author | Christian Pointner <equinox@spreadspace.org> | 2024-04-22 19:53:43 +0200 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2024-04-22 19:53:43 +0200 |
commit | c17fccec08689065c8f4f902544e984521c7437b (patch) | |
tree | 762e7e346682fefa054e69391bdb85ba6f8f76b0 | |
parent | ch-apps: upgrade whawty-auth to latest release (diff) |
revamp: user/group handling
38 files changed, 84 insertions, 36 deletions
diff --git a/chaos-at-home/ch-equinox-t450s.yml b/chaos-at-home/ch-equinox-t450s.yml
index e8986b51..35f76d6d 100644
--- a/chaos-at-home/ch-equinox-t450s.yml
+++ b/chaos-at-home/ch-equinox-t450s.yml
@@ -30,7 +30,7 @@
 - role: storage/zfs/base
 - role: storage/zfs/sanoid
 - role: ws/base
- - role: core/admin-users
+ - role: core/users
 - role: network/wireguard/base
 - role: ws/minet
 - role: ws/pipewire
diff --git a/chaos-at-home/ch-equinox-ws.yml b/chaos-at-home/ch-equinox-ws.yml
index 7869a46c..e89df4f3 100644
--- a/chaos-at-home/ch-equinox-ws.yml
+++ b/chaos-at-home/ch-equinox-ws.yml
@@ -31,7 +31,7 @@
 - role: storage/zfs/base
 - role: storage/zfs/sanoid
 - role: ws/base
- - role: core/admin-users
+ - role: core/users
 - role: ws/pipewire
 - role: ws/flatpak
 post_tasks:
diff --git a/chaos-at-home/ch-hpws-maxi.yml b/chaos-at-home/ch-hpws-maxi.yml
index 8d0e42a9..bdba1e16 100644
--- a/chaos-at-home/ch-hpws-maxi.yml
+++ b/chaos-at-home/ch-hpws-maxi.yml
@@ -11,4 +11,4 @@
 - role: apt-repo/obs-studio
 - role: apt-repo/spreadspace
 - role: ws/base
- - role: core/admin-users
+ - role: core/users
diff --git a/chaos-at-home/ch-hpws-mini1.yml b/chaos-at-home/ch-hpws-mini1.yml
index 70fe8192..5f4f814c 100644
--- a/chaos-at-home/ch-hpws-mini1.yml
+++ b/chaos-at-home/ch-hpws-mini1.yml
@@ -11,4 +11,4 @@
 - role: apt-repo/obs-studio
 - role: apt-repo/spreadspace
 - role: ws/base
- - role: core/admin-users
+ - role: core/users
diff --git a/chaos-at-home/ch-hyperion.yml b/chaos-at-home/ch-hyperion.yml
index b0c97ee0..2b895103 100644
--- a/chaos-at-home/ch-hyperion.yml
+++ b/chaos-at-home/ch-hyperion.yml
@@ -15,6 +15,6 @@
 - role: apt-repo/obs-studio
 - role: apt-repo/spreadspace
 - role: ws/base
- - role: core/admin-users
+ - role: core/users
 - role: streaming/blackmagic/desktopvideo
 - role: streaming/blackmagic/mediaexpress
diff --git a/chaos-at-home/ch-tarvos.yml b/chaos-at-home/ch-tarvos.yml
index 19e247c9..fe0bbe80 100644
--- a/chaos-at-home/ch-tarvos.yml
+++ b/chaos-at-home/ch-tarvos.yml
@@ -14,4 +14,4 @@
 roles:
 - role: apt-repo/spreadspace
 - role: ws/base
- - role: core/admin-users
+ - role: core/users
diff --git a/chaos-at-home/ch-telesto.yml b/chaos-at-home/ch-telesto.yml
index 3e54220e..3cbd6942 100644
--- a/chaos-at-home/ch-telesto.yml
+++ b/chaos-at-home/ch-telesto.yml
@@ -16,7 +16,7 @@
 - role: apt-repo/obs-studio
 - role: apt-repo/spreadspace
 - role: ws/base
- - role: core/admin-users
+ - role: core/users
 - role: streaming/blackmagic/desktopvideo
 - role: streaming/blackmagic/mediaexpress
 post_tasks:
diff --git a/chaos-at-home/ch-ymir.yml b/chaos-at-home/ch-ymir.yml
index 1f9af09c..6aeb64a7 100644
--- a/chaos-at-home/ch-ymir.yml
+++ b/chaos-at-home/ch-ymir.yml
@@ -14,4 +14,4 @@
 roles:
 - role: apt-repo/spreadspace
 - role: ws/base
- - role: core/admin-users
+ - role: core/users
diff --git a/dan/ele-chromebook.yml b/dan/ele-chromebook.yml
