replace sudoers tasks with module (users, sanoid, munin) (#217)

Reviewed-on: #217 Co-authored-by: Michael Grote <michael.grote@posteo.de> Co-committed-by: Michael Grote <michael.grote@posteo.de>
2024-10-23 20:16:30 +02:00 · 2024-10-23 20:16:30 +02:00 · 506fa8da8d
commit 506fa8da8d
parent 7d43294ce8
5 changed files with 27 additions and 36 deletions
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@ -41,7 +41,7 @@ users:
      - ssh
      - sudo
    state: present
-    public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE mg@irantu
+    public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE
    allow_sudo: true
    allow_passwordless_sudo: true

--- a/roles/mgrote_munin_node/tasks/user.yml
+++ b/roles/mgrote_munin_node/tasks/user.yml
@ -14,13 +14,9 @@
    create_home: false

 - name: Ensure user is added to sudoers
-  become: true
-  ansible.builtin.blockinfile:
-    path: /etc/sudoers
+  community.general.sudoers:
+    name: "users-sudo-munin"
    state: present
-    block: |
-      munin ALL=(ALL) NOPASSWD:ALL
-    validate: '/usr/sbin/visudo -cf %s'
-    backup: true
-    marker_begin: munin-sudoers BEGIN
-    marker_end: munin-sudoers END
+    user: munin
+    commands: ALL
+    nopassword: true
--- a/roles/mgrote_users/tasks/main.yml
+++ b/roles/mgrote_users/tasks/main.yml
@ -4,6 +4,7 @@
    groups_as_list: "{{ (((item.groups) | list) | sort) | unique }}"
  loop: "{{ users }}"
  when: item.groups is defined
+  become: false
  no_log: true

 - name: Ensure groups exist
@ -31,18 +32,18 @@
  ansible.posix.authorized_key:
    user: "{{ item.username }}"
    key: "{{ item.public_ssh_key }}"
-    state: present
+    state: "{{ item.state | default('present') }}"
  when: item.public_ssh_key is defined
  loop: '{{ users }}'
  no_log: true

 - name: Ensure users are added to sudoers
-  ansible.builtin.lineinfile:
-    dest: /etc/sudoers
-    state: present
-    regexp: '^{{ item.username }} '
-    line: "{{ item.username }} ALL=(ALL) {{ 'NOPASSWD:' if (item.allow_passwordless_sudo | d(false)) else '' }}ALL"
-    validate: 'visudo -cf %s'
-  when: item.allow_sudo|default(false) and item.allow_sudo is defined
+  community.general.sudoers:
+    name: "users-sudo-{{ item.username }}"
+    state: "{{ item.state | default('present') }}"
+    user: "{{ item.username }}"
+    commands: ALL
+    nopassword: "{{ item.allow_passwordless_sudo }}"
  loop: '{{ users }}'
+  when: item.allow_sudo|default(false) and item.allow_sudo is defined
  no_log: true
--- a/roles/mgrote_zfs_sanoid/tasks/destination.yml
+++ b/roles/mgrote_zfs_sanoid/tasks/destination.yml
@ -11,17 +11,14 @@
  when:
    - sanoid_syncoid_destination_host

- name: add user to sudoers
+- name: Ensure user is added to sudoers
  become: true
-  ansible.builtin.blockinfile:
-    path: /etc/sudoers
+  community.general.sudoers:
+    name: "users-sudo-{{ sanoid_user }}"
    state: present
-    block: |
-      {{ sanoid_user }} ALL=(ALL) NOPASSWD:ALL
-    validate: '/usr/sbin/visudo -cf %s'
-    backup: true
-    marker_begin: sanoid-sudoers BEGIN
-    marker_end: sanoid-sudoers END
+    user: "{{ sanoid_user }}"
+    commands: ALL
+    nopassword: true
  when:
    - sanoid_syncoid_destination_host

--- a/roles/mgrote_zfs_sanoid/tasks/source.yml
+++ b/roles/mgrote_zfs_sanoid/tasks/source.yml
@ -8,16 +8,13 @@
  when:
    - sanoid_syncoid_source_host

- name: add user to sudoers
+- name: Ensure user is added to sudoers
  become: true
-  ansible.builtin.blockinfile:
-    path: /etc/sudoers
+  community.general.sudoers:
+    name: "users-sudo-{{ sanoid_user }}"
    state: present
-    block: |
-      {{ sanoid_user }} ALL=(ALL) NOPASSWD:ALL
-    validate: '/usr/sbin/visudo -cf %s'
-    backup: true
-    marker_begin: sanoid-sudoers BEGIN
-    marker_end: sanoid-sudoers END
+    user: "{{ sanoid_user }}"
+    commands: ALL
+    nopassword: true
  when:
    - sanoid_syncoid_source_host