From 685d50b5e46668ecd78c62691043147b61fbe458 Mon Sep 17 00:00:00 2001 From: L3D Date: Wed, 14 Feb 2024 22:51:50 +0100 Subject: [PATCH] Create sudo permissions --- roles/admin/README.md | 68 ++++++++++++++++++++++++++++++ roles/admin/defaults/main.yml | 31 ++++++++++++++ roles/admin/tasks/main.yml | 22 ++++++++++ roles/admin/tasks/sudo.yml | 14 ++++++ roles/admin/tasks/user_ansible.yml | 10 +++++ roles/admin/tasks/users.yml | 24 +++++++++++ roles/admin/vars/main.yml | 3 ++ 7 files changed, 172 insertions(+) create mode 100644 roles/admin/README.md create mode 100644 roles/admin/defaults/main.yml create mode 100644 roles/admin/tasks/main.yml create mode 100644 roles/admin/tasks/sudo.yml create mode 100644 roles/admin/tasks/user_ansible.yml create mode 100644 roles/admin/tasks/users.yml create mode 100644 roles/admin/vars/main.yml diff --git a/roles/admin/README.md b/roles/admin/README.md new file mode 100644 index 0000000..56d6064 --- /dev/null +++ b/roles/admin/README.md 
@@ -0,0 +1,68 @@ + Ansible Role Admin +==================== + +Ansible role l3d.users.admin Manage Admin-Permissions of Users. + +# WORK IN PROGRESS + +There are two variables to define users. The ``l3d_users__default_users`` is ment to put to your group_vars to define a default for your system. The ``l3d_users__local_users`` could be put in your host_vars to define host-specific user and admin roles. + + Variables: +----------- + +### User Management + ++ The dictionary-variable for your group_vars to set your general users and admins is ``l3d_users__default_users``. ++ The dictionary-variable for your host_vars to set your host-specific users and admins is: ``l3d_users__local_users``. +The Option of these directory-variables are the following. + +| option | values | description | +| ------ | ------ | --- | +| name | string | The user you want to create | +| state | ``present`` | Create or delete user | +| shell | ``/bin/bash`` | The Shell of the User | +| create_home | ``true`` | create a user home *(needed to store ssh keys)* | +| admin | ``false`` | enable it to give the user superpowers | +| admin_commands | string or list | Commands that are allows to be run as admin, eg. 
'ALL' or specific script | +| admin_nopassword | true/false | Need no Password for sudo | +| pubkeys | string or lookup | see examples | +| exklusive_pubkeys | ``true`` | delete all undefined ssh keys | +| password | password hash | See [official FAQ](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) | +| remove | ``false`` | completly remove user if state is absent | + +### Other + +| name | default value | description | +| --- | --- | --- | +| submodules_versioncheck | ``false`` | Optionaly enable simple versionscheck of this role | + + Example Playbook +----------------- +```yaml +- name: Create System with User and Passwords + hosts: example.com + roles: + - {role: l3d.users.user, tags: 'user'} + vars: + l3d_users__local_users: + - name: 'alice' + state: 'present' + shell: '/bin/bash' + create_home: true + admin: true + admin_commands: 'ALL' + pubkeys: | + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPvvXN33GwkTF4ZOwPgF21Un4R2z9hWUuQt1qIfzQyhC + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAG65EdcM+JLv0gnzT9LcqVU47Pkw0SqiIg7XipXENi8 + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJz7zEvUVgJJJsIgfG3izsqYcM22IaKz4jGVUbNRL2PX + exklusive_pubkeys: true + - name: 'bob' + state: 'present' + admin: false + pubkeys: "{{ lookup('url', 'https://github.com/do1jlr.keys', split_lines=False) }}" + + l3d_users__create_ansible: true + l3d_users__set_ansible_ssh_keys: true + l3d_users__ansible_ssh_keys: "{{ lookup('url', 'https://github.com/do1jlr.keys', split_lines=False) }}" + submodules_versioncheck: true +``` diff --git a/roles/admin/defaults/main.yml b/roles/admin/defaults/main.yml new file mode 100644 index 0000000..9f15c70 --- /dev/null +++ b/roles/admin/defaults/main.yml 
@@ -0,0 +1,31 @@
+---
+# create users
+l3d_users__default_users: {}
+# - name: 'alice'
+# state: 'present'
+# shell: '/bin/bash'
+# create_home: true
+# admin: true
+# pubkeys: |
+# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPvvXN33GwkTF4ZOwPgF21Un4R2z9hWUuQt1qIfzQyhC
+# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAG65EdcM+JLv0gnzT9LcqVU47Pkw0SqiIg7XipXENi8
+# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJz7zEvUVgJJJsIgfG3izsqYcM22IaKz4jGVUbNRL2PX
+# exklusive_pubkeys: true
+# password: "$Password_hash"
+# admin_commands: 'ALL'
+# admin_nopassword: false
+# - name: 'bob'
+# state: 'present'
+# shell: '/bin/zsh'
+# admin: false
+# pubkeys: "{{ lookup('url', 'https://github.com/do1jlr.keys', split_lines=False) }}"
+# exklusive_pubkeys: false
+
+l3d_users__local_users: {}
+# - name: 'charlie'
+# state: 'present'
+# admin: false
+# pubkeys: "{{ lookup('url', 'https://github.com/do1jlr.keys', split_lines=False) }}"
+
+# run simple versionscheck
+submodules_versioncheck: false
diff --git a/roles/admin/tasks/main.yml b/roles/admin/tasks/main.yml
new file mode 100644
index 0000000..37e7d49
--- /dev/null
+++ b/roles/admin/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+- name: Perform optional versionscheck
+ ansible.builtin.include_tasks:
+ file: 'versioncheck.yml'
+ when: submodules_versioncheck | bool
+
+- name: Install sudo
+ ansible.builtin.include_tasks:
+ file: 'sudo.yml'
+
+- name: Merge default and locale Users
+ ansible.builtin.set_fact:
+ _l3d_users__merged_users: "{{ l3d_users__default_users + l3d_users__local_users }}"
+
+- name: Give ansible user superpowes
+ ansible.builtin.include_tasks:
+ file: 'user_ansible.yml'
+ when: l3d_users__create_ansible | bool
+
+- name: Create Groups and Users
+ ansible.builtin.include_tasks:
+ file: 'users.yml'
diff --git a/roles/admin/tasks/sudo.yml b/roles/admin/tasks/sudo.yml
new file mode 100644
index 0000000..1132a80
--- /dev/null
+++ b/roles/admin/tasks/sudo.yml
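Review bot: Both user variables default to a mapping (`l3d_users__default_users: {}`, `l3d_users__local_users: {}`) while the commented examples and the README show lists, and tasks/main.yml concatenates the two with `+` and tasks/users.yml loops over the result, so a play that sets neither variable fails at the merge (dict + dict) instead of doing nothing. Change both lines to `l3d_users__default_users: []` and `l3d_users__local_users: []`. The role also reads `l3d_users__create_ansible` and `l3d_users__ansible_user_state`, neither of which is declared here; unless they are defined elsewhere in the collection, add defaults for both (presumably `false`) so the passwordless-sudo task for the ansible account is opt-in rather than an undefined-variable error.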
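Review bot: The merge `l3d_users__default_users + l3d_users__local_users` keeps both entries when the same `name` appears in group_vars and host_vars, so the README's promise that host_vars override the defaults does not hold for the admin flag: users.yml runs the grant task over the whole list and then the removal task, so a default entry with `admin: false` silently strips sudo from a host-specific `admin: true`, and the reverse combination grants sudo the host_vars meant to withhold. Merge by name with the local entry winning, e.g. drop default entries whose name occurs in the local list before concatenating, as below. Separately, `when: l3d_users__create_ansible | bool` references a variable this commit does not define in defaults/main.yml; if it is not set elsewhere the include fails as undefined rather than being skipped. The task names also carry typos (`locale`, `superpowes`).

```yaml
- name: Merge default and local users (host-specific entries override defaults by name)
  ansible.builtin.set_fact:
    _l3d_users__merged_users: >-
      {{ (l3d_users__default_users
          | rejectattr('name', 'in', l3d_users__local_users | map(attribute='name') | list)
          | list) + (l3d_users__local_users | list) }}
```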
@@ -0,0 +1,14 @@
+---
+- name: Update apt cache
+ become: true
+ ansible.builtin.apt:
+ cache_valid_time: 3600
+ update_cache: true
+ when:
+ - ansible_pkg_mgr == "apt"
+
+- name: Install sudo
+ become: true
+ ansible.builtin.package:
+ name: 'sudo'
+ state: present
diff --git a/roles/admin/tasks/user_ansible.yml b/roles/admin/tasks/user_ansible.yml
new file mode 100644
index 0000000..e0f553b
--- /dev/null
+++ b/roles/admin/tasks/user_ansible.yml
@@ -0,0 +1,10 @@
+---
+- name: Give ansible user sudo permissions
+ become: true
+ community.general.sudoers:
+ name: 'ansible_superpowers'
+ commands: 'ALL'
+ nopassword: true
+ user: "{{ l3d_users__ansible_user_state | ternary('present', 'absent') }}"
+ validation: 'required'
+ state: 'present'
diff --git a/roles/admin/tasks/users.yml b/roles/admin/tasks/users.yml
new file mode 100644
index 0000000..d51c5e6
--- /dev/null
+++ b/roles/admin/tasks/users.yml
@@ -0,0 +1,24 @@
+---
+- name: Give admins superpower
+ become: true
+ community.general.sudoers:
+ name: "{{ item.name }}-superpowers"
+ user: "{{ item.name }}"
+ state: 'present'
+ commands: "{{ item.admin_commands | default('ALL') }}"
+ nopassword: "{{ item.admin_nopassword | default(false) }}"
+ loop: "{{ _l3d_users_user__merged_users }}"
+ loop_control:
+ label: "user: ['{{ item.name }}']"
+ when: item.state | default ('present') == 'present' and item.admin | default(false) | bool
+
+- name: Remove superpowers from Users
+ become: true
+ community.general.sudoers:
+ name: "{{ item.name }}-superpowers"
+ state: 'absent'
+ user: "{{ item.name }}"
+ loop: "{{ _l3d_users_user__merged_users }}"
+ loop_control:
+ label: "user: ['{{ item.name }}']"
+ when: item.state | default ('present') == 'present' and not item.admin | default(false) | bool
diff --git a/roles/admin/vars/main.yml b/roles/admin/vars/main.yml
new file mode 100644
index 0000000..23c4cc4
--- /dev/null
+++ b/roles/admin/vars/main.yml
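Review bot: In user_ansible.yml the `user:` field receives the ternary result, so the rule is written for an account literally named `present` (or `absent`) instead of the ansible user, while `state: 'present'` is hard-coded; the effect is a `NOPASSWD: ALL` entry in /etc/sudoers.d/ansible_superpowers for a username anyone who can create a local account could claim, and no path that ever removes the rule. Swap the two fields: `user: 'ansible'` (the README's `l3d_users__create_ansible` suggests that name — confirm against the role that creates the account) and `state: "{{ l3d_users__ansible_user_state | ternary('present', 'absent') }}"`. `l3d_users__ansible_user_state` is not declared in this commit's defaults, so if it is undefined the task errors instead of defaulting to absent.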
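Review bot: Both tasks in users.yml loop over `_l3d_users_user__merged_users`, but tasks/main.yml sets `_l3d_users__merged_users`, so the loops fail on an undefined variable before any sudoers file is written; change both `loop:` lines to `loop: "{{ _l3d_users__merged_users }}"`. The removal task only fires for `state: present` with `admin: false`, so moving a former admin to `state: absent` leaves /etc/sudoers.d/<name>-superpowers in place for whoever next receives that username; use `when: item.state | default('present') != 'present' or not (item.admin | default(false) | bool)` on the removal task. For consistency with user_ansible.yml, add `validation: 'required'` to the grant task so a malformed user-supplied `admin_commands` value is rejected by visudo rather than installed.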
@@ -0,0 +1,3 @@
+---
+playbook_version_number: 3
+playbook_version_path: 'l3d.users.admin.version'