munin: erstelle user in Rolle (#295)

Co-authored-by: Michael Grote <michael.grote@posteo.de>
Reviewed-on: mg/ansible#295
Co-authored-by: mg <michael.grote@posteo.de>
Co-committed-by: mg <michael.grote@posteo.de>

group_vars/all.yml

@@ -16,14 +16,6 @@
       public_ssh_key: "{{ ssh_public_key_mg }}"
       allow_sudo: true
       allow_passwordless_sudo: true
-    - username: munin
-      password: "{{ lookup('keepass', 'munin_linux_password_hash', 'password') }}"
-      update_password: on_create
-      groups: root
-      state: present
-      public_ssh_key: "{{ ssh_public_key_mg }}"
-      allow_sudo: true
-      allow_passwordless_sudo: true
     - username: ansible-user
       password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}"
       update_password: on_create

group_vars/docker.yml

@@ -9,14 +9,6 @@
       public_ssh_key: "{{ ssh_public_key_mg }}"
       allow_sudo: true
       allow_passwordless_sudo: true
-    - username: munin
-      password: "{{ lookup('keepass', 'munin_linux_password_hash', 'password') }}"
-      update_password: on_create
-      groups: root, docker
-      state: present
-      public_ssh_key: "{{ ssh_public_key_mg }}"
-      allow_sudo: true
-      allow_passwordless_sudo: true
     - username: ansible-user
       password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}"
       update_password: on_create

group_vars/proxmox.yml

@@ -16,14 +16,6 @@
       public_ssh_key: "{{ ssh_public_key_mg }}"
       allow_sudo: true
       allow_passwordless_sudo: true
-    - username: munin
-      password: "{{ lookup('keepass', 'munin_linux_password_hash', 'password') }}"
-      update_password: on_create
-      groups: root
-      state: present
-      public_ssh_key: "{{ ssh_public_key_mg }}"
-      allow_sudo: true
-      allow_passwordless_sudo: true
     - username: ansible-user
       password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}"
       update_password: on_create

group_vars/proxmoxtest.yml

@@ -20,14 +20,6 @@
       public_ssh_key: "{{ ssh_public_key_mg }}"
       allow_sudo: true
       allow_passwordless_sudo: true
-    - username: munin
-      password: "{{ lookup('keepass', 'munin_linux_password_hash', 'password') }}"
-      update_password: on_create
-      groups: root
-      state: present
-      public_ssh_key: "{{ ssh_public_key_mg }}"
-      allow_sudo: true
-      allow_passwordless_sudo: true
     - username: ansible-user
       password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}"
       update_password: on_create

host_vars/bastelstube-gui.grote.lan.yml

@@ -26,14 +26,6 @@
       public_ssh_key: "{{ ssh_public_key_mg }}"
       allow_sudo: true
       allow_passwordless_sudo: true
-    - username: munin
-      password: "{{ lookup('keepass', 'munin_linux_password_hash', 'password') }}"
-      update_password: on_create
-      groups: root
-      state: present
-      public_ssh_key: "{{ ssh_public_key_mg }}"
-      allow_sudo: true
-      allow_passwordless_sudo: true
     - username: ansible-user
       password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}"
       update_password: on_create

playbooks/0_setup.yml

@@ -1,5 +0,0 @@
----
-  - import_playbook: 1_bootstrap.yml
-  - import_playbook: base/apt_sources.yml
-  - import_playbook: 4_update_packages.yml
-  - import_playbook: 2_all.yml

playbooks/1_bootstrap.yml

@@ -7,6 +7,8 @@
       - { role: mgrote.users, tags: "user", become: yes}
       - { role: mgrote.r8152_kernel_module }
       - { role: mgrote.qemu_guest_agent }
+      - { role: mgrote.apt_manage_sources, tags: "apt_sources" }
+      - { role: mgrote.apt_update_packages, tags: "updates"}
     post_tasks:
       - name: Change user password
         become: true
@@ -15,6 +17,7 @@
           update_password: always
           password: "{{ lookup('keepass', 'mg_linux_password_hash', 'password') }}"
 
+
     vars:
       ### reobertdebock.bootstrap
       bootstrap_user: mg

playbooks/2_all.yml

@@ -15,3 +15,4 @@
   - import_playbook: base/monitoring.yml
   - import_playbook: base/remove_snapd.yml
   - import_playbook: base/unattended_upgrades.yml
+  - import_playbook: base/update_packages.yml

roles/mgrote.munin-node/defaults/main.yml

@@ -1,4 +1,5 @@
 ---
+  munin_user_group: root # group to which the user belongs
   munin_node_log: /var/log/munin/munin-node.log
   munin_node_pid: /var/run/munin/munin-node.pid
   munin_node_plugin_timeout: 60 # in sec

roles/mgrote.munin-node/tasks/main.yml

@@ -1,6 +1,8 @@
 ---
   - name: include install-tasks
     include_tasks: install.yml
+  - name: include user tasks
+    include_tasks: user.yml
   - name: include plugin-tasks
     include_tasks: additional.yml
     when: munin_node_plugins is defined

roles/mgrote.munin-node/tasks/user.yml

@@ -0,0 +1,26 @@
+---
+  - name: ensure group exists
+    become: true
+    ansible.builtin.group:
+      name: "{{ munin_user_group }}"
+      state: present
+
+  - name: ensure user exists
+    become: true
+    ansible.builtin.user:
+      name: munin
+      group: "{{ munin_user_group }}"
+      shell: /usr/sbin/nologin
+      create_home: no
+
+  - name: add user to sudoers
+    become: true
+    ansible.builtin.blockinfile:
+      path: /etc/sudoers
+      state: present
+      block:  |
+        munin ALL=(ALL) NOPASSWD:ALL
+      validate: '/usr/sbin/visudo -cf %s'
+      backup: yes
+      marker_begin: munin-sudoers BEGIN
+      marker_end: munin-sudoers END