--- - name: Set groups as list ansible.builtin.set_fact: groups_as_list: "{{ (((item.groups) | list) | sort) | unique }}" loop: "{{ users }}" when: item.groups is defined become: false no_log: "{{ no_debug | default('true') }}" - name: Ensure groups exist ansible.builtin.group: name: "{{ item }}" state: present loop: '{{ groups_as_list }}' when: groups_as_list is defined no_log: "{{ no_debug | default('true') }}" - name: Ensure users exist ansible.builtin.user: name: "{{ item.username }}" uid: "{{ item.uid | default(omit) }}" shell: "{{ item.shell | default('/bin/bash') }}" password: "{{ item.password }}" update_password: "{{ item.update_password | default(omit) }}" groups: "{{ item.groups | default(omit) }}" createhome: "{{ item.createhome | default('yes') }}" state: "{{ item.state | default('present') }}" loop: '{{ users }}' no_log: "{{ no_debug | default('true') }}" - name: Ensure user ssh-keys exist ansible.posix.authorized_key: user: "{{ item.username }}" key: "{{ item.public_ssh_key }}" state: "{{ item.state | default('present') }}" when: item.public_ssh_key is defined loop: '{{ users }}' no_log: "{{ no_debug | default('true') }}" # teilweiser revert von https://git.mgrote.net/mg/homeserver/commit/506fa8da8d8c4ca74d0d78d044468b991d0d560a # das modul erstellt die sudoers falsch: # richtig: ansible-user ALL=(ALL) NOPASSWD:ALL # falsch: ansible-user ALL=NOPASSWD: ALL # damit failed ansible wenn der become_user != ansible-user ist # mit Meldung: # TASK [geerlingguy.postgresql : Ensure PostgreSQL Python libraries are installed.] # fatal: [forgejo.mgrote.net]: FAILED! => {"msg": "Missing sudo password"} - name: Ensure users are added or removed to/from sudoers ansible.builtin.blockinfile: create: true path: "/etc/sudoers.d/users-sudo-{{ item.username }}" state: "{{ item.state | default('present') }}" block: | {{ item.username }} ALL=(ALL) {{ 'NOPASSWD:' if (item.allow_passwordless_sudo | d(false)) else '' }}ALL validate: 'visudo -cf %s' owner: root group: root mode: "0440" loop: '{{ users }}' when: item.allow_sudo|default(false) and item.allow_sudo is defined no_log: "{{ no_debug | default('true') }}"