dfgd

roles/mgrote_users/tasks/main.yml

@@ -37,14 +37,31 @@
   loop: '{{ users }}'
   #no_log: true
 
+# teilweiser revert von https://git.mgrote.net/mg/homeserver/commit/506fa8da8d8c4ca74d0d78d044468b991d0d560a
+# das modul hat die Sudoers falsch erstellt:
+# richtig: ansible-user ALL=(ALL) NOPASSWD:ALL
+# falsch: ansible-user ALL=NOPASSWD: ALL
+# damit failed ansible wenn der become_user != ansible-user ist
+# mit Meldung:
+# TASK [geerlingguy.postgresql : Ensure PostgreSQL Python libraries are installed.]
+# fatal: [forgejo.mgrote.net]: FAILED! => {"msg": "Missing sudo password"}
 - name: Ensure users are added to sudoers
   ansible.builtin.blockinfile:
-    create: true # todo extra task fur abbau
+    create: true
     path: "/etc/sudoers.d/users-sudo-{{ item.username }}"
-    state: present
+    state: "{{ item.state | default('present') }}"
     block: |
       {{ item.username }} ALL=(ALL) {{ 'NOPASSWD:' if (item.allow_passwordless_sudo | d(false)) else '' }}ALL
     validate: 'visudo -cf %s'
   loop: '{{ users }}'
   when: item.allow_sudo|default(false) and item.allow_sudo is defined
-  #no_log: true
+  no_log: true
+
+
+- name: Ensure users are removed from sudoers
+  ansible.builtin.file:
+    path: "/etc/sudoers.d/users-sudo-{{ item.username }}"
+    state: "{{ item.state | default('present') }}"
+  loop: '{{ users }}'
+  when: (item.allow_sudo|default(false) and item.allow_sudo is defined) and (item.state == absent)
+  no_log: true