"SponsoredSuggestions": false,
"ImproveSuggest": false,
"Locked": false
},
"EnableTrackingProtection": {
"Value": true,
"Locked": false,
"Cryptomining": true,
"Fingerprinting": true
}
}
} }

42
ansible/roles/firefox-policy/vars/main.yml Normal file
View file

@ -0,0 +1,42 @@
# Les adresses "latest" des extensions sont de la forme :
#
# https://addons.mozilla.org/firefox/downloads/latest/<nom_extension>/addon-<numero_extension>-latest.xpi
#
# Exemple pour trouver avec l'extension duckduckgo.
# La page de l'extension est : https://addons.mozilla.org/fr/firefox/addon/duckduckgo-for-firefox/
# - nom_extension se trouve dans l'url de la page : duckduckgo-for-firefox
# - numero_extension se trouve dans l'url lorsqu'on survole le bouton "Installer" ou "Retirer" dans cette même page
#
firefox_policies:
BlockAboutConfig: true
Extensions:
Install:
- https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/addon-4328681-latest.xpi
- https://addons.mozilla.org/firefox/downloads/latest/privacy-badger17/addon-4321653-latest.xpi
- https://addons.mozilla.org/firefox/downloads/latest/duckduckgo-for-firefox/addon-4325805-latest.xpi
- https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/addon-4355865-latest.xpi
Uninstall: []
Locked: []
Homepage:
URL: 'https://libretic.fr/'
Locked: false
StartPage: homepage
FirefoxHome:
Search: true
SponsoredTopSites: false
Highlights: false
Pocket: false
SponsoredPocket: false
Snippets: false
Locked: false
FirefoxSuggest:
WebSuggestions: false
SponsoredSuggestions: false
ImproveSuggest: false
Locked: false
EnableTrackingProtection:
Value: true
Locked: false
Cryptomining: true
Fingerprinting: true

10
ansible/roles/theme-libretic/tasks/main.yml
View file

@ -7,13 +7,13 @@
mode: u=rwx,g=rx,o=rx mode: u=rwx,g=rx,o=rx
notify: update-initramfs notify: update-initramfs
- name: Copie le thème plymouth - name: Installe le thème plymouth
ansible.builtin.copy: ansible.posix.synchronize:
src: spin-libretic src: spin-libretic
dest: /usr/share/plymouth/themes/ dest: /usr/share/plymouth/themes/
owner: root owner: false
group: root group: false
mode: u=rw,g=r,o=r delete: true
notify: update-initramfs notify: update-initramfs
- name: Active le thème plymouth - name: Active le thème plymouth

10
ansible/supprime-sudoer.yml Normal file
View file

@ -0,0 +1,10 @@
- name: Supprime sudoer
hosts: localhost
vars_prompt:
- name: username
prompt: "Identifiant de l'utilisateur concerné"
private: false
tasks:
- name: Retire sudo pour {{ username }}
ansible.builtin.command: "usermod -r -G sudo {{ username }}"

20
ansible/update.yml Normal file
View file

@ -0,0 +1,20 @@
- name: Mise à jour des paquets
hosts: localhost
tasks:
- name: Mise à jour du cache
ansible.builtin.apt:
update_cache: true
- name: Mise à jour des paquets
ansible.builtin.apt:
name: "*"
state: latest
- name: Supprime les paquets devenus inutiles
ansible.builtin.apt:
autoremove: true
purge: true
- name: Nettoyage apt
ansible.builtin.apt:
clean: true

