diff --git a/README.md b/README.md
index 6e74940..34a797a 100644
--- a/README.md
+++ b/README.md
@@ -12,16 +12,26 @@ Role Variables
 Defaults:
 ```
-hostname: {{ inventory_hostname }}
-update_hostname: no
+hostname: "{{ inventory_hostname }}"
+update_hostname: yes
 locales_gen:
   - en_US.UTF-8
   - de_DE.UTF-8
 locales_default: de_DE.UTF-8
+x11_keymap: de
 users:
   - vagrant
 sudoers:
   - vagrant
+enable_ansible: no
+# Will install a specific Ansible version on the target host
+ensure_ansible_version: 2.10.3
+# Allow sudo with a password (applied to group sudo)
+enable_sudo: yes
+# Allow passwordless sudo (applied to group wheel)
+enable_passwordless_sudo: yes
+# Skip provisioning of the firewall
+skip_firewall: no
 ```
 Dependencies
@@ -33,7 +43,8 @@ Example Playbook
 License
 -------
-MIT
+- BSD-3-Clause
+- MIT
 Author Information
 ------------------
diff --git a/defaults/main.yml b/defaults/main.yml
index 108c3d8..d8197fa 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,6 +1,6 @@
 ---
 # defaults file for common
-hostname: '{{ inventory_hostname }}'
+hostname: "{{ inventory_hostname }}"
 update_hostname: yes
 locales_gen:
   - en_US.UTF-8
@@ -11,4 +11,13 @@ users:
   - vagrant
 sudoers:
   - vagrant
-ensure_ansible_version: 2.10.3
\ No newline at end of file
+enable_ansible: no
+# Will install a specific Ansible version on the target host
+ensure_ansible_version: 2.10.3
+# Allow sudo with a password (applied to group sudo)
+enable_sudo: yes
+# Allow passwordless sudo (applied to group wheel)
+enable_passwordless_sudo: yes
+# Skip provisioning of the firewall
+skip_firewall: no
+authorized_keys_are_exclusive: false # Be careful, this will delete non-Ansible-managed authorized keys from the target!
diff --git a/meta/main.yml b/meta/main.yml
index 3a212a9..9b1bb07 100644
--- a/meta/main.yml
+++ b/meta/main.yml
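Review bot: `enable_passwordless_sudo: yes` together with `enable_sudo: yes` makes `%wheel ALL=(ALL) NOPASSWD:ALL` the behaviour a host gets when the role is applied with unchanged defaults, so every `sudoers` user is passwordless root unless a playbook remembers to opt out; the safer default is `enable_passwordless_sudo: false` with callers opting in. The new flags are also written as `yes`/`no` while the last added line uses `false` (`authorized_keys_are_exclusive: false`); yamllint's truthy rule and YAML 1.2 parsers treat these differently, so the new keys should be `true`/`false` throughout. The README hunk above duplicates the same defaults and should change in step.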
@@ -1,7 +1,7 @@
 galaxy_info:
-  author: your name
-  description: your description
-  company: your company (optional)
+  author: jotbe
+  description: Common packages and configuration
+  company: ""
 
   # If the issue tracker for your role is not on github, uncomment the
   # next line and provide a value
@@ -14,7 +14,9 @@ galaxy_info:
   # - GPL-3.0-only
   # - Apache-2.0
   # - CC-BY-4.0
-  license: license (GPL-2.0-or-later, MIT, etc)
+  license:
+    - BSD-3-Clause
+    - MIT
 
   min_ansible_version: 2.4
diff --git a/tasks/ansible-debian.yml b/tasks/ansible-debian.yml
index 4182ce1..0be6fde 100644
--- a/tasks/ansible-debian.yml
+++ b/tasks/ansible-debian.yml
@@ -1,4 +1,4 @@
 ---
 - name: Install Ansible
-  raw: which ansible || pip3 install ansible
+  raw: which ansible || python3 -m pip install ansible
   changed_when: false
diff --git a/tasks/main.yml b/tasks/main.yml
index cd239a5..8935201 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -12,10 +12,13 @@
     import_role:
       name: geerlingguy.firewall
     tags: firewall
+    when: not skip_firewall
 
 - include: locales-debian.yml
   become: true
-  when: ansible_facts['os_family'] == 'Debian'
+  when:
+    - ansible_facts['os_family'] == 'Debian'
+    - not ansible_is_chroot
 
 - include: users.yml
   become: true
@@ -28,10 +31,12 @@
     pacman:
       name: "{{ packages }}"
       state: present
-    #update_cache: yes
+    update_cache: yes
   vars:
     packages:
       - python-pip
+      - python-setuptools
+      - python-virtualenv
       - htop
       - tmux
   become: yes
@@ -44,6 +49,9 @@
     #update_cache: yes
   vars:
     packages:
+      - python3-pip
+      - python3-setuptools
+      - python3-virtualenv
       - apt-transport-https
       - htop
       - tmux
@@ -52,4 +60,11 @@
 
 - name: Install Ansible
   pip:
-    name: ansible=={{ ensure_ansible_version }}
\ No newline at end of file
+    name: ansible=={{ ensure_ansible_version }}
+  when: enable_ansible
+
+- name: Install tmuxp
+  pip:
+    name:
+      - tmuxp
+    state: present
diff --git a/tasks/users.yml b/tasks/users.yml
index 5c38204..8dfd11a 100644
--- a/tasks/users.yml
+++ b/tasks/users.yml
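Review bot: The new `raw:` line in tasks/ansible-debian.yml installs whatever `ansible` release the public index serves at run time, unpinned, even though the role already carries `ensure_ansible_version` and tasks/main.yml pins `ansible=={{ ensure_ansible_version }}` for the same purpose; an unpinned bootstrap from PyPI is neither reproducible nor consistent with the rest of the role. Pin it the same way: `raw: which ansible || python3 -m pip install "ansible=={{ ensure_ansible_version }}"`. `changed_when: false` also reports no change when the install does happen; registering the result and deriving `changed_when` from whether `which ansible` succeeded would keep the recap accurate.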
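Review bot: In the first tasks/main.yml hunk the added `- not ansible_is_chroot` reads the fact through the legacy injected variable while the line directly above uses `ansible_facts['os_family']`; when `inject_facts_as_vars` is disabled or facts were not gathered, `ansible_is_chroot` is undefined and the include fails hard instead of being skipped. Use the same form for both conditions: `- not ansible_facts['is_chroot']`. The `when: not skip_firewall` on the `import_role` applies to every task of the imported role, which appears to be the intent here.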
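Review bot: The new `Install tmuxp` task in the last tasks/main.yml hunk pulls the latest `tmuxp` from PyPI unpinned and unconditionally, unlike the Ansible task right above it, which is pinned through `ensure_ansible_version` and gated on `enable_ansible`; an unpinned install from a public index on every run is not reproducible and has no opt-out. Pin it via a role default, e.g. `name: "tmuxp=={{ ensure_tmuxp_version }}"` with `ensure_tmuxp_version: "<pinned version>"` in defaults/main.yml (placeholder), and consider a flag matching `enable_ansible`. Whether the task runs with `become` is not visible in the hunk.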
@@ -5,50 +5,76 @@
     - sudo
   when: ansible_facts['os_family'] == 'FreeBSD'
 
-- name: 'Allow wheel group to do passwordless sudo'
-  lineinfile:
-    dest: /usr/local/etc/sudoers
-    state: present
-    regexp: '^%wheel'
-    line: '%wheel ALL=(ALL) NOPASSWD:ALL'
-    validate: visudo -cf %s
-  when: ansible_facts['os_family'] == 'FreeBSD'
-
-- name: 'Allow wheel group to do passwordless sudo'
-  lineinfile:
-    dest: /etc/sudoers
-    state: present
-    regexp: '^%wheel'
-    line: '%wheel ALL=(ALL) NOPASSWD:ALL'
-    validate: visudo -cf %s
-  when:
-    - ansible_facts['os_family'] in ['Debian', 'Archlinux']
-
 - name: 'Create users with corresponding groups'
   user:
     name: "{{ item }}"
     groups: users
   with_items: "{{ users }}"
 
+- block:
+  - name: 'Ensure that sudo group is existing'
+    group:
+      name: sudo
+      state: present
+
+  - name: 'Allow sudo group to do sudo'
+    lineinfile:
+      dest: "{{ lookup('first_found', files, errors='ignore') }}"
+      state: present
+      regexp: '^#?\s*%sudo'
+      line: '%sudo ALL=(ALL) ALL'
+      validate: visudo -cf %s
+    vars:
+      files:
+        - /etc/sudoers
+        - /usr/local/etc/sudoers # e.g. FreeBSD
+
+  - name: 'Add sudoers user to sudo group'
+    user:
+      name: "{{ item }}"
+      groups: sudo
+      append: yes
+    with_items: "{{ sudoers }}"
+  when:
+    - enable_sudo
+    - not enable_passwordless_sudo
+
 - name: 'Add corresponding authorized_keys to each user'
   authorized_key:
     user: "{{ item }}"
     state: present
     key: "{{ lookup('file', 'public_keys/id_{{ item }}.pub') }}"
+    exclusive: "{{ authorized_keys_are_exclusive | bool }}"
   with_items: "{{ users }}"
-  ignore_errors: yes
+  ignore_errors: true
 
-- name: 'Ensure that wheel group is existing'
-  group:
-    name: wheel
-    state: present
+- block:
+  - name: 'Ensure that wheel group is existing'
+    group:
+      name: wheel
+      state: present
 
-- name: 'Add sudoers user to wheel group'
-  user:
-    name: "{{ item }}"
-    groups: wheel
-    append: yes
-  with_items: "{{ sudoers }}"
+  - name: 'Add sudoers user to wheel group'
+    user:
+      name: "{{ item }}"
+      groups: wheel
+      append: yes
+    with_items: "{{ sudoers }}"
+
+  - name: 'Allow wheel group to do passwordless sudo'
+    lineinfile:
+      dest: "{{ lookup('first_found', files, errors='ignore') }}"
+      state: present
+      regexp: '^%wheel'
+      line: '%wheel ALL=(ALL) NOPASSWD:ALL'
+      validate: visudo -cf %s
+    vars:
+      files:
+        - /etc/sudoers
+        - /usr/local/etc/sudoers # e.g. FreeBSD
+  when:
+    - enable_sudo
+    - enable_passwordless_sudo
 
 - name: Copy tmux config
   copy:
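Review bot: Neither block revokes what the other grants: the `%wheel ALL=(ALL) NOPASSWD:ALL` line is only ever written with `state: present`, so a host once provisioned with `enable_passwordless_sudo: yes` keeps passwordless root after the flag is changed to `no`, because the whole wheel block is then skipped rather than reversed; the `%sudo` line and the group memberships behave the same way. The two sudoers `lineinfile` tasks should run whenever `enable_sudo` is set and derive `state` from the flags, so that toggling converges in both directions; the rewritten wheel task is below and the `%sudo` task mirrors it with the inverted condition. Separately, `lookup('first_found', files, errors='ignore')` evaluates to an empty string when no sudoers file exists, so `dest: ""` makes `lineinfile` fail with an unhelpful error instead of skipping — presumably a guard such as `when: sudoers_path | length > 0` on a path resolved once via `set_fact` is wanted; confirm against the target Ansible version's lookup behaviour.
```yaml
- name: 'Allow wheel group to do passwordless sudo'
  lineinfile:
    dest: "{{ lookup('first_found', files, errors='ignore') }}"
    state: "{{ 'present' if (enable_sudo | bool and enable_passwordless_sudo | bool) else 'absent' }}"
    regexp: '^%wheel'
    line: '%wheel ALL=(ALL) NOPASSWD:ALL'
    validate: visudo -cf %s
  vars:
    files:
      - /etc/sudoers
      - /usr/local/etc/sudoers # e.g. FreeBSD
# … unchanged: the wheel group/user tasks remain in their block guarded by enable_sudo and enable_passwordless_sudo …
```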