Adds option to make authorized_keys exclusive (default: false)

Fixed accidental change of default update_hostname behaviour

Makes installation of Ansible optional (default: no) and installs additional python libraries

Co-authored-by: Jan Beilicke <dev@jotbe.io>

README.md

@@ -12,16 +12,26 @@ Role Variables
 Defaults:
 
 ```
-hostname: {{ inventory_hostname }}
+hostname: "{{ inventory_hostname }}"
-update_hostname: no
+update_hostname: yes
 locales_gen:
   - en_US.UTF-8
   - de_DE.UTF-8
 locales_default: de_DE.UTF-8
+x11_keymap: de
 users:
   - vagrant
 sudoers:
   - vagrant
+enable_ansible: no
+# Will install a specific Ansible version on the target host
+ensure_ansible_version: 2.10.3
+# Allow sudo with a password (applied to group sudo)
+enable_sudo: yes
+# Allow passwordless sudo (applied to group wheel)
+enable_passwordless_sudo: yes
+# Skip provisioning of the firewall
+skip_firewall: no
 ```
 
 Dependencies
@@ -33,7 +43,8 @@ Example Playbook
 License
 -------
 
-MIT
+- BSD-3-Clause
+- MIT
 
 Author Information
 ------------------

defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 # defaults file for common
-hostname: '{{ inventory_hostname }}'
+hostname: "{{ inventory_hostname }}"
 update_hostname: yes
 locales_gen:
   - en_US.UTF-8
@@ -11,4 +11,13 @@ users:
   - vagrant
 sudoers:
   - vagrant
+enable_ansible: no
+# Will install a specific Ansible version on the target host
 ensure_ansible_version: 2.10.3
+# Allow sudo with a password (applied to group sudo)
+enable_sudo: yes
+# Allow passwordless sudo (applied to group wheel)
+enable_passwordless_sudo: yes
+# Skip provisioning of the firewall
+skip_firewall: no
+authorized_keys_are_exclusive: false # Be careful, this will delete non-Ansible-managed authorized keys from the target!

meta/main.yml

@@ -1,7 +1,7 @@
 galaxy_info:
-  author: your name
+  author: jotbe
-  description: your description
+  description: Common packages and configuration
-  company: your company (optional)
+  company: ""
 
   # If the issue tracker for your role is not on github, uncomment the
   # next line and provide a value
@@ -14,7 +14,9 @@ galaxy_info:
   # - GPL-3.0-only
   # - Apache-2.0
   # - CC-BY-4.0
-  license: license (GPL-2.0-or-later, MIT, etc)
+  license:
+    - BSD-3-Clause
+    - MIT
 
   min_ansible_version: 2.4
 

tasks/ansible-debian.yml

@@ -1,4 +1,4 @@
 ---
 - name: Install Ansible
-  raw: which ansible || pip3 install ansible
+  raw: which ansible || python3 -m pip install ansible
   changed_when: false

tasks/main.yml

@@ -12,10 +12,13 @@
   import_role:
     name: geerlingguy.firewall
   tags: firewall
+  when: not skip_firewall
 
 - include: locales-debian.yml
   become: true
-  when: ansible_facts['os_family'] == 'Debian'
+  when:
+    - ansible_facts['os_family'] == 'Debian'
+    - not ansible_is_chroot
 
 - include: users.yml
   become: true
@@ -28,10 +31,12 @@
   pacman:
     name: "{{ packages }}"
     state: present
-    #update_cache: yes
+    update_cache: yes
   vars:
     packages:
       - python-pip
+      - python-setuptools
+      - python-virtualenv
       - htop
       - tmux
   become: yes
@@ -44,6 +49,9 @@
     #update_cache: yes
   vars:
     packages:
+      - python3-pip
+      - python3-setuptools
+      - python3-virtualenv
       - apt-transport-https
       - htop
       - tmux
@@ -53,3 +61,10 @@
 - name: Install Ansible
   pip:
     name: ansible=={{ ensure_ansible_version }}
+  when: enable_ansible
+
+- name: Install tmuxp
+  pip:
+    name:
+      - tmuxp
+    state: present

tasks/users.yml

@@ -5,51 +5,77 @@
     - sudo
   when: ansible_facts['os_family'] == 'FreeBSD'
 
-- name: 'Allow wheel group to do passwordless sudo'
-  lineinfile:
-    dest: /usr/local/etc/sudoers
-    state: present
-    regexp: '^%wheel'
-    line: '%wheel ALL=(ALL) NOPASSWD:ALL'
-    validate: visudo -cf %s
-  when: ansible_facts['os_family'] == 'FreeBSD'
-
-- name: 'Allow wheel group to do passwordless sudo'
-  lineinfile:
-    dest: /etc/sudoers
-    state: present
-    regexp: '^%wheel'
-    line: '%wheel ALL=(ALL) NOPASSWD:ALL'
-    validate: visudo -cf %s
-  when:
-    - ansible_facts['os_family'] in ['Debian', 'Archlinux']
-
 - name: 'Create users with corresponding groups'
   user:
     name: "{{ item }}"
     groups: users
   with_items: "{{ users }}"
 
+- block:
+    - name: 'Ensure that sudo group is existing'
+      group:
+        name: sudo
+        state: present
+
+    - name: 'Allow sudo group to do sudo'
+      lineinfile:
+        dest: "{{ lookup('first_found', files, errors='ignore') }}"
+        state: present
+        regexp: '^#?\s*%sudo'
+        line: '%sudo   ALL=(ALL) ALL'
+        validate: visudo -cf %s
+      vars:
+        files:
+          - /etc/sudoers
+          - /usr/local/etc/sudoers # e.g. FreeBSD
+
+    - name: 'Add sudoers user to sudo group'
+      user:
+        name: "{{ item }}"
+        groups: sudo
+        append: yes
+      with_items: "{{ sudoers }}"
+  when:
+    - enable_sudo
+    - not enable_passwordless_sudo
+
 - name: 'Add corresponding authorized_keys to each user'
   authorized_key:
     user: "{{ item }}"
     state: present
     key: "{{ lookup('file', 'public_keys/id_{{ item }}.pub') }}"
+    exclusive: "{{ authorized_keys_are_exclusive | bool }}"
   with_items: "{{ users }}"
-  ignore_errors: yes
+  ignore_errors: true
 
-- name: 'Ensure that wheel group is existing'
+- block:
+    - name: 'Ensure that wheel group is existing'
       group:
         name: wheel
         state: present
 
-- name: 'Add sudoers user to wheel group'
+    - name: 'Add sudoers user to wheel group'
       user:
         name: "{{ item }}"
         groups: wheel
         append: yes
       with_items: "{{ sudoers }}"
 
+    - name: 'Allow wheel group to do passwordless sudo'
+      lineinfile:
+        dest: "{{ lookup('first_found', files, errors='ignore') }}"
+        state: present
+        regexp: '^%wheel'
+        line: '%wheel ALL=(ALL) NOPASSWD:ALL'
+        validate: visudo -cf %s
+      vars:
+        files:
+          - /etc/sudoers
+          - /usr/local/etc/sudoers # e.g. FreeBSD
+  when:
+    - enable_sudo
+    - enable_passwordless_sudo
+
 - name: Copy tmux config
   copy:
     src: files/tmux.conf