From fa1f9e2bf5ea3887751619cac4a6c26a1151d4c3 Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Sat, 27 Mar 2021 01:02:02 +0100 Subject: [PATCH 01/17] Use python3 to install Ansible --- tasks/ansible-debian.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/ansible-debian.yml b/tasks/ansible-debian.yml index 4182ce1..0be6fde 100644 --- a/tasks/ansible-debian.yml +++ b/tasks/ansible-debian.yml @@ -1,4 +1,4 @@ --- - name: Install Ansible - raw: which ansible || pip3 install ansible + raw: which ansible || python3 -m pip install ansible changed_when: false From ffa58f35e3ed964908fe46f9edce53e7bb5354ee Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Sat, 27 Mar 2021 13:53:24 +0100 Subject: [PATCH 02/17] Allows toggling sudo: with password and group sudo, passwordless with group wheel The default behaviour is to activate both password-based sudo through the group sudo and passwordless sudo through group wheel (to not break compatibility with previous behaviour). --- defaults/main.yml | 4 ++- tasks/users.yml | 83 ++++++++++++++++++++++++++++++----------------- 2 files changed, 57 insertions(+), 30 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 108c3d8..3b7f2fd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -11,4 +11,6 @@ users: - vagrant sudoers: - vagrant -ensure_ansible_version: 2.10.3 \ No newline at end of file +ensure_ansible_version: 2.10.3 +enable_sudo: yes +enable_passwordless_sudo: yes \ No newline at end of file diff --git a/tasks/users.yml b/tasks/users.yml index 5c38204..3789a05 100644 --- a/tasks/users.yml +++ b/tasks/users.yml 
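Review bot: The bootstrap line `raw: which ansible || python3 -m pip install ansible` installs whatever version PyPI serves at run time, while `defaults/main.yml` already carries `ensure_ansible_version` and `tasks/main.yml` installs `ansible=={{ ensure_ansible_version }}`, so the two paths can leave different versions on the host. Pin the bootstrap the same way, `raw: which ansible || python3 -m pip install "ansible=={{ ensure_ansible_version }}"`. `changed_when: false` on this task also reports no change even on the run that actually installs the package; registering the result and deriving `changed_when` from its output would keep the play's change report honest.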
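Review bot: `enable_sudo: yes` and `enable_passwordless_sudo: yes` in the `defaults/main.yml` hunk rely on YAML 1.1 truthy words, which a YAML 1.2 loader reads as the strings "yes" and which ansible-lint's truthy rule rejects; write `enable_sudo: true` and `enable_passwordless_sudo: true`. With both defaults on, every account listed in `sudoers` gets passwordless root out of the box, so the README entry added in the next commit should state explicitly that `enable_passwordless_sudo: false` is the setting to choose when a password prompt is wanted. The hunk still ends with `\ No newline at end of file`; add the trailing newline while the file is being touched.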
@@ -5,31 +5,40 @@ - sudo when: ansible_facts['os_family'] == 'FreeBSD' -- name: 'Allow wheel group to do passwordless sudo' - lineinfile: - dest: /usr/local/etc/sudoers - state: present - regexp: '^%wheel' - line: '%wheel ALL=(ALL) NOPASSWD:ALL' - validate: visudo -cf %s - when: ansible_facts['os_family'] == 'FreeBSD' - -- name: 'Allow wheel group to do passwordless sudo' - lineinfile: - dest: /etc/sudoers - state: present - regexp: '^%wheel' - line: '%wheel ALL=(ALL) NOPASSWD:ALL' - validate: visudo -cf %s - when: - - ansible_facts['os_family'] in ['Debian', 'Archlinux'] - - name: 'Create users with corresponding groups' user: name: "{{ item }}" groups: users with_items: "{{ users }}" +- block: + - name: 'Ensure that sudo group is existing' + group: + name: sudo + state: present + + - name: 'Allow sudo group to do sudo' + lineinfile: + dest: "{{ lookup('first_found', files, errors='ignore') }}" + state: present + regexp: '^#?\s*%sudo' + line: '%sudo ALL=(ALL) ALL' + validate: visudo -cf %s + vars: + files: + - /etc/sudoers + - /usr/local/etc/sudoers # e.g. FreeBSD + + - name: 'Add sudoers user to sudo group' + user: + name: "{{ item }}" + groups: sudo + append: yes + with_items: "{{ sudoers }}" + when: + - enable_sudo + - not enable_passwordless_sudo + - name: 'Add corresponding authorized_keys to each user' authorized_key: user: "{{ item }}" 
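Review bot: The `when` on the new `%sudo` block, `enable_sudo` together with `not enable_passwordless_sudo`, skips the block under the shipped defaults (both `yes`), so a default run configures only the passwordless `%wheel` entry and never the password-protected `%sudo` entry, which contradicts the commit message's "activate both". If both are meant to apply by default, drop `- not enable_passwordless_sudo` from this block's `when`. Separately, `dest: "{{ lookup('first_found', files, errors='ignore') }}"` most likely renders to an empty string when neither sudoers path exists, and `lineinfile` then fails on a blank path rather than with a message naming the candidates; the same pattern is used in the `%wheel` block of the next hunk (`@@ -38,17`), so either drop `errors='ignore'` so the lookup itself reports the missing files, or add an `assert` on the rendered path before the `lineinfile`. `regexp: '^#?\s*%sudo'` also replaces a distribution-shipped line of the form `%sudo ALL=(ALL:ALL) ALL` with the narrower `%sudo ALL=(ALL) ALL`; if that is intended, a comment on the `line:` entry would save the next reader a check.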
@@ -38,17 +47,33 @@ with_items: "{{ users }}" ignore_errors: yes -- name: 'Ensure that wheel group is existing' - group: - name: wheel - state: present +- block: + - name: 'Ensure that wheel group is existing' + group: + name: wheel + state: present -- name: 'Add sudoers user to wheel group' - user: - name: "{{ item }}" - groups: wheel - append: yes - with_items: "{{ sudoers }}" + - name: 'Add sudoers user to wheel group' + user: + name: "{{ item }}" + groups: wheel + append: yes + with_items: "{{ sudoers }}" + + - name: 'Allow wheel group to do passwordless sudo' + lineinfile: + dest: "{{ lookup('first_found', files, errors='ignore') }}" + state: present + regexp: '^%wheel' + line: '%wheel ALL=(ALL) NOPASSWD:ALL' + validate: visudo -cf %s + vars: + files: + - /etc/sudoers + - /usr/local/etc/sudoers # e.g. FreeBSD + when: + - enable_sudo + - enable_passwordless_sudo - name: Copy tmux config copy: From 5397ef058a0e41d87ba04c07abb3da7f7f983181 Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Sat, 27 Mar 2021 14:01:47 +0100 Subject: [PATCH 03/17] Updated README --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 6e74940..3ca7ab7 100644 --- a/README.md +++ b/README.md @@ -22,6 +22,12 @@ users: - vagrant sudoers: - vagrant +# Will install a specific Ansible version on the target host +ensure_ansible_version: 2.10.3 +# Allow sudo with a password (applied to group sudo) +enable_sudo: yes +# Allow passwordless sudo (applied to group wheel) +enable_passwordless_sudo: yes ``` Dependencies From 2a27db4ba802f2faf10422de32aa5939a1b6a1f4 Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Sat, 27 Mar 2021 14:27:02 +0100 Subject: [PATCH 04/17] Makes installation of Ansible optional (default: no) and installs additional python libraries --- README.md | 4 +++- defaults/main.yml | 8 ++++++-- tasks/main.yml | 8 +++++++- 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 3ca7ab7..b6a821a 100644 
--- a/README.md +++ b/README.md @@ -12,16 +12,18 @@ Role Variables Defaults: ``` -hostname: {{ inventory_hostname }} +hostname: "{{ inventory_hostname }}" update_hostname: no locales_gen: - en_US.UTF-8 - de_DE.UTF-8 locales_default: de_DE.UTF-8 +x11_keymap: de users: - vagrant sudoers: - vagrant +enable_ansible: no # Will install a specific Ansible version on the target host ensure_ansible_version: 2.10.3 # Allow sudo with a password (applied to group sudo) diff --git a/defaults/main.yml b/defaults/main.yml index 3b7f2fd..a6f331e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,7 @@ --- # defaults file for common -hostname: '{{ inventory_hostname }}' -update_hostname: yes +hostname: "{{ inventory_hostname }}" +update_hostname: no locales_gen: - en_US.UTF-8 - de_DE.UTF-8 @@ -11,6 +11,10 @@ users: - vagrant sudoers: - vagrant +enable_ansible: no +# Will install a specific Ansible version on the target host ensure_ansible_version: 2.10.3 +# Allow sudo with a password (applied to group sudo) enable_sudo: yes +# Allow passwordless sudo (applied to group wheel) enable_passwordless_sudo: yes \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index cd239a5..14d5ca8 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -32,6 +32,8 @@ vars: packages: - python-pip + - python-setuptools + - python-virtualenv - htop - tmux become: yes @@ -44,6 +46,9 @@ #update_cache: yes vars: packages: + - python-pip + - python-setuptools + - python-virtualenv - apt-transport-https - htop - tmux @@ -52,4 +57,5 @@ - name: Install Ansible pip: - name: ansible=={{ ensure_ansible_version }} \ No newline at end of file + name: ansible=={{ ensure_ansible_version }} + when: enable_ansible \ No newline at end of file From 044870389798ad1f65d5f7745c978e04faf7a485 Mon Sep 17 00:00:00 2001 
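Review bot: `when: enable_ansible` on the `Install Ansible` task hands the raw variable to the conditional, and a value overridden from inventory or `-e` can arrive as a string, where `"no"` is a non-empty and therefore truthy value in Jinja; `when: enable_ansible | bool` makes the intent explicit and matches the `| bool` filter the series later applies to `authorized_keys_are_exclusive`. `enable_ansible: no` in `defaults/main.yml` should be `false` for the same YAML 1.1 reason as the other toggles in that file. The file still ends without a trailing newline after this hunk.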
From: Jan Beilicke Date: Sat, 27 Mar 2021 14:29:36 +0100 Subject: [PATCH 05/17] Fixed accidental change of default update_hostname behaviour --- README.md | 2 +- defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b6a821a..e1d11fe 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ Defaults: ``` hostname: "{{ inventory_hostname }}" -update_hostname: no +update_hostname: yes locales_gen: - en_US.UTF-8 - de_DE.UTF-8 diff --git a/defaults/main.yml b/defaults/main.yml index a6f331e..fb6f250 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,7 @@ --- # defaults file for common hostname: "{{ inventory_hostname }}" -update_hostname: no +update_hostname: yes locales_gen: - en_US.UTF-8 - de_DE.UTF-8 From 6335b7735afa67474e21529f8b0109b574e8bca8 Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Sat, 27 Mar 2021 13:31:24 +0000 Subject: [PATCH 06/17] Makes installation of Ansible optional (default: no) and installs additional python libraries (#2) Fixed accidental change of default update_hostname behaviour Makes installation of Ansible optional (default: no) and installs additional python libraries Co-authored-by: Jan Beilicke --- README.md | 6 ++++-- defaults/main.yml | 6 +++++- tasks/main.yml | 8 +++++++- 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 3ca7ab7..e1d11fe 100644 --- a/README.md +++ b/README.md @@ -12,16 +12,18 @@ Role Variables Defaults: ``` -hostname: {{ inventory_hostname }} -update_hostname: no +hostname: "{{ inventory_hostname }}" +update_hostname: yes locales_gen: - en_US.UTF-8 - de_DE.UTF-8 locales_default: de_DE.UTF-8 +x11_keymap: de users: - vagrant sudoers: - vagrant +enable_ansible: no # Will install a specific Ansible version on the target host ensure_ansible_version: 2.10.3 # Allow sudo with a password (applied to group sudo) diff --git a/defaults/main.yml b/defaults/main.yml index 3b7f2fd..fb6f250 100644 
--- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ --- # defaults file for common -hostname: '{{ inventory_hostname }}' +hostname: "{{ inventory_hostname }}" update_hostname: yes locales_gen: - en_US.UTF-8 @@ -11,6 +11,10 @@ users: - vagrant sudoers: - vagrant +enable_ansible: no +# Will install a specific Ansible version on the target host ensure_ansible_version: 2.10.3 +# Allow sudo with a password (applied to group sudo) enable_sudo: yes +# Allow passwordless sudo (applied to group wheel) enable_passwordless_sudo: yes \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index cd239a5..14d5ca8 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -32,6 +32,8 @@ vars: packages: - python-pip + - python-setuptools + - python-virtualenv - htop - tmux become: yes @@ -44,6 +46,9 @@ #update_cache: yes vars: packages: + - python-pip + - python-setuptools + - python-virtualenv - apt-transport-https - htop - tmux @@ -52,4 +57,5 @@ - name: Install Ansible pip: - name: ansible=={{ ensure_ansible_version }} \ No newline at end of file + name: ansible=={{ ensure_ansible_version }} + when: enable_ansible \ No newline at end of file From 8194cd67999dccb3084519485af460ffc625c71b Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Sun, 23 May 2021 14:14:55 +0200 Subject: [PATCH 07/17] Pacman should update the cache before installing packages --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 14d5ca8..8aa61d3 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -28,7 +28,7 @@ pacman: name: "{{ packages }}" state: present - #update_cache: yes + update_cache: yes vars: packages: - python-pip From 1105acdcc1ad46c4c632ccf98ef41e8f012baf3d Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Sun, 23 May 2021 14:34:54 +0200 Subject: [PATCH 08/17] Install tmuxp --- tasks/main.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
diff --git a/tasks/main.yml b/tasks/main.yml index 8aa61d3..23bf377 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -58,4 +58,10 @@ - name: Install Ansible pip: name: ansible=={{ ensure_ansible_version }} - when: enable_ansible \ No newline at end of file + when: enable_ansible + +- name: Install tmuxp + pip: + name: + - tmuxp + state: present \ No newline at end of file From 01d8b7e3dcb77c68dbcd7d93cef06e6058f3860d Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Mon, 28 Mar 2022 21:20:13 +0200 Subject: [PATCH 09/17] Python3 for Debian --- tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 7958429..5fda08b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -46,9 +46,9 @@ #update_cache: yes vars: packages: - - python-pip - - python-setuptools - - python-virtualenv + - python3-pip + - python3-setuptools + - python3-virtualenv - apt-transport-https - htop - tmux From 2f9c04c49f099b74d491d0650d7d159fb50a14ab Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Mon, 28 Mar 2022 21:43:19 +0200 Subject: [PATCH 10/17] Adds some meta information --- README.md | 3 ++- meta/main.yml | 10 ++++++---- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index e1d11fe..b96285e 100644 --- a/README.md +++ b/README.md @@ -41,7 +41,8 @@ Example Playbook License ------- -MIT +- BSD-3-Clause +- MIT Author Information ------------------ diff --git a/meta/main.yml b/meta/main.yml index 3a212a9..9b1bb07 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,7 +1,7 @@ galaxy_info: - author: your name - description: your description - company: your company (optional) + author: jotbe + description: Common packages and configuration + company: "" # If the issue tracker for your role is not on github, uncomment the # next line and provide a value 
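Review bot: The new `Install tmuxp` task installs an unpinned package from PyPI on every host, unconditionally and outside the `enable_ansible` gate used by the task directly above it, so the binary that lands on the target depends on what PyPI serves when the play runs. Pin it the way the Ansible install is pinned, for example `name: "tmuxp=={{ tmuxp_version }}"` (a constructed variable name) with a default next to `ensure_ansible_version` in `defaults/main.yml`, and consider an `enable_tmuxp` toggle if not every host needs it. The file still ends with `\ No newline at end of file`.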
@@ -14,7 +14,9 @@ galaxy_info: # - GPL-3.0-only # - Apache-2.0 # - CC-BY-4.0 - license: license (GPL-2.0-or-later, MIT, etc) + license: + - BSD-3-Clause + - MIT min_ansible_version: 2.4 From 1cbbba0dea4492e7623f63e0b75bb426ea50f4f5 Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Mon, 4 Apr 2022 21:31:45 +0200 Subject: [PATCH 11/17] Allows to skip provisioning of the firewall --- README.md | 2 ++ defaults/main.yml | 4 +++- tasks/main.yml | 1 + 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index b96285e..34a797a 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,8 @@ ensure_ansible_version: 2.10.3 enable_sudo: yes # Allow passwordless sudo (applied to group wheel) enable_passwordless_sudo: yes +# Skip provisioning of the firewall +skip_firewall: no ``` Dependencies diff --git a/defaults/main.yml b/defaults/main.yml index fb6f250..f2478f4 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -17,4 +17,6 @@ ensure_ansible_version: 2.10.3 # Allow sudo with a password (applied to group sudo) enable_sudo: yes # Allow passwordless sudo (applied to group wheel) -enable_passwordless_sudo: yes \ No newline at end of file +enable_passwordless_sudo: yes +# Skip provisioning of the firewall +skip_firewall: no \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index 5fda08b..4cd7e7a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -12,6 +12,7 @@ import_role: name: geerlingguy.firewall tags: firewall + when: not skip_firewall - include: locales-debian.yml become: true From 0eb60eb1874783d4f3e1066e795755a8fb03c0f3 Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Mon, 4 Apr 2022 22:05:35 +0200 Subject: [PATCH 12/17] Do not set locales if in chroot environment (localectl not supported in chroot) --- tasks/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 4cd7e7a..8935201 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
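Review bot: `when: not skip_firewall` sits on an `import_role`, where Ansible attaches the condition to every task of the imported role rather than skipping the role once, so the conditional is evaluated, and reported as skipped, per task; `include_role` would skip the whole role in one step if that is the intended behaviour. Because the value may be overridden as a string from inventory, `when: not (skip_firewall | bool)` is the safer form, and `skip_firewall: no` in `defaults/main.yml` should be `false` for the same YAML 1.1 reason as the other toggles. A short comment above the `when`, such as `# skip_firewall leaves the host without the geerlingguy.firewall rules; keep it false unless another firewall is managed elsewhere`, would document the trade-off.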
@@ -16,7 +16,9 @@ - include: locales-debian.yml become: true - when: ansible_facts['os_family'] == 'Debian' + when: + - ansible_facts['os_family'] == 'Debian' + - not ansible_is_chroot - include: users.yml become: true From 0a5f0b7714e50971863388f87f38b7e19075b302 Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Sun, 10 Dec 2023 15:24:17 +0100 Subject: [PATCH 13/17] Adds option to make authorized_keys exclusive (default: false) --- defaults/main.yml | 3 ++- tasks/main.yml | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 108c3d8..395c009 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -11,4 +11,5 @@ users: - vagrant sudoers: - vagrant -ensure_ansible_version: 2.10.3 \ No newline at end of file +ensure_ansible_version: 2.10.3 +authorized_keys_are_exclusive: false # Be careful, this will delete non-Ansible-managed authorized keys from the target! \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index cd239a5..13908de 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -50,6 +50,6 @@ become: yes when: ansible_facts['os_family'] == 'Debian' -- name: Install Ansible - pip: - name: ansible=={{ ensure_ansible_version }} \ No newline at end of file +# - name: Install Ansible +# pip: +# name: ansible=={{ ensure_ansible_version }} \ No newline at end of file From 55fcc318cc06a99b4dde27e9897336776528f99a Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Sun, 10 Dec 2023 15:25:53 +0100 Subject: [PATCH 14/17] Adds option to make authorized_keys exclusive (default: false) --- tasks/users.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/users.yml b/tasks/users.yml index 5c38204..f3a88b9 100644 --- a/tasks/users.yml +++ b/tasks/users.yml 
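Review bot: `- not ansible_is_chroot` assumes the fact was gathered; on a play with `gather_facts: false` or a restricted `gather_subset` the variable is undefined and the conditional errors out instead of skipping the include. `- not (ansible_facts['is_chroot'] | default(false))` keeps the `ansible_facts[...]` style the file already uses on the line above and degrades to "not in a chroot" when the fact is absent. The task also still uses the deprecated `include:` keyword, which `include_tasks:` replaces; that is pre-existing but worth changing while the task is edited.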
@@ -35,8 +35,9 @@ user: "{{ item }}" state: present key: "{{ lookup('file', 'public_keys/id_{{ item }}.pub') }}" + exclusive: "{{ authorized_keys_are_exclusive | bool }}" with_items: "{{ users }}" - ignore_errors: yes + ignore_errors: true - name: 'Ensure that wheel group is existing' group: From 7c6810a9459ab59196779a0e10a6a3178eb7c526 Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Sun, 10 Dec 2023 15:26:25 +0100 Subject: [PATCH 15/17] Adds option to make authorized_keys exclusive (default: false) --- tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 13908de..cd239a5 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -50,6 +50,6 @@ become: yes when: ansible_facts['os_family'] == 'Debian' -# - name: Install Ansible -# pip: -# name: ansible=={{ ensure_ansible_version }} \ No newline at end of file +- name: Install Ansible + pip: + name: ansible=={{ ensure_ansible_version }} \ No newline at end of file From 0a845c7097da023a9296fec098d4f10778cba5d5 Mon Sep 17 00:00:00 2001 From: Jan Beilicke Date: Sun, 10 Dec 2023 15:30:14 +0100 Subject: [PATCH 16/17] Fixes merge conflicts --- defaults/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index f2478f4..d8197fa 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -19,4 +19,5 @@ enable_sudo: yes # Allow passwordless sudo (applied to group wheel) enable_passwordless_sudo: yes # Skip provisioning of the firewall -skip_firewall: no \ No newline at end of file +skip_firewall: no +authorized_keys_are_exclusive: false # Be careful, this will delete non-Ansible-managed authorized keys from the target! From ef9cfb8ced51987b316204d1e3909ae69c05cd03 Mon Sep 17 00:00:00 2001 
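Review bot: `ignore_errors: true` on the `authorized_key` task now silences failures of a task that, once `exclusive` is enabled, can remove every key not present in the user's `public_keys/id_<user>.pub`, so a missing or malformed key file is swallowed instead of stopping the play before an operator is locked out. If the intent is only to tolerate users without a key file, gate the task with a `when` that checks the file exists (a `first_found` lookup with `errors='ignore'` on the key path, as the file already does for sudoers paths) rather than ignoring every error. The same change is repeated in patch 17 (`@@ -44,8 +53,9 @@` of `tasks/users.yml`), so the fix applies there as well.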
From: Jan Beilicke Date: Sun, 10 Dec 2023 15:25:53 +0100 Subject: [PATCH 17/17] Adds option to make authorized_keys exclusive (default: false) --- tasks/users.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/users.yml b/tasks/users.yml index 3789a05..8dfd11a 100644 --- a/tasks/users.yml +++ b/tasks/users.yml @@ -44,8 +44,9 @@ user: "{{ item }}" state: present key: "{{ lookup('file', 'public_keys/id_{{ item }}.pub') }}" + exclusive: "{{ authorized_keys_are_exclusive | bool }}" with_items: "{{ users }}" - ignore_errors: yes + ignore_errors: true - block: - name: 'Ensure that wheel group is existing'