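---
## ---------------------------------- ##
## Adds a user to the list of sudoers ##
## ---------------------------------- ##
# What this task file actually does: detects the distribution's default
# sudoers group (`sudo` or `wheel`), removes any previously generated
# /etc/sudoers.d/custom_* drop-ins, and writes a single group rule.
#
# TODO: add to "admin" groups when needed on OSx/BSD
# https://stackoverflow.com/questions/33359404/ansible-best-practice-for-maintaining-list-of-sudoers
#
# SECURITY: the rule written by the last task grants every member of the
# detected group ALL commands with NOPASSWD, i.e. unauthenticated root for
# the whole group. Membership of that group must be controlled as tightly
# as the root password itself.
# NOTE(review): installing packages and writing /etc/sudoers.d requires
# root; `become: true` is assumed to be set by the calling play/role.

- name: install sudo package
  ansible.builtin.package:
    name: sudo
    state: present

# determine default group with sudo privileges
# ansible.builtin.getent replaces the bash `getent group | awk` pipeline; it
# exposes the group database as the `ansible_facts.getent_group` mapping,
# keyed by group name.
- name: get all groups
  ansible.builtin.getent:
    database: group

- name: find default sudoers group
  # XXX: in ascending order of precedence — set_fact runs once per match,
  # so the last matching entry (`wheel`) wins when both groups exist
  # see: https://wiki.archlinux.org/index.php/Sudo#Example_entries
  # The condition must use the renamed loop variable; with
  # `loop_var: sudoer_group` there is no `item` and the original
  # `when: item in ...` failed with "'item' is undefined".
  when: sudoer_group in ansible_facts.getent_group
  loop:
    - sudo
    - wheel
  loop_control:
    loop_var: sudoer_group
  ansible.builtin.set_fact:
    default_sudoers_group: "{{ sudoer_group }}"

# fail early with a clear message instead of letting the sudoers task trip
# over an undefined `default_sudoers_group` on hosts with neither group
- name: check that a default sudoers group was found
  ansible.builtin.assert:
    that:
      - default_sudoers_group is defined
    fail_msg: "no 'sudo' or 'wheel' group found in the group database"

- name: find preexisting custom sudoers files
  ansible.builtin.find:
    paths: "/etc/sudoers.d"
    patterns: "custom_*"
  register: find_custom_sudoers

# every custom_* drop-in is removed so the rule below is the only one left;
# the `when` guard only skips the task when `find` returned nothing
- name: reset custom sudoers files
  when: find_custom_sudoers.files
  loop: "{{ find_custom_sudoers.files }}"
  loop_control:
    loop_var: custom_sudoer_file
  ansible.builtin.file:
    path: "{{ custom_sudoer_file.path }}"
    state: absent

# Writes /etc/sudoers.d/custom_nologin granting the group ALL, NOPASSWD.
# NOTE(review): if the installed community.general version supports the
# module's `validation` option, enable visudo validation so a malformed rule
# cannot lock out sudo on the host.
- name: add custom sudoers file
  community.general.sudoers:
    name: custom_nologin
    state: present
    group: "{{ default_sudoers_group }}"
    commands: ALL
    nopassword: true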