Initial COmmit

.ansible-lint

@@ -0,0 +1,4 @@
+---
+
+exclude_paths:
+- .gitea/

.editorconfig

@@ -0,0 +1,12 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = false

.gitea/workflows/ansible-linters.yaml

@@ -0,0 +1,20 @@
+name: Ansible Linter
+
+on:
+  pull_request:
+    types: [ "opened", "reopened", "synchronize" ]
+  push:
+    branches: [ '**' ]
+    tags-ignore: [ '**' ]
+
+jobs:
+  ansible-lint:
+    runs-on:
+    - ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Run ansible-lint
+      uses: ansible/ansible-lint@v25.2.1
+      with:
+        args: "--config-file .ansible-lint"
+        setup_python: "true"

.gitea/workflows/markdown-linters.yaml

@@ -0,0 +1,19 @@
+name: Lint Markdown files
+
+on:
+  pull_request:
+    types: [ "opened", "reopened", "synchronize" ]
+  push:
+    branches: [ '**' ]
+    tags-ignore: [ '**' ]
+
+jobs:
+  markdown-lint:
+    container:
+      image: git.cryptic.systems/volker.raschek/markdownlint:0.44.0
+    runs-on:
+    - ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4.2.2
+    - name: Lint Markdown files
+      run: markdownlint --config .markdownlint.yaml .

.gitignore

@@ -0,0 +1 @@
+.ansible

.markdownlint.yaml

@@ -0,0 +1,137 @@
+# markdownlint YAML configuration
+# https://github.com/DavidAnson/markdownlint/blob/main/schema/.markdownlint.yaml
+
+# Default state for all rules
+default: true
+
+# Path to configuration file to extend
+extends: null
+
+# MD003/heading-style/header-style - Heading style
+MD003:
+  # Heading style
+  style: "atx"
+
+# MD004/ul-style - Unordered list style
+MD004:
+  style: "dash"
+
+# MD007/ul-indent - Unordered list indentation
+MD007:
+  # Spaces for indent
+  indent: 2
+  # Whether to indent the first level of the list
+  start_indented: false
+
+# MD009/no-trailing-spaces - Trailing spaces
+MD009:
+  # Spaces for line break
+  br_spaces: 2
+  # Allow spaces for empty lines in list items
+  list_item_empty_lines: false
+  # Include unnecessary breaks
+  strict: false
+
+# MD010/no-hard-tabs - Hard tabs
+MD010:
+  # Include code blocks
+  code_blocks: true
+
+# MD012/no-multiple-blanks - Multiple consecutive blank lines
+MD012:
+  # Consecutive blank lines
+  maximum: 1
+
+# MD013/line-length - Line length
+MD013:
+  # Number of characters
+  line_length: 120
+  # Number of characters for headings
+  heading_line_length: 120
+  # Number of characters for code blocks
+  code_block_line_length: 120
+  # Include code blocks
+  code_blocks: false
+  # Include tables
+  tables: false
+  # Include headings
+  headings: true
+  # Strict length checking
+  strict: false
+  # Stern length checking
+  stern: false
+
+# MD022/blanks-around-headings/blanks-around-headers - Headings should be surrounded by blank lines
+MD022:
+  # Blank lines above heading
+  lines_above: 1
+  # Blank lines below heading
+  lines_below: 1
+
+# MD025/single-title/single-h1 - Multiple top-level headings in the same document
+MD025:
+  # Heading level
+  level: 1
+  # RegExp for matching title in front matter
+  front_matter_title: "^\\s*title\\s*[:=]"
+
+# MD026/no-trailing-punctuation - Trailing punctuation in heading
+MD026:
+  # Punctuation characters
+  punctuation: ".,;:!。，；：！"
+
+# MD029/ol-prefix - Ordered list item prefix
+MD029:
+  # List style
+  style: "one_or_ordered"
+
+# MD030/list-marker-space - Spaces after list markers
+MD030:
+  # Spaces for single-line unordered list items
+  ul_single: 1
+  # Spaces for single-line ordered list items
+  ol_single: 1
+  # Spaces for multi-line unordered list items
+  ul_multi: 1
+  # Spaces for multi-line ordered list items
+  ol_multi: 1
+
+# MD033/no-inline-html - Inline HTML
+MD033:
+  # Allowed elements
+  allowed_elements: []
+
+# MD035/hr-style - Horizontal rule style
+MD035:
+  # Horizontal rule style
+  style: "---"
+
+# MD036/no-emphasis-as-heading/no-emphasis-as-header - Emphasis used instead of a heading
+MD036:
+  # Punctuation characters
+  punctuation: ".,;:!?。，；：！？"
+
+# MD041/first-line-heading/first-line-h1 - First line in a file should be a top-level heading
+MD041:
+  # Heading level
+  level: 1
+  # RegExp for matching title in front matter
+  front_matter_title: "^\\s*title\\s*[:=]"
+
+# MD044/proper-names - Proper names should have the correct capitalization
+MD044:
+  # List of proper names
+  names:
+  - gitea
+  # Include code blocks
+  code_blocks: false
+
+# MD046/code-block-style - Code block style
+MD046:
+  # Block style
+  style: "fenced"
+
+# MD048/code-fence-style - Code fence style
+MD048:
+  # Code fence syle
+  style: "backtick"

