jotbe/ansible-role-common
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

feature/sudoers_revamp #1

Merged
jotbe merged 2 commits from feature/sudoers_revamp into master 2021-03-27 14:06:20 +01:00
Conversation 0 Commits 2 Files changed 3 +63 -30
3 changed files with 63 additions and 30 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
README.md
View file

@ -22,6 +22,12 @@ users:
- vagrant - vagrant
sudoers: sudoers:
- vagrant - vagrant
# Will install a specific Ansible version on the target host
ensure_ansible_version: 2.10.3
# Allow sudo with a password (applied to group sudo)
enable_sudo: yes
# Allow passwordless sudo (applied to group wheel)
enable_passwordless_sudo: yes
``` ```
Dependencies Dependencies

2
defaults/main.yml
View file

@ -12,3 +12,5 @@ users:
sudoers: sudoers:
- vagrant - vagrant
ensure_ansible_version: 2.10.3 ensure_ansible_version: 2.10.3
enable_sudo: yes
enable_passwordless_sudo: yes

67
tasks/users.yml
View file

@ -5,31 +5,40 @@
- sudo - sudo
when: ansible_facts['os_family'] == 'FreeBSD' when: ansible_facts['os_family'] == 'FreeBSD'
- name: 'Allow wheel group to do passwordless sudo'
lineinfile:
dest: /usr/local/etc/sudoers
state: present
regexp: '^%wheel'
line: '%wheel ALL=(ALL) NOPASSWD:ALL'
validate: visudo -cf %s
when: ansible_facts['os_family'] == 'FreeBSD'
- name: 'Allow wheel group to do passwordless sudo'
lineinfile:
dest: /etc/sudoers
state: present
regexp: '^%wheel'
line: '%wheel ALL=(ALL) NOPASSWD:ALL'
validate: visudo -cf %s
when:
- ansible_facts['os_family'] in ['Debian', 'Archlinux']
- name: 'Create users with corresponding groups' - name: 'Create users with corresponding groups'
user: user:
name: "{{ item }}" name: "{{ item }}"
groups: users groups: users
with_items: "{{ users }}" with_items: "{{ users }}"
- block:
- name: 'Ensure that sudo group is existing'
group:
name: sudo
state: present
- name: 'Allow sudo group to do sudo'
lineinfile:
dest: "{{ lookup('first_found', files, errors='ignore') }}"
state: present
regexp: '^#?\s*%sudo'
line: '%sudo ALL=(ALL) ALL'
validate: visudo -cf %s
vars:
files:
- /etc/sudoers
- /usr/local/etc/sudoers # e.g. FreeBSD
- name: 'Add sudoers user to sudo group'
user:
name: "{{ item }}"
groups: sudo
append: yes
with_items: "{{ sudoers }}"
when:
- enable_sudo
- not enable_passwordless_sudo
- name: 'Add corresponding authorized_keys to each user' - name: 'Add corresponding authorized_keys to each user'
authorized_key: authorized_key:
user: "{{ item }}" user: "{{ item }}"
@ -38,18 +47,34 @@
with_items: "{{ users }}" with_items: "{{ users }}"
ignore_errors: yes ignore_errors: yes
- name: 'Ensure that wheel group is existing' - block:
- name: 'Ensure that wheel group is existing'
group: group:
name: wheel name: wheel
state: present state: present
- name: 'Add sudoers user to wheel group' - name: 'Add sudoers user to wheel group'
user: user:
name: "{{ item }}" name: "{{ item }}"
groups: wheel groups: wheel
append: yes append: yes
with_items: "{{ sudoers }}" with_items: "{{ sudoers }}"
- name: 'Allow wheel group to do passwordless sudo'
lineinfile:
dest: "{{ lookup('first_found', files, errors='ignore') }}"
state: present
regexp: '^%wheel'
line: '%wheel ALL=(ALL) NOPASSWD:ALL'
validate: visudo -cf %s
vars:
files:
- /etc/sudoers
- /usr/local/etc/sudoers # e.g. FreeBSD
when:
- enable_sudo
- enable_passwordless_sudo
- name: Copy tmux config - name: Copy tmux config
copy: copy:
src: files/tmux.conf src: files/tmux.conf