fix: specify further sudoes settings
This commit is contained in:
parent
93fe0a4826
commit
51bf2a08cf
@ -1,11 +1,10 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
sudo_users_sudoers: {}
|
sudo_users_sudoers: {}
|
||||||
# myuser:
|
# - commands:
|
||||||
# commands:
|
|
||||||
# - /usr/sbin/nologin
|
|
||||||
# without_password: yes
|
|
||||||
# myadmin:
|
|
||||||
# commands:
|
|
||||||
# - ALL
|
# - ALL
|
||||||
# without_password: yes
|
# filename: "" # Optional: Default to user or group
|
||||||
|
# group: "" # Group or User, not booth!
|
||||||
|
# nopassword: true
|
||||||
|
# runas: "" # Optional
|
||||||
|
# user: "markus": # Group or User, not booth!
|
@ -3,6 +3,16 @@
|
|||||||
- name: Load variables
|
- name: Load variables
|
||||||
include_vars: "{{ ansible_os_family }}.yml"
|
include_vars: "{{ ansible_os_family }}.yml"
|
||||||
|
|
||||||
|
- name: Verify variables
|
||||||
|
tags: [ testa ]
|
||||||
|
include_tasks: "{{ lookup('first_found', params) }}"
|
||||||
|
vars:
|
||||||
|
params:
|
||||||
|
files:
|
||||||
|
- "{{ ansible_distribution }}_verify_vars.yml"
|
||||||
|
- "{{ ansible_os_family }}_verify_vars.yml"
|
||||||
|
- "verify_vars.yml"
|
||||||
|
|
||||||
- name: Install sudo
|
- name: Install sudo
|
||||||
package:
|
package:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
@ -31,12 +41,60 @@
|
|||||||
- absent
|
- absent
|
||||||
- directory
|
- directory
|
||||||
|
|
||||||
- name: Create drop-in files of sudoers.d
|
- name: "Create sudoers drop-in file to execute commands for specific unix users"
|
||||||
|
tags: [ "testa" ]
|
||||||
community.general.sudoers:
|
community.general.sudoers:
|
||||||
name: "{{ item.key }}"
|
name: "{{ item.filename | default(item.user) }}"
|
||||||
state: present
|
state: present
|
||||||
user: "{{ item.key }}"
|
user: "{{ item.user }}"
|
||||||
nopassword: "{{ item.value.without_password | default(False) }}"
|
nopassword: "{{ item.nopassword | default(false) }}"
|
||||||
commands: "{{ items.value.command | join(',') if items.value.command is defined and items.value.command | length > 0 else 'ALL' }}"
|
commands: "{{ item.commands | default('ALL') }}"
|
||||||
when: "item.value | length > 0"
|
with_items:
|
||||||
with_dict: "{{ sudo_users_sudoers }}"
|
- "{{ sudo_users_sudoers }}"
|
||||||
|
when: item.user is defined and item.user | length > 0 and
|
||||||
|
item.group is not defined and
|
||||||
|
item.runas is not defined
|
||||||
|
|
||||||
|
- name: "Create sudoers drop-in file to execute commands for specific unix users as specific unix user"
|
||||||
|
tags: [ "testa" ]
|
||||||
|
community.general.sudoers:
|
||||||
|
name: "{{ item.filename | default(item.user) }}"
|
||||||
|
state: present
|
||||||
|
user: "{{ item.user }}"
|
||||||
|
runas: "{{ item.runas }}"
|
||||||
|
nopassword: "{{ item.nopassword | default(false) }}"
|
||||||
|
commands: "{{ item.commands | default('ALL') }}"
|
||||||
|
with_items:
|
||||||
|
- "{{ sudo_users_sudoers }}"
|
||||||
|
when: item.user is defined and item.user | length > 0 and
|
||||||
|
item.group is not defined and
|
||||||
|
item.runas is defined and item.runas | length > 0
|
||||||
|
|
||||||
|
- name: "Create sudoers drop-in file to execute commands for specific unix groups"
|
||||||
|
tags: [ "testa" ]
|
||||||
|
community.general.sudoers:
|
||||||
|
name: "{{ item.filename | default(item.group) }}"
|
||||||
|
state: present
|
||||||
|
group: "{{ item.group }}"
|
||||||
|
nopassword: "{{ item.nopassword | default(false) }}"
|
||||||
|
commands: "{{ item.commands | default('ALL') }}"
|
||||||
|
with_items:
|
||||||
|
- "{{ sudo_users_sudoers }}"
|
||||||
|
when: item.user is not defined and
|
||||||
|
item.group is defined and item.group | length > 0 and
|
||||||
|
item.runas is not defined
|
||||||
|
|
||||||
|
- name: "Create sudoers drop-in file to execute commands for specific unix groups as specifix unix user"
|
||||||
|
tags: [ "testa" ]
|
||||||
|
community.general.sudoers:
|
||||||
|
name: "{{ item.filename | default(item.group) }}"
|
||||||
|
state: present
|
||||||
|
group: "{{ item.group }}"
|
||||||
|
runas: "{{ item.runas }}"
|
||||||
|
nopassword: "{{ item.nopassword | default(false) }}"
|
||||||
|
commands: "{{ item.commands | default('ALL') }}"
|
||||||
|
with_items:
|
||||||
|
- "{{ sudo_users_sudoers }}"
|
||||||
|
when: item.user is not defined and
|
||||||
|
item.group is defined and item.group | length > 0 and
|
||||||
|
item.runas is defined and item.runas | length > 0
|
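--- a/tasks/verify_vars.yml
+++ b/tasks/verify_vars.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Verify if not user and group exists for each entry
+tags: [ testa ]
+ansible.builtin.assert:
+that:
+- (item.user is defined and item.group is not defined) or
+(item.user is not defined and item.group is defined)
+with_items:
+- "{{ sudo_users_sudoers }}"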