diff --git a/roles/mgrote_users/tasks/main.yml b/roles/mgrote_users/tasks/main.yml index 57413067..e98a06d9 100644 --- a/roles/mgrote_users/tasks/main.yml +++ b/roles/mgrote_users/tasks/main.yml @@ -37,14 +37,31 @@ loop: '{{ users }}' #no_log: true +# teilweiser revert von https://git.mgrote.net/mg/homeserver/commit/506fa8da8d8c4ca74d0d78d044468b991d0d560a +# das modul hat die Sudoers falsch erstellt: +# richtig: ansible-user ALL=(ALL) NOPASSWD:ALL +# falsch: ansible-user ALL=NOPASSWD: ALL +# damit failed ansible wenn der become_user != ansible-user ist +# mit Meldung: +# TASK [geerlingguy.postgresql : Ensure PostgreSQL Python libraries are installed.] +# fatal: [forgejo.mgrote.net]: FAILED! => {"msg": "Missing sudo password"} - name: Ensure users are added to sudoers ansible.builtin.blockinfile: - create: true # todo extra task fur abbau + create: true path: "/etc/sudoers.d/users-sudo-{{ item.username }}" - state: present + state: "{{ item.state | default('present') }}" block: | {{ item.username }} ALL=(ALL) {{ 'NOPASSWD:' if (item.allow_passwordless_sudo | d(false)) else '' }}ALL validate: 'visudo -cf %s' loop: '{{ users }}' when: item.allow_sudo|default(false) and item.allow_sudo is defined - #no_log: true + no_log: true + + +- name: Ensure users are removed from sudoers + ansible.builtin.file: + path: "/etc/sudoers.d/users-sudo-{{ item.username }}" + state: "{{ item.state | default('present') }}" + loop: '{{ users }}' + when: (item.allow_sudo|default(false) and item.allow_sudo is defined) and (item.state == absent) + no_log: true
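Review bot: The new "Ensure users are removed from sudoers" task's `when` cannot work as written: `item.state == absent` compares against an undefined Jinja variable `absent` (it needs the string `'absent'`), and `item.state` has no `default`, so the conditional errors for any sudo user whose entry omits `state` instead of skipping. It also only runs for users that still have `allow_sudo: true`, so flipping `allow_sudo` to false leaves `/etc/sudoers.d/users-sudo-<name>` in place and the privilege persists; the removal should key on `state == 'absent' or not allow_sudo`, and `state: absent` can be hardcoded since `present` is not a valid `ansible.builtin.file` state anyway. In the blockinfile task, `create: true` without `owner`/`group`/`mode` leaves a freshly created sudoers.d file with whatever the umask yields, whereas sudo expects `0440` owned by root (unless that is enforced elsewhere in the role, which this hunk does not show). Suggested rewrite of both tasks below; the enclosing task list continues outside the hunk.

```yaml
- name: Ensure users are added to sudoers
  ansible.builtin.blockinfile:
    # … unchanged: create/path/state/block/validate …
    owner: root
    group: root
    mode: "0440"
  # … unchanged: loop/when/no_log …

- name: Ensure users are removed from sudoers
  ansible.builtin.file:
    path: "/etc/sudoers.d/users-sudo-{{ item.username }}"
    state: absent
  loop: '{{ users }}'
  when: >-
    item.state | default('present') == 'absent'
    or not (item.allow_sudo | default(false))
  no_log: true
```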