Allows toggling sudo: with password and group sudo, passwordless with group wheel

The default behaviour is to activate both password-based sudo through the group sudo and passwordless sudo through group wheel (to not break compatibility with previous behaviour).
2021-03-27 13:53:24 +01:00 · 2021-03-27 13:53:24 +01:00 · ffa58f35e3
commit ffa58f35e3
parent fa1f9e2bf5
2 changed files with 57 additions and 30 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -11,4 +11,6 @@ users:
  - vagrant
 sudoers:
  - vagrant
-ensure_ansible_version: 2.10.3
+ensure_ansible_version: 2.10.3
+enable_sudo: yes
+enable_passwordless_sudo: yes
--- a/tasks/users.yml
+++ b/tasks/users.yml
@ -5,31 +5,40 @@
    - sudo
  when: ansible_facts['os_family'] == 'FreeBSD'

- name: 'Allow wheel group to do passwordless sudo'
-  lineinfile:
-    dest: /usr/local/etc/sudoers
-    state: present
-    regexp: '^%wheel'
-    line: '%wheel ALL=(ALL) NOPASSWD:ALL'
-    validate: visudo -cf %s
-  when: ansible_facts['os_family'] == 'FreeBSD'
-
- name: 'Allow wheel group to do passwordless sudo'
-  lineinfile:
-    dest: /etc/sudoers
-    state: present
-    regexp: '^%wheel'
-    line: '%wheel ALL=(ALL) NOPASSWD:ALL'
-    validate: visudo -cf %s
-  when:
-    - ansible_facts['os_family'] in ['Debian', 'Archlinux']
-
 - name: 'Create users with corresponding groups'
  user:
    name: "{{ item }}"
    groups: users
  with_items: "{{ users }}"

+- block:
+    - name: 'Ensure that sudo group is existing'
+      group:
+        name: sudo
+        state: present
+
+    - name: 'Allow sudo group to do sudo'
+      lineinfile:
+        dest: "{{ lookup('first_found', files, errors='ignore') }}"
+        state: present
+        regexp: '^#?\s*%sudo'
+        line: '%sudo   ALL=(ALL) ALL'
+        validate: visudo -cf %s
+      vars:
+        files:
+          - /etc/sudoers
+          - /usr/local/etc/sudoers # e.g. FreeBSD
+
+    - name: 'Add sudoers user to sudo group'
+      user:
+        name: "{{ item }}"
+        groups: sudo
+        append: yes
+      with_items: "{{ sudoers }}"
+  when:
+    - enable_sudo
+    - not enable_passwordless_sudo
+
 - name: 'Add corresponding authorized_keys to each user'
  authorized_key:
    user: "{{ item }}"
@ -38,17 +47,33 @@
  with_items: "{{ users }}"
  ignore_errors: yes

- name: 'Ensure that wheel group is existing'
-  group:
-    name: wheel
-    state: present
+- block:
+    - name: 'Ensure that wheel group is existing'
+      group:
+        name: wheel
+        state: present

- name: 'Add sudoers user to wheel group'
-  user:
-    name: "{{ item }}"
-    groups: wheel
-    append: yes
-  with_items: "{{ sudoers }}"
+    - name: 'Add sudoers user to wheel group'
+      user:
+        name: "{{ item }}"
+        groups: wheel
+        append: yes
+      with_items: "{{ sudoers }}"
+
+    - name: 'Allow wheel group to do passwordless sudo'
+      lineinfile:
+        dest: "{{ lookup('first_found', files, errors='ignore') }}"
+        state: present
+        regexp: '^%wheel'
+        line: '%wheel ALL=(ALL) NOPASSWD:ALL'
+        validate: visudo -cf %s
+      vars:
+        files:
+          - /etc/sudoers
+          - /usr/local/etc/sudoers # e.g. FreeBSD
+  when:
+    - enable_sudo
+    - enable_passwordless_sudo

 - name: Copy tmux config
  copy: