From: Matt Birkholz Date: Tue, 22 Oct 2024 16:40:08 +0000 (-0700) Subject: Manually authorize agentdvr to install packages. X-Git-Url: https://birchwood-abbey.net/git?a=commitdiff_plain;h=36be2458e82b4633f9f996d2bdbe83a9a5635c36;p=Network Manually authorize agentdvr to install packages. Running Ansible should not re-authorize. (Punt conditioning task.) --- diff --git a/README.org b/README.org index 886b9ea..1288ffa 100644 --- a/README.org +++ b/README.org @@ -1821,7 +1821,12 @@ entities which were organized into an "Abbey" dashboard. * The Abbey DVR Role The abbey uses AgentDVR to record video from PoE IP HD security -cameras. The "download" button on iSpy's Download page +cameras. It is installed and configured as described here. + +** AgentDVR Installation + +AgentDVR is installed at the abbey according to the iSpy web site's +latest(?) instructions. The "download" button on iSpy's Download page ([[https://www.ispyconnect.com/download]]), when "Agent DVR - Linux/ macOS/ RPi" is chosen, suggests the following command lines (the second of which is broken across three lines). 
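Review bot: The new "AgentDVR Installation" paragraph ships a question mark into the documentation ("iSpy web site's latest(?) instructions"). Either drop the "(?)" or replace it with something a reader can check, such as the date the instructions were copied or the script path the quoted command already fixes (~v2/install.sh~), so the section states what was actually followed rather than asking.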
@@ -1833,20 +1838,63 @@ ispysoftware/agent-install-scripts/main/v2/\ install.sh") #+END_SRC -Ansible assists by creating the system user ~agentdvr~ and granting it -enough ~sudo~ latitude to run the installer as instructed above. -Though a system user, the account gets a home directory, -=/home/agentdvr/= in which to do the installation. The rest of the -DVR role, "phase two", waits until AgentDVR is installed. +/Before/ executing these commands, Ansible is enlisted to make certain +preparations. + +*** AgentDVR Installation Preparation + +AgentDVR runs in the abbey as a system user, ~agentdvr~, which +installs and runs the service. Though a system user, the account gets +a home directory, =/home/agentdvr/= in which to install AgentDVR, and +a login shell, =/bin/bash=. This much Ansible can do in preparation. + +: ./abbey config dvrs + +After the ~agentdvr~ account is created, it is temporarily authorized +to run a handful of system commands (as ~root~!). This small set is +sufficient /if/ the offer to create the system service is declined. +The following commands create this authorization in =~/01agentdvr=, +validate and install it in =/etc/sudoers.d/01agentdvr=. Such caution +is taken because a syntax error anywhere in =/etc/sudoers.d/= can make +the ~sudo~ command inoperative, cutting off access to all elevated +privileges until a "rescue" (involving a reboot) is performed. + +#+BEGIN_SRC sh +echo "ALL ALL=(agentdvr) NOPASSWD: /bin/systemctl,/bin/apt-get,\ + /sbin/adduser,/sbin/usermod" >~/01agentdvr +sudo chown root:root ~/01agentdvr +sudo chmod 440 ~/01agentdvr +visudo --check --owner --perms ~/01agentdvr +sudo mv ~/01agentdvr /etc/sudoers.d/ +#+END_SRC + +*** AgentDVR Installation Execution + +With the above preparations, the system administrator can get a shell +session under the ~agentdvr~ account to run iSpy's installation script +in the empty =/home/agentdvr/= directory. 
+ +#+BEGIN_SRC sh +sudo apt-get install curl +sudo -u agentdvr <(curl -s "https:.../install.sh") +#+END_SRC + +The script creates the =/home/agentdvr/AgentDVR/= directory, and +offers to install a system service. The offer is declined. Instead, +Ansible is run again. + +*** AgentDVR Installation Completion + +When Ansible is run a second time, after the installation script, it +sees the new =/home/agentdvr/AgentDVR/= directory and creates (and +starts) the new system service. -AgentDVR is installed, after Ansible has set things up, by running the -command lines prescribed by iSpy while logged in as ~agentdvr~ with -the current default directory =/home/agentdvr/=. The installer should -create the =/home/agentdvr/AgentDVR/= directory. Its offer to install -a system service is declined. +: ./abbey config dvrs -After AgentDVR is installed, when the =/home/agentdvr/AgentDVR/= -directory exists, Ansible is run again to install the system service. +Also after the installation, the system administrator revokes the +~agentdvr~ account's authorizations to modify packages and accounts. + +: sudo rm /etc/sudoers.d/01agentdvr ** Create User ~agentdvr~ 
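Review bot: The sudoers rule in the new "Installation Preparation" block grants the wrong thing. In ~ALL ALL=(agentdvr) NOPASSWD: ...~ the first field is the user list and the parenthesised field is the target user, so this line lets every account run systemctl, apt-get, adduser and usermod as ~agentdvr~, not ~agentdvr~ as ~root~, which contradicts the sentence just above it ("as ~root~!") and will not satisfy the installer's own ~sudo~ calls; the rule the prose describes is ~agentdvr ALL=(root) NOPASSWD: /bin/systemctl,/bin/apt-get,/sbin/adduser,/sbin/usermod~. Two smaller points in the same hunk: ~visudo --check --owner --perms ~/01agentdvr~ runs after the file has been chowned to ~root:root~ and chmodded 440, so an unprivileged administrator can no longer read it and the check fails for the wrong reason; run it under ~sudo~ (or check before changing ownership) so a syntax error is actually caught before the ~mv~ into =/etc/sudoers.d/=. And in "Installation Execution", ~sudo -u agentdvr <(curl -s "https:.../install.sh")~ hands ~sudo~ a =/dev/fd/NN= path as the command to execute; that path is neither executable nor visible to the child (~sudo~ closes inherited descriptors), and it also drops the ~bash~ that iSpy's quoted command line uses. Since the surrounding prose wants "a shell session under the ~agentdvr~ account", ~sudo -i -u agentdvr~ followed by iSpy's own ~bash <(curl -s ...)~ from =/home/agentdvr/= matches the text and keeps the installer's service prompt attached to the terminal.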
@@ -1882,24 +1930,6 @@ AgentDVR runs as the system user ~agentdvr~, which is created here. mode: u=rwx,g=rwxs,o=rx #+END_SRC -** Authorize User ~agentdvr~ - -The AgentDVR installer is also run by ~agentdvr~, which is authorized -to run a handful of system commands. This small set is sufficient -/if/ the offer to create the system service is declined. In that -case, the installer will run the program in the terminal. - -#+CAPTION: [[file:roles_t/abbey-dvr/tasks/main.yml][=roles_t/abbey-dvr/tasks/main.yml=]] -#+BEGIN_SRC conf :tangle roles_t/abbey-dvr/tasks/main.yml - -- name: Authorize agentdvr. - copy: - content: | - ALL ALL=(agentdvr) NOPASSWD: /bin/systemctl,/bin/apt-get,\ - /sbin/adduser,/sbin/usermod - dest: /etc/sudoers.d/agentdvr -#+END_SRC - ** Test For =AgentDVR/= The following task probes for the =/home/agentdvr/AgentDVR/= diff --git a/roles_t/abbey-dvr/tasks/main.yml b/roles_t/abbey-dvr/tasks/main.yml index e57d335..66dd54e 100644 --- a/roles_t/abbey-dvr/tasks/main.yml +++ b/roles_t/abbey-dvr/tasks/main.yml @@ -25,13 +25,6 @@ group: agentdvr mode: u=rwx,g=rwxs,o=rx -- name: Authorize agentdvr. - copy: - content: | - ALL ALL=(agentdvr) NOPASSWD: /bin/systemctl,/bin/apt-get,\ - /sbin/adduser,/sbin/usermod - dest: /etc/sudoers.d/agentdvr - - name: Test for AgentDVR directory. stat: path: /home/agentdvr/AgentDVR
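Review bot: The removed "Authorize User ~agentdvr~" section carried one sentence the new "Installation Execution" text does not: "In that case, the installer will run the program in the terminal." The new section says the service offer is declined and Ansible is run again, but not that the installer then starts AgentDVR in the foreground, so the administrator is not told what to expect between declining the offer and re-running ~./abbey config dvrs~. Carry that sentence into the new section rather than dropping it with the old one.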
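Review bot: Deleting the "Authorize agentdvr." task from =roles_t/abbey-dvr/tasks/main.yml= stops Ansible from writing =/etc/sudoers.d/agentdvr=, but it does not remove that file from hosts already provisioned by the old role, and the manual revocation this commit documents (~sudo rm /etc/sudoers.d/01agentdvr~) names only the new file. Either add a ~file~ task with ~state: absent~ for =/etc/sudoers.d/agentdvr= or note the one-time ~sudo rm~ in the README, so existing DVR hosts do not keep a NOPASSWD rule nobody intends to maintain.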