34
config.yml
View file

@ -1,4 +1,32 @@
base_path: ansible base_path: ansible
playbook: ansiblemenu:
cubic: cubic-setup.yml cubic:
compliance: mint-compliance.yml menu_title: Exécuter la configuration dans cubic
argument_help: Ne présente pas le menu et prépare une image cubic
playbook: cubic.yml
menu_hidden: true
update:
menu_title: Exécuter la mise à jour des paquets
argument_help: Ne présente pas le menu et exécute mise à jour des paquets
playbook: update.yml
conformite:
menu_title: Exécuter la configuration du poste
argument_help: Ne présente pas le menu et exécute la conformité
playbook: conformite.yml
ajoute-utilisateur:
menu_title: Ajoute un utilisateur
argument_help: Ne présente pas le menu et ajoute un utilisateur
playbook: ajoute-utilisateur.yml
ajoute-sudoer:
menu_title: Ajoute un administrateur
argument_help: Ne présente pas le menu et ajoute un administrateur
playbook: ajoute-sudoer.yml
supprime-sudoer:
menu_title: Supprime un administrateur
argument_help: Ne présente pas le menu et supprime un administrateur
playbook: supprime-sudoer.yml

4
libreticmenu-firstboot.sh
View file

@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
set -eo pipefail set -eo pipefail
logger -t libreticmenu "Exécution de libreticmenu.sh --runCompliance" logger -t libreticmenu "Exécution de libreticmenu.sh --update --runCompliance"
until host git.libretic.fr; do sleep 5; done until host git.libretic.fr; do sleep 5; done
/opt/libreticmenu/libreticmenu.sh --runCompliance \ /opt/libreticmenu/libreticmenu.sh --update --conformite \
&& systemctl disable libreticmenu-firstboot.service && systemctl disable libreticmenu-firstboot.service

26
libreticmenu/PosteLinuxMint.py → libreticmenu/AnsibleActions.py
View file

@ -1,31 +1,9 @@
import socket
import subprocess import subprocess
import os import os
import glob import glob
def runAnsiblePlaybook(config, playbook, branch): def runAnsiblePlaybook(config, key, branch):
subprocess.run(['ansible-playbook', config['playbook'][playbook]], check=True, cwd=config['base_path']) subprocess.run(['ansible-playbook', config['ansiblemenu'][key]['playbook']], check=True, cwd=config['base_path'])
def getHostName():
return socket.gethostname()
def getDomain():
domainname = subprocess.check_output(['domainname', '-d'], text=True).rstrip()
return domainname
def isCompliant():
return False
def setFQDN(fqdn):
result = subprocess.run(['hostnamectl', 'hostname', fqdn], check=True)
return result.returncode == 0
def runCompliance(config, branch):
runAnsiblePlaybook(config, 'compliance', branch)
def runCubic(config, branch):
runAnsiblePlaybook(config, 'cubic', branch)
def addLocalAdmin(config, user): def addLocalAdmin(config, user):
result = subprocess.run( result = subprocess.run(

20
libreticmenu/GitActions.py Normal file
View file

@ -0,0 +1,20 @@
from git import Repo
import os
def getBranch():
repo = Repo(os.getcwd())
branch = repo.active_branch
return branch.name
def setBranch(branch):
repo = Repo(os.getcwd())
git = repo.git
git.switch(branch)
def getBranchList():
repo = Repo(os.getcwd())
remote_refs = repo.remote().refs
refs = list(ref.remote_head for ref in remote_refs if ref.remote_head != 'HEAD')
return refs

13
libreticmenu/PythonActions.py Normal file
View file

@ -0,0 +1,13 @@
import socket
import subprocess
def getHostName():
return socket.gethostname()
def getDomain():
domainname = subprocess.check_output(['domainname', '-d'], text=True).rstrip()
return domainname
def setFQDN(fqdn):
result = subprocess.run(['hostnamectl', 'hostname', fqdn], check=True)
return result.returncode == 0

