From 6562f19bd9bf187f1944825be4d846c1390cf468 Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 20:27:03 +0200 Subject: [PATCH 01/32] dfg --- roles/mgrote_user_setup/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mgrote_user_setup/tasks/main.yml b/roles/mgrote_user_setup/tasks/main.yml index c0995f31..1972a747 100644 --- a/roles/mgrote_user_setup/tasks/main.yml +++ b/roles/mgrote_user_setup/tasks/main.yml @@ -13,7 +13,7 @@ - name: Ensure dotfiles-repository is cloned # noqa latest[git] become: true - become_user: "{{ item.user }}" + # become_user: "{{ item.user }}" ansible.builtin.git: repo: "{{ dotfiles_repo_url }}" dest: "{{ item.home }}/dotfiles" -- 2.43.0 From 410088295c0aac47716cd08c9e036fab800e5548 Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 20:30:23 +0200 Subject: [PATCH 02/32] dsfg --- roles/mgrote_user_setup/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/mgrote_user_setup/tasks/main.yml b/roles/mgrote_user_setup/tasks/main.yml index 1972a747..5bdd59ae 100644 --- a/roles/mgrote_user_setup/tasks/main.yml +++ b/roles/mgrote_user_setup/tasks/main.yml @@ -110,7 +110,6 @@ - name: Ensure vundle-repository is cloned become: true - become_user: "{{ item.user }}" ansible.builtin.git: repo: "{{ dotfiles_vim_vundle_repo_url }}" dest: "{{ item.home }}/.vim/bundle/Vundle.vim" -- 2.43.0 From 620c55124d0403eb7b194e378c1e34c6d12ea494 Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 21:07:20 +0200 Subject: [PATCH 03/32] dfgg --- playbooks/3_service/git.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/playbooks/3_service/git.yml b/playbooks/3_service/git.yml index 86582928..7f31daab 100644 --- a/playbooks/3_service/git.yml +++ b/playbooks/3_service/git.yml 
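Review bot: Dropping `become_user: "{{ item.user }}"` while `become: true` stays means both `ansible.builtin.git` clones (`{{ item.home }}/dotfiles` in the first hunk, `{{ item.home }}/.vim/bundle/Vundle.vim` in the second) now run as root and leave root-owned checkouts inside the user's home. The user can no longer pull or edit them, and recent git versions refuse to operate on a repository owned by another uid ("dubious ownership") unless `safe.directory` is set. If the motivation is the sudo runas failure, fix the sudoers rule so `sudo -u <user>` is permitted and keep the clones running as the target user; anything already cloned as root should be chowned back with `ansible.builtin.file: owner: "{{ item.user }}" recurse: true`.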
@@ -2,7 +2,11 @@ - hosts: git roles: - role: geerlingguy.postgresql - tags: "db" + tags: + - db + - postgres + - psql + - postgresql become: true - role: roles-ansible.gitea tags: "gitea" -- 2.43.0 From 80f96919403401ae6742ff83336d223382c97873 Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 21:08:20 +0200 Subject: [PATCH 04/32] dfgdsf --- group_vars/git.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/git.yml b/group_vars/git.yml index aaadf0b9..d5b7e1a0 100644 --- a/group_vars/git.yml +++ b/group_vars/git.yml @@ -29,6 +29,8 @@ postgresql_users: - name: "{{ gitea_db_user }}" password: "{{ gitea_db_password }}" +postgres_users_no_log: false + ### oefenweb.ufw ufw_rules: - rule: allow -- 2.43.0 From f6513024f66eb9deac0d65a4b62523884b986098 Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 21:10:43 +0200 Subject: [PATCH 05/32] sdfgdf --- group_vars/git.yml | 34 +++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/group_vars/git.yml b/group_vars/git.yml index d5b7e1a0..1fc3b636 100644 --- a/group_vars/git.yml +++ b/group_vars/git.yml 
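Review bot: `postgres_users_no_log: false` in committed `group_vars/git.yml` switches off the role's log suppression for the task that sets `gitea_db_password`, so the cleartext database password is echoed into the play output and into any log or CI capture for as long as the variable stays in the repository. For a one-off debugging run pass it on the command line instead, `ansible-playbook … -e postgres_users_no_log=false`, so nothing has to be committed and later remembered for reverting. The follow-up patch tags it `# TODO wieder weg`, which confirms it was never meant to persist; any run output produced while it was set should be treated as having exposed that password.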
@@ -22,6 +22,38 @@ apt_packages_extra: ### mgrote_restic restic_folders_to_backup: "/usr/local /etc /root /home {{ gitea_home }}" +### mgrote_user +users: + - username: mg + password: "{{ lookup('viczem.keepass.keepass', 'mg_linux_password_hash', 'password') }}" + update_password: always + groups: + - ssh + - sudo + state: present + public_ssh_key: "{{ ssh_public_key_mg }}" + allow_sudo: true + allow_passwordless_sudo: true + - username: ansible-user + password: "{{ lookup('viczem.keepass.keepass', 'ansible_user_linux_password_hash', 'password') }}" + update_password: always + groups: + - ssh + - sudo + state: present + public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE + allow_sudo: true + allow_passwordless_sudo: true + - username: "{{ gitea_db_user }}" + password: "{{ gitea_db_password }}" + update_password: always + groups: + - ssh + - sudo + state: present +# allow_sudo: true +# allow_passwordless_sudo: true + ### geerlingguy_postgres postgresql_databases: - name: "{{ gitea_db_name }}" @@ -29,7 +61,7 @@ postgresql_users: - name: "{{ gitea_db_user }}" password: "{{ gitea_db_password }}" -postgres_users_no_log: false +postgres_users_no_log: false # TODO wieder weg ### oefenweb.ufw ufw_rules: -- 2.43.0 From 36c351433685308b2d2482d58b931db739f89d92 Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 21:12:58 +0200 Subject: [PATCH 06/32] dsfg --- group_vars/git.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/git.yml b/group_vars/git.yml index 1fc3b636..b9aaab2b 100644 --- a/group_vars/git.yml +++ b/group_vars/git.yml @@ -51,8 +51,8 @@ users: - ssh - sudo state: present -# allow_sudo: true -# allow_passwordless_sudo: true + allow_sudo: true + allow_passwordless_sudo: true ### geerlingguy_postgres postgresql_databases: -- 2.43.0 From 2c4b98c1cc630aa6d8eab5b6f5100d37d7e7b44f Mon Sep 17 00:00:00 2001 
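Review bot: The new `{{ gitea_db_user }}` entry turns the database service account into an interactive Linux login with `ssh` and `sudo` group membership, and after the second hunk uncomments `allow_sudo`/`allow_passwordless_sudo` it gets NOPASSWD root as well. Its `password` is `{{ gitea_db_password }}` — the cleartext DB secret — whereas the `mg` and `ansible-user` entries pass `*_linux_password_hash` values; the user module (presumably what the role calls, given the `createhome` argument seen later in this series) writes that field verbatim into /etc/shadow, so the database password ends up in the shadow file as an unusable "hash". If this account only needs to exist as a `become_user` target, it should not be in `users` at all, and an OS account for a database role should never carry sudo; a reviewer would drop the entry rather than comment out the sudo flags. Inlining the ansible-user public key is harmless (public material), but a variable next to `ssh_public_key_mg` would keep the keys in one place.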
From: Michael Grote Date: Wed, 23 Oct 2024 21:23:39 +0200 Subject: [PATCH 07/32] dsfg --- group_vars/git.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/group_vars/git.yml b/group_vars/git.yml index b9aaab2b..2d255e9c 100644 --- a/group_vars/git.yml +++ b/group_vars/git.yml @@ -44,13 +44,22 @@ users: public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE allow_sudo: true allow_passwordless_sudo: true - - username: "{{ gitea_db_user }}" + - username: "{{ gitea_db_user }}" # wieder weg password: "{{ gitea_db_password }}" update_password: always groups: - ssh - sudo - state: present + state: absent + allow_sudo: true + allow_passwordless_sudo: true + - username: postgres + password: postgres + update_password: always + groups: + - ssh + - sudo + state: absent allow_sudo: true allow_passwordless_sudo: true -- 2.43.0 From 700d7f6492c39d772005725892885de1b097f057 Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 21:24:24 +0200 Subject: [PATCH 08/32] dsfg --- roles/mgrote_users/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/mgrote_users/tasks/main.yml b/roles/mgrote_users/tasks/main.yml index 797d8e55..4b40e8fb 100644 --- a/roles/mgrote_users/tasks/main.yml +++ b/roles/mgrote_users/tasks/main.yml @@ -26,7 +26,7 @@ createhome: "{{ item.createhome | default('yes') }}" state: "{{ item.state | default('present') }}" loop: '{{ users }}' - no_log: true + #no_log: true - name: Ensure user ssh-keys exist ansible.posix.authorized_key: @@ -35,7 +35,7 @@ state: "{{ item.state | default('present') }}" when: item.public_ssh_key is defined loop: '{{ users }}' - no_log: true + #no_log: true - name: Ensure users are added to sudoers community.general.sudoers: 
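Review bot: `password: postgres` is a cleartext literal for a system account committed to group_vars; `state: absent` makes it inert for now, but the entry also carries `update_password: always`, `ssh`/`sudo` groups and `allow_passwordless_sudo: true`, so a later flip to `present` hands the `postgres` account ssh login and NOPASSWD root behind a guessable password. Since the `password` field elsewhere in this list is a crypt hash from the keepass lookup, use `lookup('viczem.keepass.keepass', 'postgres_linux_password_hash', 'password')` here too, and do not give the database daemon's account sudo at all. The `#no_log: true` lines commented out in the second diff of this line mean every loop item — including the password hashes — is printed in the run output until they are restored.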
@@ -46,4 +46,4 @@ nopassword: "{{ item.allow_passwordless_sudo }}" loop: '{{ users }}' when: item.allow_sudo|default(false) and item.allow_sudo is defined - no_log: true + #no_log: true -- 2.43.0 From 1638c87836efbae26904cfb057b4d9d9f6225ebc Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 21:25:09 +0200 Subject: [PATCH 09/32] dsfg --- group_vars/git.yml | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/group_vars/git.yml b/group_vars/git.yml index 2d255e9c..47d28736 100644 --- a/group_vars/git.yml +++ b/group_vars/git.yml @@ -44,22 +44,13 @@ users: public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE allow_sudo: true allow_passwordless_sudo: true - - username: "{{ gitea_db_user }}" # wieder weg - password: "{{ gitea_db_password }}" - update_password: always - groups: - - ssh - - sudo - state: absent - allow_sudo: true - allow_passwordless_sudo: true - username: postgres password: postgres update_password: always groups: - ssh - sudo - state: absent + state: present allow_sudo: true allow_passwordless_sudo: true -- 2.43.0 From ffa9f9d033ab4ab13832ada508d8f48f9143c54d Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 21:25:50 +0200 Subject: [PATCH 10/32] sdfgsdfg --- group_vars/git.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/git.yml b/group_vars/git.yml index 47d28736..c6db17ce 100644 --- a/group_vars/git.yml +++ b/group_vars/git.yml @@ -45,7 +45,7 @@ users: allow_sudo: true allow_passwordless_sudo: true - username: postgres - password: postgres + password: "$6$ThboZY/siUzHZqSx$vhHAQ3EsJyXgkLyk2P8V3.H2fs4Vhh4heJxJNC/6qH5FJIGDCjrle3XcHaJk8tQoXwLpxy.Guc3jkXjqxVGJg." update_password: always groups: - ssh -- 2.43.0 From 65c7739f718c9fb321c496afb7f81e75ce1126c7 Mon Sep 17 00:00:00 2001 
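Review bot: PATCH 10 swaps the literal `postgres` for a SHA-512 crypt hash, but the hash is committed unencrypted in `group_vars/git.yml` (git history keeps it even after a later removal) and the same entry, now `state: present` via PATCH 09, grants the `postgres` system account ssh login, `sudo` membership and `allow_passwordless_sudo: true`. A `$6$` hash of a short password is crackable offline, so that password should be considered burned and rotated wherever it was used, and the hash kept behind the keepass lookup like the other two users: `password: "{{ lookup('viczem.keepass.keepass', 'postgres_linux_password_hash', 'password') }}"`. A database daemon account with passwordless root and ssh access is also the opposite of least privilege; if the goal is `become_user: postgres`, that needs a runas spec in the operator's sudoers rule, not privileges on the target account.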
From: Michael Grote Date: Wed, 23 Oct 2024 21:29:17 +0200 Subject: [PATCH 11/32] sdfg --- group_vars/git.yml | 32 -------------------------------- 1 file changed, 32 deletions(-) diff --git a/group_vars/git.yml b/group_vars/git.yml index c6db17ce..33aa08af 100644 --- a/group_vars/git.yml +++ b/group_vars/git.yml @@ -22,38 +22,6 @@ apt_packages_extra: ### mgrote_restic restic_folders_to_backup: "/usr/local /etc /root /home {{ gitea_home }}" -### mgrote_user -users: - - username: mg - password: "{{ lookup('viczem.keepass.keepass', 'mg_linux_password_hash', 'password') }}" - update_password: always - groups: - - ssh - - sudo - state: present - public_ssh_key: "{{ ssh_public_key_mg }}" - allow_sudo: true - allow_passwordless_sudo: true - - username: ansible-user - password: "{{ lookup('viczem.keepass.keepass', 'ansible_user_linux_password_hash', 'password') }}" - update_password: always - groups: - - ssh - - sudo - state: present - public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE - allow_sudo: true - allow_passwordless_sudo: true - - username: postgres - password: "$6$ThboZY/siUzHZqSx$vhHAQ3EsJyXgkLyk2P8V3.H2fs4Vhh4heJxJNC/6qH5FJIGDCjrle3XcHaJk8tQoXwLpxy.Guc3jkXjqxVGJg." - update_password: always - groups: - - ssh - - sudo - state: present - allow_sudo: true - allow_passwordless_sudo: true - ### geerlingguy_postgres postgresql_databases: - name: "{{ gitea_db_name }}" -- 2.43.0 From e1fce955e41418507bf9cf66f805b53c23ca67d9 Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 21:39:46 +0200 Subject: [PATCH 12/32] df --- roles/mgrote_users/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mgrote_users/tasks/main.yml b/roles/mgrote_users/tasks/main.yml index 4b40e8fb..0e035719 100644 --- a/roles/mgrote_users/tasks/main.yml +++ b/roles/mgrote_users/tasks/main.yml 
@@ -42,7 +42,7 @@ name: "users-sudo-{{ item.username }}" state: "{{ item.state | default('present') }}" user: "{{ item.username }}" - commands: ALL + commands: ALL=(ALL) nopassword: "{{ item.allow_passwordless_sudo }}" loop: '{{ users }}' when: item.allow_sudo|default(false) and item.allow_sudo is defined -- 2.43.0 From 69b7938e31f6946a9a26a1b9f2c479367b6050d1 Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 21:40:19 +0200 Subject: [PATCH 13/32] df --- roles/mgrote_users/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mgrote_users/tasks/main.yml b/roles/mgrote_users/tasks/main.yml index 0e035719..0ec2843e 100644 --- a/roles/mgrote_users/tasks/main.yml +++ b/roles/mgrote_users/tasks/main.yml @@ -42,7 +42,7 @@ name: "users-sudo-{{ item.username }}" state: "{{ item.state | default('present') }}" user: "{{ item.username }}" - commands: ALL=(ALL) + commands: "ALL=(ALL)" nopassword: "{{ item.allow_passwordless_sudo }}" loop: '{{ users }}' when: item.allow_sudo|default(false) and item.allow_sudo is defined -- 2.43.0 From 47ed42905acf33ead73a9dbecc3109ec17374f10 Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 21:41:00 +0200 Subject: [PATCH 14/32] dfg --- roles/mgrote_users/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/mgrote_users/tasks/main.yml b/roles/mgrote_users/tasks/main.yml index 0ec2843e..8e9aeaa2 100644 --- a/roles/mgrote_users/tasks/main.yml +++ b/roles/mgrote_users/tasks/main.yml @@ -44,6 +44,7 @@ user: "{{ item.username }}" commands: "ALL=(ALL)" nopassword: "{{ item.allow_passwordless_sudo }}" + validation: absent #todo loop: '{{ users }}' when: item.allow_sudo|default(false) and item.allow_sudo is defined #no_log: true -- 2.43.0 From eecf4f5448037457314516ee2a97cd9b0a7c9dd3 Mon Sep 17 00:00:00 2001 
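Review bot: `validation: absent` in the third hunk turns off the `visudo -c` check that `community.general.sudoers` runs before installing the drop-in; a rule sudo cannot parse in /etc/sudoers.d makes sudo refuse to run for every account on the host, which is exactly the risk while experimenting with `commands: "ALL=(ALL)"`. The runas spec does not belong in `commands` — the module emits that value as the command list, so the resulting line reads roughly `user ALL=NOPASSWD: ALL=(ALL)`, which is what validation exists to catch. If the installed community.general is 4.7.0 or newer, its `runas: "ALL"` option (if I recall the module's option set correctly) produces the `(ALL)` runas spec the later comment asks for; in any case keep validation enabled and drop the `#todo`.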
From: Michael Grote Date: Wed, 23 Oct 2024 21:41:54 +0200 Subject: [PATCH 15/32] dfg --- roles/mgrote_users/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/mgrote_users/tasks/main.yml b/roles/mgrote_users/tasks/main.yml index 8e9aeaa2..fc1f905b 100644 --- a/roles/mgrote_users/tasks/main.yml +++ b/roles/mgrote_users/tasks/main.yml @@ -42,9 +42,9 @@ name: "users-sudo-{{ item.username }}" state: "{{ item.state | default('present') }}" user: "{{ item.username }}" - commands: "ALL=(ALL)" + commands: ALL nopassword: "{{ item.allow_passwordless_sudo }}" - validation: absent #todo + validation: absent #todo required loop: '{{ users }}' when: item.allow_sudo|default(false) and item.allow_sudo is defined #no_log: true -- 2.43.0 From b884bdf9d3c6925fd1404e55fe8829f1be0f0694 Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 21:42:36 +0200 Subject: [PATCH 16/32] dfg --- roles/mgrote_users/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/mgrote_users/tasks/main.yml b/roles/mgrote_users/tasks/main.yml index fc1f905b..03b2d95e 100644 --- a/roles/mgrote_users/tasks/main.yml +++ b/roles/mgrote_users/tasks/main.yml @@ -43,6 +43,7 @@ state: "{{ item.state | default('present') }}" user: "{{ item.username }}" commands: ALL + host: ALL nopassword: "{{ item.allow_passwordless_sudo }}" validation: absent #todo required loop: '{{ users }}' -- 2.43.0 From 3f2588c0ceb1e3c566bf7c1f5ac07c798a1650e0 Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 21:44:44 +0200 Subject: [PATCH 17/32] dfg --- roles/mgrote_users/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/mgrote_users/tasks/main.yml b/roles/mgrote_users/tasks/main.yml index 03b2d95e..074abe52 100644 --- a/roles/mgrote_users/tasks/main.yml +++ b/roles/mgrote_users/tasks/main.yml 
@@ -42,8 +42,8 @@ name: "users-sudo-{{ item.username }}" state: "{{ item.state | default('present') }}" user: "{{ item.username }}" - commands: ALL - host: ALL + commands: "ALL" + host: "ALL" nopassword: "{{ item.allow_passwordless_sudo }}" validation: absent #todo required loop: '{{ users }}' -- 2.43.0 From c07cf038f2148290d81d37c2bcedb05b7f40061c Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 21:47:37 +0200 Subject: [PATCH 18/32] dsfg --- roles/mgrote_users/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mgrote_users/tasks/main.yml b/roles/mgrote_users/tasks/main.yml index 074abe52..f1d2dcdc 100644 --- a/roles/mgrote_users/tasks/main.yml +++ b/roles/mgrote_users/tasks/main.yml @@ -41,7 +41,7 @@ community.general.sudoers: name: "users-sudo-{{ item.username }}" state: "{{ item.state | default('present') }}" - user: "{{ item.username }}" + user: "(ALL)" commands: "ALL" host: "ALL" nopassword: "{{ item.allow_passwordless_sudo }}" -- 2.43.0 From 31b48cb6c81496a1823be346dbeaa8be6c97b15e Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 21:48:42 +0200 Subject: [PATCH 19/32] dsfg --- roles/mgrote_users/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mgrote_users/tasks/main.yml b/roles/mgrote_users/tasks/main.yml index f1d2dcdc..7d72eb01 100644 --- a/roles/mgrote_users/tasks/main.yml +++ b/roles/mgrote_users/tasks/main.yml @@ -41,7 +41,7 @@ community.general.sudoers: name: "users-sudo-{{ item.username }}" state: "{{ item.state | default('present') }}" - user: "(ALL)" + user: "{{ item.username }} ALL=(ALL)" commands: "ALL" host: "ALL" nopassword: "{{ item.allow_passwordless_sudo }}" -- 2.43.0 From 06b5260fc2a15cb66050a979bc49f9c0056a3530 Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 21:53:19 +0200 Subject: [PATCH 20/32] dsfg --- roles/mgrote_users/tasks/main.yml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) 
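Review bot: `user: "{{ item.username }} ALL=(ALL)"` in the last hunk smuggles a host and runas spec into the field the module writes as the user name, so the generated line reads roughly `ansible-user ALL=(ALL) ALL=NOPASSWD: ALL` — a second `ALL=` where sudo expects commands — and the intermediate `user: "(ALL)"` produced a rule with no user at all. With `validation: absent` still set from the previous patches, nothing stops such a line from reaching /etc/sudoers.d, and a single parse error there disables sudo host-wide, including for the account Ansible itself uses. Re-enable validation before the next attempt and express the runas target through the module's own option (`runas: "ALL"`, if the installed version has it) or through a templated line validated with `visudo -cf %s`.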
diff --git a/roles/mgrote_users/tasks/main.yml b/roles/mgrote_users/tasks/main.yml index 7d72eb01..57413067 100644 --- a/roles/mgrote_users/tasks/main.yml +++ b/roles/mgrote_users/tasks/main.yml @@ -38,14 +38,13 @@ #no_log: true - name: Ensure users are added to sudoers - community.general.sudoers: - name: "users-sudo-{{ item.username }}" - state: "{{ item.state | default('present') }}" - user: "{{ item.username }} ALL=(ALL)" - commands: "ALL" - host: "ALL" - nopassword: "{{ item.allow_passwordless_sudo }}" - validation: absent #todo required + ansible.builtin.blockinfile: + create: true # todo extra task fur abbau + path: "/etc/sudoers.d/users-sudo-{{ item.username }}" + state: present + block: | + {{ item.username }} ALL=(ALL) {{ 'NOPASSWD:' if (item.allow_passwordless_sudo | d(false)) else '' }}ALL + validate: 'visudo -cf %s' loop: '{{ users }}' when: item.allow_sudo|default(false) and item.allow_sudo is defined #no_log: true -- 2.43.0 From 4b23b06cc163e902abcb1881e5232dd007c75145 Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 22:00:15 +0200 Subject: [PATCH 21/32] dfgd --- roles/mgrote_users/tasks/main.yml | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/roles/mgrote_users/tasks/main.yml b/roles/mgrote_users/tasks/main.yml index 57413067..e98a06d9 100644 --- a/roles/mgrote_users/tasks/main.yml +++ b/roles/mgrote_users/tasks/main.yml 
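Review bot: The `blockinfile` task sets `create: true` but no `owner`, `group` or `mode`, so a new `/etc/sudoers.d/users-sudo-<name>` is created with the process umask (typically 0644); sudo expects drop-ins to be root-owned and 0440 and rejects more permissive files, so the first run on a fresh host can break sudo even though `visudo -cf %s` accepted the content. Add `owner: root`, `group: root` and `mode: "0440"` to the task. The hard-coded `state: present` (with `# todo extra task fur abbau`) also means a user switched to `state: absent` keeps their NOPASSWD rule until that teardown exists; the enclosing task list continues outside this hunk.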
@@ -37,14 +37,31 @@ loop: '{{ users }}' #no_log: true +# teilweiser revert von https://git.mgrote.net/mg/homeserver/commit/506fa8da8d8c4ca74d0d78d044468b991d0d560a +# das modul hat die Sudoers falsch erstellt: +# richtig: ansible-user ALL=(ALL) NOPASSWD:ALL +# falsch: ansible-user ALL=NOPASSWD: ALL +# damit failed ansible wenn der become_user != ansible-user ist +# mit Meldung: +# TASK [geerlingguy.postgresql : Ensure PostgreSQL Python libraries are installed.] +# fatal: [forgejo.mgrote.net]: FAILED! => {"msg": "Missing sudo password"} - name: Ensure users are added to sudoers ansible.builtin.blockinfile: - create: true # todo extra task fur abbau + create: true path: "/etc/sudoers.d/users-sudo-{{ item.username }}" - state: present + state: "{{ item.state | default('present') }}" block: | {{ item.username }} ALL=(ALL) {{ 'NOPASSWD:' if (item.allow_passwordless_sudo | d(false)) else '' }}ALL validate: 'visudo -cf %s' loop: '{{ users }}' when: item.allow_sudo|default(false) and item.allow_sudo is defined - #no_log: true + no_log: true + + +- name: Ensure users are removed from sudoers + ansible.builtin.file: + path: "/etc/sudoers.d/users-sudo-{{ item.username }}" + state: "{{ item.state | default('present') }}" + loop: '{{ users }}' + when: (item.allow_sudo|default(false) and item.allow_sudo is defined) and (item.state == absent) + no_log: true -- 2.43.0 From f3ee42cab1b0686233542d665e0a56e131a4065c Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 22:00:32 +0200 Subject: [PATCH 22/32] dfgf --- roles/mgrote_users/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/mgrote_users/tasks/main.yml b/roles/mgrote_users/tasks/main.yml index e98a06d9..39033fda 100644 --- a/roles/mgrote_users/tasks/main.yml +++ b/roles/mgrote_users/tasks/main.yml 
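Review bot: In the new removal task, `when: … and (item.state == absent)` compares against a bare variable named `absent`, which is undefined, so the condition errors (or never matches, depending on the undefined-variable handling) instead of testing the string `'absent'`; `item.state` itself may be undefined too, since the task above only reads it through `| default('present')`. Use `when: (item.allow_sudo | default(false)) and (item.state | default('present')) == 'absent'`. The `ansible.builtin.file` call would also receive `state: present` for present users, which is not a valid `file` state — hard-code `state: absent` there, since the guard already restricts it to absent users. On the comment block: the module's `ALL=NOPASSWD: ALL` output is not malformed, it simply omits a runas spec so only root is allowed as target, which is why `become_user: postgres` fails with "Missing sudo password".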
@@ -57,7 +57,6 @@ when: item.allow_sudo|default(false) and item.allow_sudo is defined no_log: true - - name: Ensure users are removed from sudoers ansible.builtin.file: path: "/etc/sudoers.d/users-sudo-{{ item.username }}" -- 2.43.0 From 6d060ef363ea9e9f6b5e8af0830f19db038d893e Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 22:00:54 +0200 Subject: [PATCH 23/32] dfg --- roles/mgrote_users/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mgrote_users/tasks/main.yml b/roles/mgrote_users/tasks/main.yml index 39033fda..e1482991 100644 --- a/roles/mgrote_users/tasks/main.yml +++ b/roles/mgrote_users/tasks/main.yml @@ -63,4 +63,4 @@ state: "{{ item.state | default('present') }}" loop: '{{ users }}' when: (item.allow_sudo|default(false) and item.allow_sudo is defined) and (item.state == absent) - no_log: true + # no_log: true -- 2.43.0 From 066a72924f3c892f4378f47a9f774aa3e9fc4388 Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 22:01:46 +0200 Subject: [PATCH 24/32] dxfg --- roles/mgrote_user_setup/tasks/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/mgrote_user_setup/tasks/main.yml b/roles/mgrote_user_setup/tasks/main.yml index 5bdd59ae..ab300f97 100644 --- a/roles/mgrote_user_setup/tasks/main.yml +++ b/roles/mgrote_user_setup/tasks/main.yml @@ -13,7 +13,7 @@ - name: Ensure dotfiles-repository is cloned # noqa latest[git] become: true - # become_user: "{{ item.user }}" + become_user: "{{ item.user }}" ansible.builtin.git: repo: "{{ dotfiles_repo_url }}" dest: "{{ item.home }}/dotfiles" @@ -109,6 +109,7 @@ loop: "{{ dotfiles }}" - name: Ensure vundle-repository is cloned + become_user: "{{ item.user }}" become: true ansible.builtin.git: repo: "{{ dotfiles_vim_vundle_repo_url }}" -- 2.43.0 From 7d507da49a5d3b5dff73e0c13c6a769cb89f8337 Mon Sep 17 00:00:00 2001 
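Review bot: Restoring `become_user: "{{ item.user }}"` on both clones is correct, but any host that ran the intermediate commits has `{{ item.home }}/dotfiles` and `.vim/bundle/Vundle.vim` checked out as root, and the git module running as the target user will fail or refuse on those root-owned repositories. If those commits were applied anywhere, add a one-off `ansible.builtin.file: path: "{{ item.home }}/dotfiles"`, `owner: "{{ item.user }}"`, `recurse: true` before the clone (and the same for the Vundle path), or chown them by hand. Commenting out `no_log: true` on the removal task in the previous hunk prints each loop item, which includes the password hash, in the run output.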
From: Michael Grote Date: Wed, 23 Oct 2024 22:02:37 +0200 Subject: [PATCH 25/32] dfgdf --- roles/mgrote_users/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mgrote_users/tasks/main.yml b/roles/mgrote_users/tasks/main.yml index e1482991..da4d40d0 100644 --- a/roles/mgrote_users/tasks/main.yml +++ b/roles/mgrote_users/tasks/main.yml @@ -62,5 +62,5 @@ path: "/etc/sudoers.d/users-sudo-{{ item.username }}" state: "{{ item.state | default('present') }}" loop: '{{ users }}' - when: (item.allow_sudo|default(false) and item.allow_sudo is defined) and (item.state == absent) + when: (item.allow_sudo|default(false) and item.allow_sudo is defined) and (item.state is absent) # no_log: true -- 2.43.0 From f3e44bb6330d2dcbf976c63272884dc762c7d07f Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 22:03:30 +0200 Subject: [PATCH 26/32] dfg --- roles/mgrote_users/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/mgrote_users/tasks/main.yml b/roles/mgrote_users/tasks/main.yml index da4d40d0..6dc2da34 100644 --- a/roles/mgrote_users/tasks/main.yml +++ b/roles/mgrote_users/tasks/main.yml @@ -38,7 +38,7 @@ #no_log: true # teilweiser revert von https://git.mgrote.net/mg/homeserver/commit/506fa8da8d8c4ca74d0d78d044468b991d0d560a -# das modul hat die Sudoers falsch erstellt: +# das modul erstellt die sudoers falsch: # richtig: ansible-user ALL=(ALL) NOPASSWD:ALL # falsch: ansible-user ALL=NOPASSWD: ALL # damit failed ansible wenn der become_user != ansible-user ist @@ -62,5 +62,5 @@ path: "/etc/sudoers.d/users-sudo-{{ item.username }}" state: "{{ item.state | default('present') }}" loop: '{{ users }}' - when: (item.allow_sudo|default(false) and item.allow_sudo is defined) and (item.state is absent) + when: (item.allow_sudo|default(false) and item.allow_sudo is defined) and ("absent" in item.state) # no_log: true -- 2.43.0 From f7872e080700d8d9003148e5d6af07ab570bbb31 Mon Sep 17 00:00:00 2001 
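Review bot: `("absent" in item.state)` in the last hunk finally tests the string the two earlier forms (`== absent`, `is absent`) did not, but it raises when a `users` entry omits `state`, which the neighbouring tasks treat as present via `| default('present')`. Use `(item.state | default('present')) == 'absent'` instead of a substring test. The `item.allow_sudo is defined` clause is also redundant after `item.allow_sudo|default(false)`, since the default already covers the undefined case; `when: (item.allow_sudo | default(false)) and (item.state | default('present')) == 'absent'` says the same thing in one expression.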
From: Michael Grote Date: Wed, 23 Oct 2024 22:07:31 +0200 Subject: [PATCH 27/32] dfgd --- roles/mgrote_users/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/mgrote_users/tasks/main.yml b/roles/mgrote_users/tasks/main.yml index 6dc2da34..3e3a852c 100644 --- a/roles/mgrote_users/tasks/main.yml +++ b/roles/mgrote_users/tasks/main.yml @@ -26,7 +26,7 @@ createhome: "{{ item.createhome | default('yes') }}" state: "{{ item.state | default('present') }}" loop: '{{ users }}' - #no_log: true + no_log: true - name: Ensure user ssh-keys exist ansible.posix.authorized_key: @@ -35,7 +35,7 @@ state: "{{ item.state | default('present') }}" when: item.public_ssh_key is defined loop: '{{ users }}' - #no_log: true + no_log: true # teilweiser revert von https://git.mgrote.net/mg/homeserver/commit/506fa8da8d8c4ca74d0d78d044468b991d0d560a # das modul erstellt die sudoers falsch: @@ -63,4 +63,4 @@ state: "{{ item.state | default('present') }}" loop: '{{ users }}' when: (item.allow_sudo|default(false) and item.allow_sudo is defined) and ("absent" in item.state) - # no_log: true + no_log: true -- 2.43.0 From b4293cde9fa60caf3a1563c9de1079884c9aaa7f Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 22:10:19 +0200 Subject: [PATCH 28/32] dfg --- group_vars/git.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/group_vars/git.yml b/group_vars/git.yml index 33aa08af..aaadf0b9 100644 --- a/group_vars/git.yml +++ b/group_vars/git.yml @@ -29,8 +29,6 @@ postgresql_users: - name: "{{ gitea_db_user }}" password: "{{ gitea_db_password }}" -postgres_users_no_log: false # TODO wieder weg - ### oefenweb.ufw ufw_rules: - rule: allow -- 2.43.0 From c315cb0de917c6d243b90048f73de3759aaab935 Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 22:11:19 +0200 Subject: [PATCH 29/32] dfgd --- roles/mgrote_users/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
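Review bot: Re-enabling `no_log: true` on the sudoers task also hides the `visudo -cf` rejection text, so a malformed rule now fails with nothing but the "output has been hidden" message. The only sensitive field in each loop item is `password`, which this task never reads (the block uses `item.username` and `item.allow_passwordless_sudo`), so iterate over a redacted copy and keep the output: `loop: "{{ users | map('combine', {'password': '<redacted>'}) | list }}"` and drop `no_log` on this task only — it stays on the user and authorized_key tasks, which do handle the hashes. Removing `postgres_users_no_log: false` in the second hunk is right; the DB password printed while it was set should be considered exposed in any retained run logs.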
diff --git a/roles/mgrote_users/tasks/main.yml b/roles/mgrote_users/tasks/main.yml index 3e3a852c..2ee8856c 100644 --- a/roles/mgrote_users/tasks/main.yml +++ b/roles/mgrote_users/tasks/main.yml @@ -57,7 +57,7 @@ when: item.allow_sudo|default(false) and item.allow_sudo is defined no_log: true -- name: Ensure users are removed from sudoers +- name: Ensure users are removed from sudoers # ungetestet ansible.builtin.file: path: "/etc/sudoers.d/users-sudo-{{ item.username }}" state: "{{ item.state | default('present') }}" -- 2.43.0 From 29cf608bdf92e321cc344570e05511025e8d49d1 Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 22:17:41 +0200 Subject: [PATCH 30/32] dfg --- roles/mgrote_users/tasks/main.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/mgrote_users/tasks/main.yml b/roles/mgrote_users/tasks/main.yml index 2ee8856c..6cf206cb 100644 --- a/roles/mgrote_users/tasks/main.yml +++ b/roles/mgrote_users/tasks/main.yml @@ -53,6 +53,9 @@ block: | {{ item.username }} ALL=(ALL) {{ 'NOPASSWD:' if (item.allow_passwordless_sudo | d(false)) else '' }}ALL validate: 'visudo -cf %s' + owner: root + group: root + mode: "0644" loop: '{{ users }}' when: item.allow_sudo|default(false) and item.allow_sudo is defined no_log: true @@ -60,7 +63,7 @@ - name: Ensure users are removed from sudoers # ungetestet ansible.builtin.file: path: "/etc/sudoers.d/users-sudo-{{ item.username }}" - state: "{{ item.state | default('present') }}" + state: absent loop: '{{ users }}' when: (item.allow_sudo|default(false) and item.allow_sudo is defined) and ("absent" in item.state) no_log: true -- 2.43.0 From 673f341bcb0e0f3766f5578c9c0e78bc63947b3e Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 22:18:34 +0200 Subject: [PATCH 31/32] dfg --- roles/mgrote_users/tasks/main.yml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) 
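Review bot: `mode: "0644"` in the first hunk leaves the drop-in world-readable; sudo insists on 0440 for sudoers.d files and refuses to run when a drop-in is more permissive (it logs "is mode 0644, should be 0440" and quits), so this would lock out sudo on the host rather than merely disclose usernames. Set `mode: "0440"`; `owner: root` and `group: root` are correct as written. Hard-coding `state: absent` on the `ansible.builtin.file` removal task fixes the invalid `present` state the template could produce, and the `# ungetestet` marker on a task that deletes sudo grants is a good reason to exercise it once with a dummy user before relying on it.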
diff --git a/roles/mgrote_users/tasks/main.yml b/roles/mgrote_users/tasks/main.yml index 6cf206cb..c76a21da 100644 --- a/roles/mgrote_users/tasks/main.yml +++ b/roles/mgrote_users/tasks/main.yml @@ -45,7 +45,7 @@ # mit Meldung: # TASK [geerlingguy.postgresql : Ensure PostgreSQL Python libraries are installed.] # fatal: [forgejo.mgrote.net]: FAILED! => {"msg": "Missing sudo password"} -- name: Ensure users are added to sudoers +- name: Ensure users are added or removed to/from sudoers ansible.builtin.blockinfile: create: true path: "/etc/sudoers.d/users-sudo-{{ item.username }}" @@ -59,11 +59,3 @@ loop: '{{ users }}' when: item.allow_sudo|default(false) and item.allow_sudo is defined no_log: true - -- name: Ensure users are removed from sudoers # ungetestet - ansible.builtin.file: - path: "/etc/sudoers.d/users-sudo-{{ item.username }}" - state: absent - loop: '{{ users }}' - when: (item.allow_sudo|default(false) and item.allow_sudo is defined) and ("absent" in item.state) - no_log: true -- 2.43.0 From 29e61c0f8af82adc58df6133c240566d83cead99 Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Wed, 23 Oct 2024 22:20:01 +0200 Subject: [PATCH 32/32] dfsgds --- roles/mgrote_users/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mgrote_users/tasks/main.yml b/roles/mgrote_users/tasks/main.yml index c76a21da..cde9e3a9 100644 --- a/roles/mgrote_users/tasks/main.yml +++ b/roles/mgrote_users/tasks/main.yml @@ -55,7 +55,7 @@ validate: 'visudo -cf %s' owner: root group: root - mode: "0644" + mode: "0440" loop: '{{ users }}' when: item.allow_sudo|default(false) and item.allow_sudo is defined no_log: true -- 2.43.0
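Review bot: Deleting the file-removal task leaves `state: absent` on the whole user as the only way to revoke a grant; a user who stays `present` but has `allow_sudo` flipped from `true` to `false` is filtered out by `when: item.allow_sudo|default(false) …`, so the existing `/etc/sudoers.d/users-sudo-<name>` keeps granting passwordless root indefinitely. Removal through `blockinfile` with `create: true` also presumably leaves an empty file (or creates one) in /etc/sudoers.d rather than deleting it — worth confirming on a test host. Keep the blockinfile task for grants and re-add an explicit removal for everyone else, as below; `mode: "0440"` in the second hunk is the right permission for the drop-in.

```yaml
# … unchanged: "Ensure users are added or removed to/from sudoers" blockinfile task …

- name: Ensure sudoers drop-ins of users without sudo are removed
  ansible.builtin.file:
    path: "/etc/sudoers.d/users-sudo-{{ item.username }}"
    state: absent
  loop: '{{ users }}'
  when: not (item.allow_sudo | default(false)) or (item.state | default('present')) == 'absent'
  no_log: true
```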