.vscode/settings.json

@@ -0,0 +1,14 @@
+{
+  "ansible.python.interpreterPath": "/bin/python",
+  "files.associations": {
+    "**/.gitea/**/*.yml": "yaml",
+    "**/.gitea/**/*.yaml": "yaml",
+    ".drone.yml": "yaml",
+    "docker-compose*.yml": "dockercompose",
+    "*.yml": "ansible",
+    "*.yaml": "ansible",
+    ".yamllint": "yaml",
+    ".yamllint.yml": "yaml",
+    ".yamllint.yaml": "yaml"
+  }
+}

.yamllint.yaml

@@ -0,0 +1,17 @@
+#
+# Documentation:
+# https://yamllint.readthedocs.io/en/stable/
+#
+
+rules:
+  brackets:
+    forbid: false
+    min-spaces-inside: 0
+    max-spaces-inside: 2
+    min-spaces-inside-empty: 0
+    max-spaces-inside-empty: 0
+  indentation:
+    spaces: 2
+    indent-sequences: false
+  line-length:
+    max: 360

LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2025 Markus Pesch
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,24 @@
+# sudo_users
+
+[![Ansible Role](https://img.shields.io/ansible/role/d/58433)](https://galaxy.ansible.com/volker_raschek/root)
+
+With following role can be created sudoers files in `/etc/sudoers.d`. For
+example to grant a user special perimssions to execute a program as root.
+
+## Supported distributions
+
+- Arch Linux
+- Debian
+- Fedora
+- RHEL
+- Ubuntu 20.04
+
+## Features
+
+- Installing sudo
+- Configuring drop-on files in `/etc/sudoers.d`
+
+## Configuring
+
+In the default directory are examples how to configure the network stack. Copy the
+defaults into your `host_vars` or `group_vars` and adapt the examples.

default/main.yml

@@ -0,0 +1,12 @@
+---
+
+root: {}
+#   password: ""
+#   ssh:
+#     config:
+#     - Host: "*"
+#       StrictHostKeyChecking: "no"
+#       UserKnownHostFile: /dev/null
+#     authorized_keys:
+#     - filename: markus@markus-pc.pub
+#       # command: "" # optional

meta/main.yml

@@ -0,0 +1,23 @@
+galaxy_info:
+  namespace: volker_raschek
+  role_name: "root"
+  author: "Markus Pesch"
+  description: Role to configure root
+  company: Cryptic Systems
+  license: MIT
+  min_ansible_version: "2.9"
+  platforms:
+  - name: ArchLinux
+    versions:
+    - all
+  - name: Ubuntu
+    versions:
+    - all
+  - name: Fedora
+    versions:
+    - "35"
+
+  galaxy_tags:
+  - root
+
+dependencies: []

renovate.json

@@ -0,0 +1,9 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "local>volker.raschek/renovate-config:default#master",
+    "local>volker.raschek/renovate-config:container#master",
+    "local>volker.raschek/renovate-config:actions#master",
+    "local>volker.raschek/renovate-config:regexp#master"
+  ]
+}