141
libreticmenu/libreticmenu.py
View file

@ -2,8 +2,9 @@ from InquirerPy import inquirer
from InquirerPy import prompt from InquirerPy import prompt
from rich.console import Console from rich.console import Console
from rich.table import Table from rich.table import Table
import PosteLinuxMint import AnsibleActions
import libreticmenuBranch import PythonActions
import GitActions
import argparse import argparse
import yaml import yaml
import syslog import syslog
@ -14,15 +15,14 @@ import os
def print_status(): def print_status():
# Récupération des infos # Récupération des infos
hostname = PosteLinuxMint.getHostName() hostname = PythonActions.getHostName()
domain = PosteLinuxMint.getDomain() domain = PythonActions.getDomain()
isCompliant = PosteLinuxMint.isCompliant() currentBranch = GitActions.getBranch()
currentBranch = libreticmenuBranch.getlibreticmenuBranch()
# Affichage du statut # Affichage du statut
console = Console() console = Console()
console.print() console.print()
console.print("=== Menu de configuration - poste Linux Mint ===", style="bold red") console.print("=== Menu de configuration Libretic ===", style="bold red")
console.print() console.print()
table = Table(show_header=True, header_style="bold dim") table = Table(show_header=True, header_style="bold dim")
table.add_column("Paramètre", style="bold magenta") table.add_column("Paramètre", style="bold magenta")
@ -30,60 +30,10 @@ def print_status():
table.add_column("Statut", justify="center") table.add_column("Statut", justify="center")
table.add_row("Environnement du poste", currentBranch, "[green]OK" if currentBranch == "main" else "[yellow]Attention") table.add_row("Environnement du poste", currentBranch, "[green]OK" if currentBranch == "main" else "[yellow]Attention")
table.add_row("Hostname", hostname, "[green]OK" if hostname != "unassigned-hostname" else "[red]KO") table.add_row("Hostname", hostname, "[green]OK" if hostname != "unassigned-hostname" else "[red]KO")
table.add_row("Poste configuré", str(isCompliant), "[green]OK" if isCompliant else "[red]KO")
console.print(table) console.print(table)
console.print() console.print()
### Menu du choix hostname
def hostnameChoice(config, branch):
questions = [
{
"type": "input",
"message": "Renseigner le nom de la machine : ",
},
]
result = prompt(questions)
fqdn = result[0] + "." + result[1]
proceed = inquirer.confirm(
message ="Définir {} comme nom de machine ?".format(fqdn),
confirm_letter = "o",
default=False).execute()
if proceed:
PosteLinuxMint.setFQDN(fqdn)
else:
print("Annulation")
def complianceChoice(config, branch):
PosteLinuxMint.runCompliance(config, branch)
def libreticmenuBranchChoice(config, branch):
questions = [
{
"type": "list",
"message": "Choisir le type d'environnement de ce poste :",
"choices": ["main", "preprod"],
"default": "main",
},
]
result = prompt(questions)
proceed = inquirer.confirm(
message ="Définir {} comme environnement pour ce poste ?".format(result[0]),
confirm_letter = "o",
default=False).execute()
if proceed:
libreticmenuBranch.setlibreticmenuBranch(result[0])
console = Console()
console.print()
console.print("=== Relancer libreticmenu.sh pour bénéficier du changement d'environnement ===", style="bold red")
console.print()
exit()
else:
print("Annulation")
# Chargement du fichier de configuration # Chargement du fichier de configuration
def readConfig(configFile): def readConfig(configFile):
try: try:
@ -97,81 +47,88 @@ def readConfig(configFile):
raise raise
def addLocalAdminChoice(config, branch): ### Menu du choix hostname
def hostnameChoice():
questions = [ questions = [
{ {
"type": "input", "type": "input",
"message": "Utilisateur devant être administrateur local : ", "message": "Renseigner le nom de la machine : ",
}, },
] ]
result = prompt(questions) result = prompt(questions)
fqdn = result[0] + "." + result[1]
proceed = inquirer.confirm( proceed = inquirer.confirm(
message ="Définir {} comme administrateur de ce poste ?".format(result[0]), message ="Définir {} comme nom de machine ?".format(fqdn),
confirm_letter = "o", confirm_letter = "o",
default=False).execute() default=False).execute()
if proceed: if proceed:
