From 531d2ed356834041ba2b1b70075b898081cc6812 Mon Sep 17 00:00:00 2001
From: L3D
Date: Thu, 15 Feb 2024 00:25:34 +0100
Subject: [PATCH] Update user permissions and improve linting

---
 roles/admin/README.md | 2 +-
 roles/admin/defaults/main.yml | 2 +-
 roles/admin/tasks/users.yml | 4 +--
 roles/admin/tasks/versioncheck.yml | 44 ++++++++++++++++++++++++++++++
 roles/user/README.md | 2 ++
 roles/user/defaults/main.yml | 4 ++-
 6 files changed, 53 insertions(+), 5 deletions(-)
 create mode 100644 roles/admin/tasks/versioncheck.yml

diff --git a/roles/admin/README.md b/roles/admin/README.md
index 56d6064..bf96b2a 100644
--- a/roles/admin/README.md
+++ b/roles/admin/README.md
@@ -24,7 +24,7 @@ The Option of these directory-variables are the following.
 | create_home | ``true`` | create a user home *(needed to store ssh keys)* |
 | admin | ``false`` | enable it to give the user superpowers |
 | admin_commands | string or list | Commands that are allows to be run as admin, eg. 'ALL' or specific script |
-| admin_nopassword | true/false | Need no Password for sudo |
+| admin_nopassword | false | Need no Password for sudo |
 | pubkeys | string or lookup | see examples |
 | exklusive_pubkeys | ``true`` | delete all undefined ssh keys |
 | password | password hash | See [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) |
diff --git a/roles/admin/defaults/main.yml b/roles/admin/defaults/main.yml
index 9f15c70..dab5a0b 100644
--- a/roles/admin/defaults/main.yml
+++ b/roles/admin/defaults/main.yml
@@ -5,13 +5,13 @@ l3d_users__default_users: {}
 # state: 'present'
 # shell: '/bin/bash'
 # create_home: true
-# admin: true
 # pubkeys: |
 # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPvvXN33GwkTF4ZOwPgF21Un4R2z9hWUuQt1qIfzQyhC
 # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAG65EdcM+JLv0gnzT9LcqVU47Pkw0SqiIg7XipXENi8
 # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJz7zEvUVgJJJsIgfG3izsqYcM22IaKz4jGVUbNRL2PX
 # exklusive_pubkeys: true
 # password: "$Password_hash"
+# admin: true
 # admin_commands: 'ALL'
 # admin_nopassword: false
 # - name: 'bob'
diff --git a/roles/admin/tasks/users.yml b/roles/admin/tasks/users.yml
index d51c5e6..e1a5010 100644
--- a/roles/admin/tasks/users.yml
+++ b/roles/admin/tasks/users.yml
@@ -7,7 +7,7 @@
 state: 'present'
 commands: "{{ item.admin_commands | default('ALL') }}"
 nopassword: "{{ item.admin_nopassword | default(false) }}"
- loop: "{{ _l3d_users_user__merged_users }}"
+ loop: "{{ _l3d_users__merged_users }}"
 loop_control:
 label: "user: ['{{ item.name }}']"
 when: item.state | default ('present') == 'present' and item.admin | default(false) | bool
@@ -18,7 +18,7 @@
 name: "{{ item.name }}-superpowers"
 state: 'absent'
 user: "{{ item.name }}"
- loop: "{{ _l3d_users_user__merged_users }}"
+ loop: "{{ _l3d_users__merged_users }}"
 loop_control:
 label: "user: ['{{ item.name }}']"
 when: item.state | default ('present') == 'present' and not item.admin | default(false) | bool
diff --git a/roles/admin/tasks/versioncheck.yml b/roles/admin/tasks/versioncheck.yml
new file mode 100644
index 0000000..7dd80c5
--- /dev/null
+++ b/roles/admin/tasks/versioncheck.yml
@@ -0,0 +1,44 @@
+---
+# Copyright (c) 2021 L3D
+# this file is released with the MIT license.
+# License: https://github.com/roles-ansible/ansible_role_template/blob/main/LICENSE
+- name: Create directory for versionscheck
+ become: true
+ ansible.builtin.file:
+ path: '/etc/.ansible-version'
+ state: directory
+ mode: '0755'
+ when: submodules_versioncheck | bool
+ - name: Check playbook version
+ become: true
+ ansible.builtin.slurp:
+ src: "/etc/.ansible-version/{{ playbook_version_path }}"
+ register: playbook_version
+ when: submodules_versioncheck | bool
+ failed_when: false
+ - name: Print remote role version # noqa: H500
+ ansible.builtin.debug:
+ msg: "Remote role version: {{ playbook_version.content | default('Y3VycmVudGx5IG5vdCBkZXBsb3llZAo=') | b64decode | string }}"
+ when: submodules_versioncheck | bool
+ - name: Print locale role version # noqa: H500
+ ansible.builtin.debug:
+ msg: "Local role version: '{{ playbook_version_number | string }}'."
+ when: submodules_versioncheck | bool
+ - name: Check if your version is outdated
+ ansible.builtin.fail:
+ msg: "Your ansible module has the version '{{ playbook_version_number }}' and is outdated. You need to update it!"
+ when:
+ - playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck | bool
+ - name: Write new version to remote disk
+ become: true
+ ansible.builtin.copy:
+ content: "{{ playbook_version_number }}"
+ dest: "/etc/.ansible-version/{{ playbook_version_path }}"
+ mode: '0644'
+ when: submodules_versioncheck | bool
+ tags: skip_ansible_lint_template-instead-of-copy
diff --git a/roles/user/README.md b/roles/user/README.md
index 0dee46f..ca7da02 100644
--- a/roles/user/README.md
+++ b/roles/user/README.md
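Review bot: Every task in the new versioncheck.yml keys off `submodules_versioncheck`, `playbook_version_path` and `playbook_version_number`, but none of the three is set in the defaults hunks this commit touches and the file is not wired into the role's task list anywhere in the patch, so unless they are defined elsewhere the first `when: submodules_versioncheck | bool` aborts with an undefined-variable error instead of skipping. Guard the toggle as `when: submodules_versioncheck | default(false) | bool` (and in the combined condition on the fail task) and confirm the three variables are declared in defaults/main.yml. Because `playbook_version_path` is spliced straight into `dest: "/etc/.ansible-version/{{ playbook_version_path }}"` and written with `become: true`, it should be treated as a fixed role constant rather than an inventory-overridable value — a `../` component would let the copy task clobber an arbitrary root-owned file — or be sanitised with `| basename` before use. The `0755`/`0644` modes also make the deployed role version readable by every local account; that is only a minor disclosure, but `0750`/`0640` costs nothing if root is the only reader.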
@@ -22,6 +22,8 @@ The Option of these directory-variables are the following.
 | shell | ``/bin/bash`` | The Shell of the User |
 | create_home | ``true`` | create a user home *(needed to store ssh keys)* |
 | admin | ``false`` | enable it to give the user superpowers |
+| admin_commands | string or list | Commands that are allows to be run as admin, eg. 'ALL' or specific script |
+| admin_nopassword | false | Need no Password for sudo |
 | pubkeys | string or lookup | see examples |
 | exklusive_pubkeys | ``true`` | delete all undefined ssh keys |
 | password | password hash | See [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) |
diff --git a/roles/user/defaults/main.yml b/roles/user/defaults/main.yml
index 1a49442..5661a94 100644
--- a/roles/user/defaults/main.yml
+++ b/roles/user/defaults/main.yml
@@ -5,13 +5,15 @@ l3d_users__default_users: {}
 # state: 'present'
 # shell: '/bin/bash'
 # create_home: true
-# admin: true
 # pubkeys: |
 # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPvvXN33GwkTF4ZOwPgF21Un4R2z9hWUuQt1qIfzQyhC
 # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAG65EdcM+JLv0gnzT9LcqVU47Pkw0SqiIg7XipXENi8
 # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJz7zEvUVgJJJsIgfG3izsqYcM22IaKz4jGVUbNRL2PX
 # exklusive_pubkeys: true
 # password: "$Password_hash"
+# admin: true
+# admin_commands: 'ALL'
+# admin_nopassword: false
 # - name: 'bob'
 # state: 'present'
 # shell: '/bin/zsh'