replace sudoers tasks with module (users, sanoid, munin) (#217)

Reviewed-on: #217 Co-authored-by: Michael Grote <michael.grote@posteo.de> Co-committed-by: Michael Grote <michael.grote@posteo.de>
2024-10-23 20:16:30 +02:00 · 2024-10-23 20:16:30 +02:00 · 506fa8da8d
commit 506fa8da8d
parent 7d43294ce8
5 changed files with 27 additions and 36 deletions
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@ -41,7 +41,7 @@ users:
      - ssh
      - sudo
    state: present
-    public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE mg@irantu
+    public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE
    allow_sudo: true
    allow_passwordless_sudo: true
--- a/roles/mgrote_munin_node/tasks/user.yml
+++ b/roles/mgrote_munin_node/tasks/user.yml
@ -14,13 +14,9 @@
    create_home: false
 - name: Ensure user is added to sudoers
-  become: true
+  community.general.sudoers:
-  ansible.builtin.blockinfile:
+    name: "users-sudo-munin"
    path: /etc/sudoers
    state: present
-    block: |
+    user: munin
-      munin ALL=(ALL) NOPASSWD:ALL
+    commands: ALL
-    validate: '/usr/sbin/visudo -cf %s'
+    nopassword: true
    backup: true
    marker_begin: munin-sudoers BEGIN
    marker_end: munin-sudoers END
--- a/roles/mgrote_users/tasks/main.yml
+++ b/roles/mgrote_users/tasks/main.yml
@ -4,6 +4,7 @@
    groups_as_list: "{{ (((item.groups) | list) | sort) | unique }}"
  loop: "{{ users }}"
  when: item.groups is defined
  become: false
  no_log: true
 - name: Ensure groups exist
@ -31,18 +32,18 @@
  ansible.posix.authorized_key:
    user: "{{ item.username }}"
    key: "{{ item.public_ssh_key }}"
-    state: present
+    state: "{{ item.state | default('present') }}"
  when: item.public_ssh_key is defined
  loop: '{{ users }}'
  no_log: true
 - name: Ensure users are added to sudoers
-  ansible.builtin.lineinfile:
+  community.general.sudoers:
-    dest: /etc/sudoers
+    name: "users-sudo-{{ item.username }}"
-    state: present
+    state: "{{ item.state | default('present') }}"
-    regexp: '^{{ item.username }} '
+    user: "{{ item.username }}"
-    line: "{{ item.username }} ALL=(ALL) {{ 'NOPASSWD:' if (item.allow_passwordless_sudo | d(false)) else '' }}ALL"
+    commands: ALL
-    validate: 'visudo -cf %s'
+    nopassword: "{{ item.allow_passwordless_sudo }}"
  when: item.allow_sudo|default(false) and item.allow_sudo is defined
  loop: '{{ users }}'
  when: item.allow_sudo|default(false) and item.allow_sudo is defined
  no_log: true
--- a/roles/mgrote_zfs_sanoid/tasks/destination.yml
+++ b/roles/mgrote_zfs_sanoid/tasks/destination.yml
@ -11,17 +11,14 @@
  when:
    - sanoid_syncoid_destination_host
- name: add user to sudoers
+- name: Ensure user is added to sudoers
  become: true
-  ansible.builtin.blockinfile:
+  community.general.sudoers:
-    path: /etc/sudoers
+    name: "users-sudo-{{ sanoid_user }}"
    state: present
-    block: |
+    user: "{{ sanoid_user }}"
-      {{ sanoid_user }} ALL=(ALL) NOPASSWD:ALL
+    commands: ALL
-    validate: '/usr/sbin/visudo -cf %s'
+    nopassword: true
    backup: true
    marker_begin: sanoid-sudoers BEGIN
    marker_end: sanoid-sudoers END
  when:
    - sanoid_syncoid_destination_host
--- a/roles/mgrote_zfs_sanoid/tasks/source.yml
+++ b/roles/mgrote_zfs_sanoid/tasks/source.yml
@ -8,16 +8,13 @@
  when:
    - sanoid_syncoid_source_host
- name: add user to sudoers
+- name: Ensure user is added to sudoers
  become: true
-  ansible.builtin.blockinfile:
+  community.general.sudoers:
-    path: /etc/sudoers
+    name: "users-sudo-{{ sanoid_user }}"
    state: present
-    block: |
+    user: "{{ sanoid_user }}"
-      {{ sanoid_user }} ALL=(ALL) NOPASSWD:ALL
+    commands: ALL
-    validate: '/usr/sbin/visudo -cf %s'
+    nopassword: true
    backup: true
    marker_begin: sanoid-sudoers BEGIN
    marker_end: sanoid-sudoers END
  when:
    - sanoid_syncoid_source_host