PosteLinuxMint.addLocalAdmin(config, result[0]) PythonActions.setFQDN(fqdn)
else: else:
print("Annulation") print("Annulation")
def removeLocalAdminChoice(config, branch): def branchChoice():
userlist = PosteLinuxMint.getLocalAdmins(config)
if len(userlist) == 0:
console = Console()
console.print("=== Aucun administrateur local à supprimer ===", style="bold red")
return
questions = [ questions = [
{ {
"type": "list", "type": "list",
"message": "Utilisateur ne devant plus être administrateur local : ", "message": "Choisir le type d'environnement de ce poste :",
"choices": userlist, "choices": GitActions.getBranchList(),
"default": "main",
}, },
] ]
result = prompt(questions) result = prompt(questions)
proceed = inquirer.confirm( proceed = inquirer.confirm(
message ="Retirer {} des administrateurs de ce poste ?".format(result[0]), message ="Définir {} comme environnement pour ce poste ?".format(result[0]),
confirm_letter = "o", confirm_letter = "o",
default=False).execute() default=False).execute()
if proceed: if proceed:
PosteLinuxMint.removeLocalAdmin(config, result[0]) GitActions.setBranch(result[0])
console = Console()
console.print()
console.print("=== Relancer libreticmenu.sh pour bénéficier du changement d'environnement ===", style="bold red")
console.print()
exit()
else: else:
print("Annulation") print("Annulation")
# Menu principal # Menu principal
def main(): def main():
parser = argparse.ArgumentParser(prog="libreticmenu.py", description="Menu de configuration poste Linux Mint") config = readConfig("config.yml")
parser.add_argument("-c", "--config", help="Fichier de configuration (config.yml par défaut)", default="config.yml") currentBranch = GitActions.getBranch()
parser.add_argument("--cubic", help="Ne présente pas le menu et exécute le setup pour cubic", action=argparse.BooleanOptionalAction)
parser.add_argument("--runCompliance", help="Ne présente pas le menu et exécute la conformité", action=argparse.BooleanOptionalAction) parser = argparse.ArgumentParser(prog="libreticmenu.py", description="Menu de configuration Libretic")
for entry in config['ansiblemenu']:
parser.add_argument("--" + entry, help=config['ansiblemenu'][entry]['argument_help'], action='store_true')
args = parser.parse_args() args = parser.parse_args()
config = readConfig(args.config)
menu_main = { menu_main = {
"Définir le hostname": hostnameChoice, "Définir le hostname": hostnameChoice,
"Exécuter la configuration du poste": complianceChoice, }
"Changer le type d'environnement": libreticmenuBranchChoice,
"Ajouter sudoer": addLocalAdminChoice, for entry in config['ansiblemenu']:
"Supprimer sudoer": removeLocalAdminChoice, if not config['ansiblemenu'][entry].get('menu_hidden', False):
menu_main = menu_main | {
config['ansiblemenu'][entry]['menu_title']: lambda e=entry: AnsibleActions.runAnsiblePlaybook(config, e, currentBranch)
}
menu_main = menu_main | {
"Changer de branche": branchChoice,
"Quitter": None "Quitter": None
} }
currentBranch = libreticmenuBranch.getlibreticmenuBranch() # Exécute les options passées sur la ligne de commande
cmdlineOptionPassed = False
for entry in config['ansiblemenu']:
if entry in list(arg for arg in vars(args) if getattr(args, arg)):
AnsibleActions.runAnsiblePlaybook(config, entry, currentBranch)
cmdlineOptionPassed = True
if args.cubic:
PosteLinuxMint.runCubic(config, currentBranch)
exit()
if args.runCompliance: while not cmdlineOptionPassed:
PosteLinuxMint.runCompliance(config, currentBranch)
exit()
while True:
print_status() print_status()
console = Console() console = Console()
console.print("Choisir une des options suivantes", style="bold blue") console.print("Choisir une des options suivantes", style="bold blue")
@ -181,7 +138,7 @@ def main():
default = None).execute() default = None).execute()
if menu_main[action] != None: if menu_main[action] != None:
menu_main[action](config, currentBranch) menu_main[action]()
else: else:
break break

14
libreticmenu/libreticmenuBranch.py
View file

@ -1,14 +0,0 @@
from git import Repo
import os
def getlibreticmenuBranch():
repo = Repo(os.getcwd())
branch = repo.active_branch
return branch.name
def setlibreticmenuBranch(branch):
repo = Repo(os.getcwd())
git = repo.git
git.switch(branch)