From 51bf2a08cfe444c36cb45bef2326b755d22a7db0 Mon Sep 17 00:00:00 2001
From: Markus Pesch
Date: Thu, 16 Feb 2023 15:12:03 +0100
Subject: [PATCH] fix: specify further sudoes settings
---
 defaults/main.yml | 15 +++++----
 tasks/main.yml | 72 ++++++++++++++++++++++++++++++++++++++-----
 tasks/verify_vars.yml | 10 ++++++
 3 files changed, 82 insertions(+), 15 deletions(-)
 create mode 100644 tasks/verify_vars.yml
diff --git a/defaults/main.yml b/defaults/main.yml
index 8e15f7d..ac845ca 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,11 +1,10 @@
 ---
 sudo_users_sudoers: {}
- # myuser:
- # commands:
- # - /usr/sbin/nologin
- # without_password: yes
- # myadmin:
- # commands:
- # - ALL
- # without_password: yes
\ No newline at end of file
+# - commands:
+# - ALL
+# filename: "" # Optional: Default to user or group
+# group: "" # Group or User, not booth!
+# nopassword: true
+# runas: "" # Optional
+# user: "markus": # Group or User, not booth!
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
index 389747e..4ee6c4b 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -3,6 +3,16 @@
 - name: Load variables
 include_vars: "{{ ansible_os_family }}.yml"
+- name: Verify variables
+ tags: [ testa ]
+ include_tasks: "{{ lookup('first_found', params) }}"
+ vars:
+ params:
+ files:
+ - "{{ ansible_distribution }}_verify_vars.yml"
+ - "{{ ansible_os_family }}_verify_vars.yml"
+ - "verify_vars.yml"
+
 - name: Install sudo
 package:
 name: "{{ item }}"
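Review bot: `sudo_users_sudoers: {}` is kept as an empty mapping while the new example comment above it, and the `with_items` loops added in tasks/main.yml and tasks/verify_vars.yml, treat the variable as a list of entries; if Ansible hands the empty mapping to the loop as one item, the new assert in tasks/verify_vars.yml fails on the role's own default, so the default should be `sudo_users_sudoers: []`. The example line `# user: "markus":` carries a trailing colon that becomes a YAML error once uncommented, and "booth" in two comments should read "both". The example also pairs `commands: - ALL` with `nopassword: true`, i.e. passwordless unrestricted sudo; a defaults example should show a restricted command list and state that `nopassword` defaults to false in the tasks.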
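Review bot: The `tags: [ testa ]` on the new `Verify variables` include reads like a leftover test tag; the same tag is attached to every task added in this commit (the four sudoers tasks in the second tasks/main.yml hunk and the assert in tasks/verify_vars.yml), so `--skip-tags testa` drops the verification together with the sudoers tasks while `--tags testa` writes sudoers files without ever running `Install sudo`. Either drop the tag or give it a role-scoped name; tags on `include_tasks` do not propagate to the included file, which is presumably why tasks/verify_vars.yml repeats it. The `first_found` lookup is fine as written because the generic `verify_vars.yml` is always present; it would need `skip: true` only if that fallback were removed.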
@@ -31,12 +41,60 @@
 - absent
 - directory
-- name: Create drop-in files of sudoers.d
+- name: "Create sudoers drop-in file to execute commands for specific unix users"
+ tags: [ "testa" ]
 community.general.sudoers:
- name: "{{ item.key }}"
+ name: "{{ item.filename | default(item.user) }}"
 state: present
- user: "{{ item.key }}"
- nopassword: "{{ item.value.without_password | default(False) }}"
- commands: "{{ items.value.command | join(',') if items.value.command is defined and items.value.command | length > 0 else 'ALL' }}"
- when: "item.value | length > 0"
- with_dict: "{{ sudo_users_sudoers }}"
\ No newline at end of file
+ user: "{{ item.user }}"
+ nopassword: "{{ item.nopassword | default(false) }}"
+ commands: "{{ item.commands | default('ALL') }}"
+ with_items:
+ - "{{ sudo_users_sudoers }}"
+ when: item.user is defined and item.user | length > 0 and
+ item.group is not defined and
+ item.runas is not defined
+
+- name: "Create sudoers drop-in file to execute commands for specific unix users as specific unix user"
+ tags: [ "testa" ]
+ community.general.sudoers:
+ name: "{{ item.filename | default(item.user) }}"
+ state: present
+ user: "{{ item.user }}"
+ runas: "{{ item.runas }}"
+ nopassword: "{{ item.nopassword | default(false) }}"
+ commands: "{{ item.commands | default('ALL') }}"
+ with_items:
+ - "{{ sudo_users_sudoers }}"
+ when: item.user is defined and item.user | length > 0 and
+ item.group is not defined and
+ item.runas is defined and item.runas | length > 0
+
+- name: "Create sudoers drop-in file to execute commands for specific unix groups"
+ tags: [ "testa" ]
+ community.general.sudoers:
+ name: "{{ item.filename | default(item.group) }}"
+ state: present
+ group: "{{ item.group }}"
+ nopassword: "{{ item.nopassword | default(false) }}"
+ commands: "{{ item.commands | default('ALL') }}"
+ with_items:
+ - "{{ sudo_users_sudoers }}"
+ when: item.user is not defined and
+ item.group is defined and item.group | length > 0 and
+ item.runas is not defined
+
+- name: "Create sudoers drop-in file to execute commands for specific unix groups as specifix unix user"
+ tags: [ "testa" ]
+ community.general.sudoers:
+ name: "{{ item.filename | default(item.group) }}"
+ state: present
+ group: "{{ item.group }}"
+ runas: "{{ item.runas }}"
+ nopassword: "{{ item.nopassword | default(false) }}"
+ commands: "{{ item.commands | default('ALL') }}"
+ with_items:
+ - "{{ sudo_users_sudoers }}"
+ when: item.user is not defined and
+ item.group is defined and item.group | length > 0 and
+ item.runas is defined and item.runas | length > 0
\ No newline at end of file
diff --git a/tasks/verify_vars.yml b/tasks/verify_vars.yml
new file mode 100644
index 0000000..6903cc3
--- /dev/null
+++ b/tasks/verify_vars.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Verify if not user and group exists for each entry
+ tags: [ testa ]
+ ansible.builtin.assert:
+ that:
+ - (item.user is defined and item.group is not defined) or
+ (item.user is not defined and item.group is defined)
+ with_items:
+ - "{{ sudo_users_sudoers }}"
\ No newline at end of file
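Review bot: An entry whose `user`, `group` or `runas` is defined but empty matches none of the four `when` conditions in this hunk and is silently skipped, so a typo such as `runas: ""` yields neither a sudoers file nor an error; the assert in tasks/verify_vars.yml should reject empty values rather than the tasks filtering them out. The four tasks differ only in which of `user`/`group`/`runas` they pass to `community.general.sudoers`, which invites drift (the fourth title already reads "specifix"); with `default(omit)` a single task covers all four cases, and `loop` instead of `with_items` no longer depends on list flattening of `- "{{ sudo_users_sudoers }}"`. `state: present` alone never removes a drop-in whose entry was deleted from `sudo_users_sudoers`; whether the task above this hunk (the `absent`/`directory` loop visible in the context lines) purges the directory first is outside the hunk, so I cannot tell from here whether removing an entry revokes the privilege.
```yaml
- name: "Create sudoers drop-in file for each configured unix user or group"
  community.general.sudoers:
    name: "{{ item.filename | default(item.user | default(item.group)) }}"
    state: present
    user: "{{ item.user | default(omit) }}"
    group: "{{ item.group | default(omit) }}"
    runas: "{{ item.runas | default(omit) }}"
    nopassword: "{{ item.nopassword | default(false) }}"
    commands: "{{ item.commands | default('ALL') }}"
  loop: "{{ sudo_users_sudoers }}"
```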
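Review bot: The assert only checks that exactly one of `user` and `group` is present; it accepts empty strings and an empty `runas`, which the sudoers tasks in tasks/main.yml then skip silently, and on failure it does not name the offending entry. Add `- (item.user | default(item.group)) | length > 0` and `- item.runas is not defined or item.runas | length > 0` under `that:`, plus `fail_msg: "invalid sudo_users_sudoers entry: {{ item }}"` so the failing entry shows up in the run output. The `tags: [ testa ]` here duplicates the tag on the include in tasks/main.yml and looks like a leftover.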