homeserver/roles/mgrote_users/tasks/main.yml
Michael Grote 6d060ef363
Some checks failed
ansible-lint / gitleaks (pull_request) Successful in 6s
ansible-lint / Ansible Lint (pull_request) Failing after 43s
dfg
2024-10-23 22:00:54 +02:00

66 lines
2.3 KiB
YAML

---
- name: Set groups as list
ansible.builtin.set_fact:
groups_as_list: "{{ (((item.groups) | list) | sort) | unique }}"
loop: "{{ users }}"
when: item.groups is defined
become: false
no_log: true
- name: Ensure groups exist
ansible.builtin.group:
name: "{{ item }}"
state: present
loop: '{{ groups_as_list }}'
when: groups_as_list is defined
no_log: true
- name: Ensure users exist
ansible.builtin.user:
name: "{{ item.username }}"
uid: "{{ item.uid | default(omit) }}"
shell: "{{ item.shell | default('/bin/bash') }}"
password: "{{ item.password }}"
update_password: "{{ item.update_password | default(omit) }}"
groups: "{{ item.groups | default(omit) }}"
createhome: "{{ item.createhome | default('yes') }}"
state: "{{ item.state | default('present') }}"
loop: '{{ users }}'
#no_log: true
- name: Ensure user ssh-keys exist
ansible.posix.authorized_key:
user: "{{ item.username }}"
key: "{{ item.public_ssh_key }}"
state: "{{ item.state | default('present') }}"
when: item.public_ssh_key is defined
loop: '{{ users }}'
#no_log: true
# teilweiser revert von https://git.mgrote.net/mg/homeserver/commit/506fa8da8d8c4ca74d0d78d044468b991d0d560a
# das modul hat die Sudoers falsch erstellt:
# richtig: ansible-user ALL=(ALL) NOPASSWD:ALL
# falsch: ansible-user ALL=NOPASSWD: ALL
# damit failed ansible wenn der become_user != ansible-user ist
# mit Meldung:
# TASK [geerlingguy.postgresql : Ensure PostgreSQL Python libraries are installed.]
# fatal: [forgejo.mgrote.net]: FAILED! => {"msg": "Missing sudo password"}
- name: Ensure users are added to sudoers
ansible.builtin.blockinfile:
create: true
path: "/etc/sudoers.d/users-sudo-{{ item.username }}"
state: "{{ item.state | default('present') }}"
block: |
{{ item.username }} ALL=(ALL) {{ 'NOPASSWD:' if (item.allow_passwordless_sudo | d(false)) else '' }}ALL
validate: 'visudo -cf %s'
loop: '{{ users }}'
when: item.allow_sudo|default(false) and item.allow_sudo is defined
no_log: true
- name: Ensure users are removed from sudoers
ansible.builtin.file:
path: "/etc/sudoers.d/users-sudo-{{ item.username }}"
state: "{{ item.state | default('present') }}"
loop: '{{ users }}'
when: (item.allow_sudo|default(false) and item.allow_sudo is defined) and (item.state == absent)
# no_log: true