User and groups management¶

The main feature of playlabs is your inventory, it’s meant to make it easy for you to manage users and users to manage themselves on your infra & external services. For example, playlabs could provision ssh and ldap on an ldap server, but so far we haven’t provisioned ldap servers with playlabs because we have playlabs … wait wut ?

Anyway, when you’re onboarding a hacker you can point them to your inventory repository url and also this documentation with the mission to add themselve.

Pre-requisite¶

Clone the inventory repository that you have been given if any. If it doesn’t work, make sure that the git server knows your ssh public key if authenticating with SSH.

If you haven’t been given an inventory repository to clone, create one with the scaffolt command (note that you can have as many inventories as you want):

playlabs scaffold your-inventory

Adding a new user¶

The users list and roles are defined in a YAML document that would be located in your repository at path group_vars/all/users.yml. Ansible offers a wide range of possibilities so it might also be elsewhere, but that’s the convention used in the default playlabs inventory that you can generate with the playlabs scaffold command.

SSH Public key¶

Playlabs will use the SSH key it finds in the keys/ inventory of the inventory repository. You can set it up as such:

# generate a key if you don't have any
ssh-keygen -t ed25519 -a 100

# create a branch for adding your user
git checkout -b $USER

# copy the public key to the keys subdirectory of the inventory repo
# if you have generated your key with the above it will be
cp ~/.ssh/id_ed25519.pub keys/$USER

# add to the inventory repository
git add keys/$USER

Then, read on the adding your user to the user list.

YAML user list¶

In the users.yml file, add a list item to the users variable. You should really use your local username if you want to have a nicer playlabs experience.

users:
  # ...
  - name: yourusername
    email: your@email.com
    roles:
      ssh: sudo

Add your modification with git and push it in a branch, then you can create a merge request on gitlab or whatever you use, ie:

git add -p group_vars/all/users.yml
git commit -m "Add $USER"
git push origin $USER

Kubernetes provisioning¶

Add k8s: clusten-admin or cluster-admin: k8s to the user roles ie.:

- name: jcarmack
  roles:
    ssh: sudo
    k8s: cluster-admin

Then, playlabs install ssh,k8s @hostname for example will add that user to ssh with sudo and make it a cluster-admin. It will create a signed certificate in the home directory of the user that they will be able to scp back and use to authenticate as cluster-admin with kubectl.

Password and secret variables¶

Secret content is handled with the ansible-vault command. You need to store your vault password in a file that will not be added to the inventory repository. The convention in playlabs is to name the file .vault. Then, ansible will recognize it with the --vault-id .vault command line argument.

Create a password for yourself:

ansible-vault create passwords/$USER
# or, automated:
echo -n your password | ansible-vault encrypt --vault-id .vault > passwords/$USER

SSH will not accept password authentication with playlabs by default, however your password will be useable with the rest of services installed with playlabs, even custom projects if their plugin support it, which is the case of the Django plugin, thanks to djcli.

Removing users¶

To remove a user, remove it from the users variables and then add its username to the users_remove list of group_vars/all/users.yml ie.:

users_remove:
- usernametodelete

Applying users¶

To apply users, you can run the playlabs install ssh @host command that will execute the SSH role, setting up the SSH users.

If you already have a host inventory.yml then you don’t need to specify the hosts on the command line: all hosts that are in the ssh group will benefit from a playlabs install ssh call.

The convention accross playlabs is to have a tag named users so that we can also run roles partially in order to only update users with little efforts.

Reference¶

The users YAML document in the default repository serves as reference:

---
# This YAML document defines a list of users for playlabs ansible playbooks.
# You can have an automated job that will update users for example with
# `playlabs install ssh` and then users will get their credentials deployed on
# git push.
#
# You need the ansible vault password in cleartext a file that will not be
# tracked in git to edit secret variables such as passwords. You should create
# this file with the ``.vault`` name at the root of your inventory repository
# clone then you can use ansible-vault commands with the ``--vault-id .vault``
# argument ie.::
#
#     echo -n your password | ansible-vault encrypt --vault-id .vault > passwords/hacker
#     ansible-vault view --vault-id .vault passwords/hacker
#     ansible-vault rekey --vault-id .vault passwords/hacker

users:
- name: hacker
  email: hacker1337@example.pcom
  roles:
    netdata: [sysadmin, domainadmin, dba, webmaster, proxyadmin]
    ssh: [sudo]
    # superuser on all project instances
    project: [superuser]
    # setting role on group works both ways: don't have groups and roles with
    # the same name
    superuser:
    - ci
    - project-staging
    - sentry

# The example inventory provides one deploy user, than has no sudo
# access, except for the backup scripts that it cannot write.
# He has an ssh account because playlabs found a key in keys/deploy.pub.
# For deploy user, we have a key without password, that is supposed to be
# crypted with ansible-vault before commit:
#
#     $ ssh-keygen -t ed25519 -a 100 -f keys/deploy
#     $ echo -n your vault password > .vault
#     $ ansible-vault encrypt --vault-id .vault keys/deploy
- name: deploy
  sudo:
  - /home/*/backup.sh
  - /home/*/docker-run.sh

# The productowner user does not have ssh access because it does not have a
# public key in keys/productowner.pub.
#
# However, productowner have a password to pass through htaccess security, for
# roles and projects that have it enabled.
#
# To generate your own crypted password run this command:
#
#     $ echo -n your vault password > .vault
#     $ echo -n password | ansible-vault encrypt --vault-id .vault > passwords/yourproductowner
- name: productowner
  superuser:
  - project-staging

# Playlabs will remove users in this list
users_remove:
- name: olduser

# Name of the user that will be able to write /home/service/docker-image
deploy_user: deploy