tasks/main.yml

@@ -0,0 +1,115 @@
+---
+
+- name: Set or unset root password
+  block:
+  - name: Set root password
+    ansible.builtin.user:
+      name: root
+      password: "{{ root.password | password_hash('sha512') }}"
+      password_lock: false
+    when: root.password is defined and root.password | length > 0 and root.password != "!"
+    no_log: true
+
+  - name: Update ansible_become_pass
+    ansible.builtin.set_fact:
+      ansible_become_pass: "{{ root.password }}"
+    when: root.password is defined and root.password | length > 0 and root.password != "!"
+    no_log: true
+
+  - name: Lock root login
+    ansible.builtin.user:
+      name: root
+      password_lock: true
+    when: root.password is defined and root.password | length <= 0
+
+- name: Create .ssh directory
+  ansible.builtin.file:
+    path: "/root/.ssh"
+    state: directory
+    owner: "root"
+    group: "root"
+    mode: "0700"
+
+- name: "Create authorized_keys file"
+  ansible.builtin.template:
+    src: root/.ssh/authorized_keys.j2
+    dest: "/root/.ssh/authorized_keys"
+    owner: "root"
+    group: "root"
+    mode: "0600"
+  when: root.ssh is defined and
+        root.ssh.authorized_keys is defined and
+        root.ssh.authorized_keys | length > 0
+
+- name: "Remove authorized_keys file"
+  ansible.builtin.file:
+    path: "/root/.ssh/authorized_keys"
+    state: absent
+  when: root.ssh is defined and
+        root.ssh.authorized_keys is defined and
+        root.ssh.authorized_keys | length <= 0 or
+        root.ssh is defined and
+        root.ssh.authorized_keys is not defined or
+        root.ssh is not defined
+
+- name: "Generate private and public SSH key"
+  when: root.ssh is defined and
+        (
+          root.ssh.private_keys is not defined or
+          root.ssh.private_keys | length <= 0
+        )
+  block:
+  - name: "Check if private SSH key already exists"
+    ansible.builtin.stat:
+      path: "/root/.ssh/{{ inventory_hostname_short }}.key"
+    register: stat_result
+  - name: "Generate private SSH key"
+    community.crypto.openssh_keypair:
+      path: "/root/.ssh/{{ inventory_hostname_short }}.key"
+      type: ed25519
+      size: 512
+      state: present
+      comment: "root@{{ inventory_hostname_short }}"
+      force: false
+    when: not stat_result.stat.exists
+
+- name: "Create private and public SSH key"
+  when: root.ssh is defined and
+        root.ssh.private_keys is defined and
+        root.ssh.private_keys | length > 0
+  block:
+  - name: "Create private SSH keys"
+    ansible.builtin.copy:
+      src: "{{ playbook_dir }}/ssh/private_keys/{{ item }}"
+      dest: "/root/.ssh/{{ item }}"
+      owner: "root"
+      group: "root"
+      mode: "0600"
+    with_items:
+    - "{{ root.ssh.private_keys }}"
+
+  - name: "Extract public SSH keys from private keys"
+    ansible.builtin.shell:
+    args:
+      executable: /bin/bash
+      cmd: "ssh-keygen -y -f /root/.ssh/{{ item }} > /root/.ssh/{{ item }}.pub"
+    register: _root_ssh_pub_key_extraction
+    changed_when: _root_ssh_pub_key_extraction.rc == 0
+    failed_when: _root_ssh_pub_key_extraction.rc > 0
+    with_items:
+    - "{{ root.ssh.private_keys }}"
+
+- name: "Create custom SSH client config"
+  ansible.builtin.template:
+    src: root/.ssh/config.j2
+    dest: /root/.ssh/config
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  when: root.ssh.config is defined and root.ssh.config | length >= 0
+
+- name: "Remove custom SSH client config"
+  ansible.builtin.file:
+    path: "/root/.ssh/config"
+    state: absent
+  when: root.ssh.config is not defined

templates/root/.ssh/authorized_keys.j2

@@ -0,0 +1,10 @@
+#
+# {{ ansible_managed }}
+#
+{% for authorized_key in root.ssh.authorized_keys %}
+{% if authorized_key.command is defined and authorized_key.command | length > 0 %}
+command="{{ authorized_key.command }}" {{ lookup('file', 'ssh/authorized_keys/' + authorized_key.filename ) }}
+{% else %}
+{{ lookup('file', 'ssh/authorized_keys/' + authorized_key.filename ) }}
+{% endif %}
+{% endfor %}

templates/root/.ssh/config.j2

@@ -0,0 +1,15 @@
+#jinja2: lstrip_blocks: True
+#
+# {{ ansible_managed }}
+#
+
+{% for config in root.ssh.config %}
+{% for property, value in config.items() %}
+{% if property == "Host" %}
+{{ property }} {{ value }}
+{% else %}
+  {{ property }} {{ value }}
+{% endif %}
+{% endfor %}
+
+{% endfor %}