Adds option to make authorized_keys exclusive (default: false)

README.md

@@ -12,26 +12,16 @@ Role Variables
 Defaults:
 
 ```
-hostname: "{{ inventory_hostname }}"
+hostname: {{ inventory_hostname }}
-update_hostname: yes
+update_hostname: no
 locales_gen:
   - en_US.UTF-8
   - de_DE.UTF-8
 locales_default: de_DE.UTF-8
-x11_keymap: de
 users:
   - vagrant
 sudoers:
   - vagrant
-enable_ansible: no
-# Will install a specific Ansible version on the target host
-ensure_ansible_version: 2.10.3
-# Allow sudo with a password (applied to group sudo)
-enable_sudo: yes
-# Allow passwordless sudo (applied to group wheel)
-enable_passwordless_sudo: yes
-# Skip provisioning of the firewall
-skip_firewall: no
 ```
 
 Dependencies
@@ -43,8 +33,7 @@ Example Playbook
 License
 -------
 
-- BSD-3-Clause
+MIT
-- MIT
 
 Author Information
 ------------------

defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 # defaults file for common
-hostname: "{{ inventory_hostname }}"
+hostname: '{{ inventory_hostname }}'
 update_hostname: yes
 locales_gen:
   - en_US.UTF-8
@@ -11,13 +11,5 @@ users:
   - vagrant
 sudoers:
   - vagrant
-enable_ansible: no
-# Will install a specific Ansible version on the target host
 ensure_ansible_version: 2.10.3
-# Allow sudo with a password (applied to group sudo)
-enable_sudo: yes
-# Allow passwordless sudo (applied to group wheel)
-enable_passwordless_sudo: yes
-# Skip provisioning of the firewall
-skip_firewall: no
 authorized_keys_are_exclusive: false # Be careful, this will delete non-Ansible-managed authorized keys from the target!

meta/main.yml

@@ -1,7 +1,7 @@
 galaxy_info:
-  author: jotbe
+  author: your name
-  description: Common packages and configuration
+  description: your description
-  company: ""
+  company: your company (optional)
 
   # If the issue tracker for your role is not on github, uncomment the
   # next line and provide a value
@@ -14,9 +14,7 @@ galaxy_info:
   # - GPL-3.0-only
   # - Apache-2.0
   # - CC-BY-4.0
-  license:
+  license: license (GPL-2.0-or-later, MIT, etc)
-    - BSD-3-Clause
-    - MIT
 
   min_ansible_version: 2.4
 

tasks/ansible-debian.yml

@@ -1,4 +1,4 @@
 ---
 - name: Install Ansible
-  raw: which ansible || python3 -m pip install ansible
+  raw: which ansible || pip3 install ansible
   changed_when: false

tasks/main.yml

@@ -12,13 +12,10 @@
   import_role:
     name: geerlingguy.firewall
   tags: firewall
-  when: not skip_firewall
 
 - include: locales-debian.yml
   become: true
-  when:
+  when: ansible_facts['os_family'] == 'Debian'
-    - ansible_facts['os_family'] == 'Debian'
-    - not ansible_is_chroot
 
 - include: users.yml
   become: true
@@ -31,12 +28,10 @@
   pacman:
     name: "{{ packages }}"
     state: present
-    update_cache: yes
+    #update_cache: yes
   vars:
     packages:
       - python-pip
-      - python-setuptools
-      - python-virtualenv
       - htop
       - tmux
   become: yes
@@ -49,9 +44,6 @@
     #update_cache: yes
   vars:
     packages:
-      - python3-pip
-      - python3-setuptools
-      - python3-virtualenv
       - apt-transport-https
       - htop
       - tmux
@@ -61,10 +53,3 @@
 - name: Install Ansible
   pip:
     name: ansible=={{ ensure_ansible_version }}
-  when: enable_ansible
-
-- name: Install tmuxp
-  pip:
-    name:
-      - tmuxp
-    state: present

tasks/users.yml

@@ -5,40 +5,31 @@
     - sudo
   when: ansible_facts['os_family'] == 'FreeBSD'
 
+- name: 'Allow wheel group to do passwordless sudo'
+  lineinfile:
+    dest: /usr/local/etc/sudoers
+    state: present
+    regexp: '^%wheel'
+    line: '%wheel ALL=(ALL) NOPASSWD:ALL'
+    validate: visudo -cf %s
+  when: ansible_facts['os_family'] == 'FreeBSD'
+
+- name: 'Allow wheel group to do passwordless sudo'
+  lineinfile:
+    dest: /etc/sudoers
+    state: present
+    regexp: '^%wheel'
+    line: '%wheel ALL=(ALL) NOPASSWD:ALL'
+    validate: visudo -cf %s
+  when:
+    - ansible_facts['os_family'] in ['Debian', 'Archlinux']
+
 - name: 'Create users with corresponding groups'
   user:
     name: "{{ item }}"
     groups: users
   with_items: "{{ users }}"
 
-- block:
-    - name: 'Ensure that sudo group is existing'
-      group:
-        name: sudo
-        state: present
-
-    - name: 'Allow sudo group to do sudo'
-      lineinfile:
-        dest: "{{ lookup('first_found', files, errors='ignore') }}"
-        state: present
-        regexp: '^#?\s*%sudo'
-        line: '%sudo   ALL=(ALL) ALL'
-        validate: visudo -cf %s
-      vars:
-        files:
-          - /etc/sudoers
-          - /usr/local/etc/sudoers # e.g. FreeBSD
-
-    - name: 'Add sudoers user to sudo group'
-      user:
-        name: "{{ item }}"
-        groups: sudo
-        append: yes
-      with_items: "{{ sudoers }}"
-  when:
-    - enable_sudo
-    - not enable_passwordless_sudo
-
 - name: 'Add corresponding authorized_keys to each user'
   authorized_key:
     user: "{{ item }}"
@@ -48,34 +39,18 @@
   with_items: "{{ users }}"
   ignore_errors: true
 
-- block:
+- name: 'Ensure that wheel group is existing'
-    - name: 'Ensure that wheel group is existing'
   group:
     name: wheel
     state: present
 
-    - name: 'Add sudoers user to wheel group'
+- name: 'Add sudoers user to wheel group'
   user:
     name: "{{ item }}"
     groups: wheel
     append: yes
   with_items: "{{ sudoers }}"
 
-    - name: 'Allow wheel group to do passwordless sudo'
-      lineinfile:
-        dest: "{{ lookup('first_found', files, errors='ignore') }}"
-        state: present
-        regexp: '^%wheel'
-        line: '%wheel ALL=(ALL) NOPASSWD:ALL'
-        validate: visudo -cf %s
-      vars:
-        files:
-          - /etc/sudoers
-          - /usr/local/etc/sudoers # e.g. FreeBSD
-  when:
-    - enable_sudo
-    - enable_passwordless_sudo
-
 - name: Copy tmux config
   copy:
     src: files/tmux.conf