Granting infrastructure access to employees
This page describes how to grant new employees access to your company infrastructure. It also describes how to remove the access of departed employees from the servers.
Employee names are abbreviated as follows:
First name: Marianne Eva
Last name: Musterfrau
This results in the abbreviated name: m.musterfrau
OpenVPN for employees
The first thing an additional employee needs is OpenVPN access. To add this, edit the file
and add the new "client" to the variable
openvpn_clients. To generate the OpenVPN client configuration run:
user@workstation:~/code/git/git.example.com/ansible/playbook-infrastructure-TEMPLATE_VAR_CUSTOMER_LOWER$ ./make utils prod openvpn
This will create a new .zip file at exa-utils-prod-gateway-1.exa.io:/etc/openvpn/vpnexa/clients/archives/m.musterfrau.zip. Download this file using scp and provide it to the additional employee.
The employee will have to unpack the .zip file and copy it to /etc/openvpn/ or similar, depending on the operating system, on her workstation or mobile device.
The OpenVPN server will try to push a route to all tinc IPs of the servers through itself. This may not work on some devices or operating systems, in which case the pushed resolvers have to be set up manually on the employee's device.
Passwords for employees
In almost all cases (where technically possible) Ansible provisions access to the utility services using a specific password for each employee, which is defined in the password-store:
user@workstation:~/code/git/git.example.com/ansible/playbook-infrastructure-TEMPLATE_VAR_CUSTOMER_LOWER$ pass | grep human
Please note that the password filenames here do not contain dots, because the password-store dynamic inventory creates variables from them.
Using this password, the employee can access the WebUI of the respective utility service.
When adding new passwords, the new employee usually also has to be added to the respective Ansible play file of the utility service, which then has to be executed to grant access.
SSH access for employees
Employees, called "humans" in this repository, can be granted SSH access to specific groups of servers.
A list of employees is kept in the file
inventory/group_vars/all.yml in the variable
humans. This variable is used in several plays, like the SSH play in
Each employee who is granted access gets her own Linux user account on the respective groups of servers. Every employee always has the same UID and GID on all servers, as specified in plays/baseline/ssh.yml. The SSH play uses the variable ssh_users, which can be defined in inventory/host_vars/ depending on which servers are to be targeted for a specific group of employees.
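As an added illustration (not the repository's own plays/baseline/ssh.yml), an Ansible task list of the kind described above. It assumes that humans maps each abbreviated name to a uid, gid, SSH public key and a state, and that ssh_users in host_vars lists which of those humans get an account on a host; setting state to absent for a human removes the account on the next run, which covers the offboarding case.

```yaml
# Added example, not the repository's own play. Assumed data shapes:
# inventory/group_vars/all.yml
#   humans:
#     m.musterfrau:
#       uid: 2001
#       gid: 2001
#       state: present          # set to absent when the employee leaves
#       ssh_key: "ssh-ed25519 AAAA...constructed-example m.musterfrau"
# inventory/host_vars/<host>.yml
#   ssh_users: [m.musterfrau]
- name: Refuse to run if ssh_users references a name not defined in humans
  ansible.builtin.assert:
    that: ssh_users | difference(humans.keys() | list) | length == 0
    fail_msg: "ssh_users contains names that are not defined in humans"

- name: Ensure each human has the same primary group (GID) on every server
  ansible.builtin.group:
    name: "{{ item }}"
    gid: "{{ humans[item].gid }}"
    state: present
  loop: "{{ ssh_users }}"
  when: humans[item].state | default('present') == 'present'

- name: Create or remove the Linux user with a fixed UID/GID
  ansible.builtin.user:
    name: "{{ item }}"
    uid: "{{ humans[item].uid }}"
    group: "{{ item }}"
    shell: /bin/bash
    state: "{{ humans[item].state | default('present') }}"
    # remove the home directory too when the employee is offboarded
    remove: "{{ humans[item].state | default('present') == 'absent' }}"
  loop: "{{ ssh_users }}"

- name: Install the employee's SSH public key (exclusive drops stale keys)
  ansible.posix.authorized_key:
    user: "{{ item }}"
    key: "{{ humans[item].ssh_key }}"
    exclusive: true
  loop: "{{ ssh_users }}"
  when: humans[item].state | default('present') == 'present'

- name: Remove the primary group once the user is gone
  ansible.builtin.group:
    name: "{{ item }}"
    state: absent
  loop: "{{ ssh_users }}"
  when: humans[item].state | default('present') == 'absent'
```

Because the UID and GID come from the shared humans map rather than being allocated per host, files owned by an employee keep the same numeric owner on every server the play targets.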
Once SSH access is set up for a specific employee, she can log in to the group of servers using her abbreviated username:
(Optional) port knocking with fwknop
Depending on the configuration, access to the admin IP as well as the public IP of the utility gateway servers, which serve the OpenVPN service, can be restricted using port knocking. This has the advantage that far less code is directly exposed to the internet (only fwknop instead of OpenVPN and SSH).
Fwknop can be installed on all common devices (Linux, Mac OS X, Android, iPhones and others). Access can be granted to the device's own IP address or to other IP addresses specified on the device.
If fwknop is configured on the servers, SSH and OpenVPN can only be used after a fwknop client has allowed the public IP address of the router through which the workstation or mobile device accesses the internet.
To add a new employee to the list of allowed fwknop users, simply install fwknop and generate a new configuration. Send the generated secret string to the admin so it can be set up in