index ad1c5936..411c49b7 100644
--- a/dan/ele-chromebook.yml
+++ b/dan/ele-chromebook.yml
@@ -12,7 +12,7 @@
 hosts: ele-chromebook
 roles:
 - role: ws/base
- - role: core/admin-users
+ - role: core/users
 - role: ws/flatpak
 post_tasks:
 - name: install script to configure hdmi out
diff --git a/dan/ele-dione.yml b/dan/ele-dione.yml
index 52c9528d..95800036 100644
--- a/dan/ele-dione.yml
+++ b/dan/ele-dione.yml
@@ -12,7 +12,7 @@
 - name: Payload Setup
 hosts: ele-dione
 roles:
- - role: core/admin-users
+ - role: core/users
 - role: storage/zfs/base
 - role: apt-repo/spreadspace
 - role: nginx/base
diff --git a/dan/ele-emcplayer.yml b/dan/ele-emcplayer.yml
index 91b1a555..0b9d7568 100644
--- a/dan/ele-emcplayer.yml
+++ b/dan/ele-emcplayer.yml
@@ -13,7 +13,7 @@
 hosts: "{{ install_hostname }}"
 roles:
 - role: ws/base
- - role: core/admin-users
+ - role: core/users
 post_tasks:
 - name: generate play script
 copy:
diff --git a/dan/ele-hpws-maxi.yml b/dan/ele-hpws-maxi.yml
index a5c67366..1661de96 100644
--- a/dan/ele-hpws-maxi.yml
+++ b/dan/ele-hpws-maxi.yml
@@ -15,4 +15,4 @@
 - role: apt-repo/obs-studio
 - role: apt-repo/spreadspace
 - role: ws/base
- - role: core/admin-users
+ - role: core/users
diff --git a/dan/ele-hpws-mini2.yml b/dan/ele-hpws-mini2.yml
index 800f3e8c..83341a64 100644
--- a/dan/ele-hpws-mini2.yml
+++ b/dan/ele-hpws-mini2.yml
@@ -14,7 +14,7 @@
 roles:
 - role: apt-repo/spreadspace
 - role: ws/base
- - role: core/admin-users
+ - role: core/users
 post_tasks:
 - name: install chromium start script
 copy:
diff --git a/dan/ele-hyperion.yml b/dan/ele-hyperion.yml
index d2134382..3402de41 100644
--- a/dan/ele-hyperion.yml
+++ b/dan/ele-hyperion.yml
@@ -17,7 +17,7 @@
 - role: nginx/base
 - role: monitoring/prometheus/exporter
 - role: ws/base
- - role: core/admin-users
+ - role: core/users
 - role: streaming/blackmagic/desktopvideo
 - role: streaming/blackmagic/mediaexpress
 - role: docker/engine
diff --git a/dan/ele-media.yml b/dan/ele-media.yml
index 5406c56a..d22f91dd 100644
--- a/dan/ele-media.yml
+++ b/dan/ele-media.yml
@@ -12,7 +12,7 @@
 - name: Payload Setup
 hosts: ele-media
 roles:
- - role: core/admin-users
+ - role: core/users
 - role: storage/zfs/base
 - role: apt-repo/spreadspace
 - role: kubernetes/base
diff --git a/dan/ele-telesto.yml b/dan/ele-telesto.yml
index c33ff5dc..f8f7f55a 100644
--- a/dan/ele-telesto.yml
+++ b/dan/ele-telesto.yml
@@ -12,7 +12,7 @@
 - name: Payload Setup
 hosts: ele-telesto
 roles:
- - role: core/admin-users
+ - role: core/users
 - role: apt-repo/spreadspace
 - role: nginx/base
 - role: monitoring/prometheus/exporter
diff --git a/dan/ele-thetys.yml b/dan/ele-thetys.yml
index e0775d23..a1a259d2 100644
--- a/dan/ele-thetys.yml
+++ b/dan/ele-thetys.yml
@@ -13,7 +13,7 @@
 hosts: ele-thetys
 roles:
 - role: storage/lvm/base
- - role: core/admin-users
+ - role: core/users
 - role: apt-repo/spreadspace
 - role: nginx/base
 - role: monitoring/prometheus/exporter
diff --git a/dan/ele-tsdatacop.yml b/dan/ele-tsdatacop.yml
index 33787320..949bbba2 100644
--- a/dan/ele-tsdatacop.yml
+++ b/dan/ele-tsdatacop.yml
@@ -15,7 +15,7 @@
 - role: apt-repo/obs-studio
 - role: apt-repo/spreadspace
 - role: ws/base
- - role: core/admin-users
+ - role: core/users
 - role: streaming/blackmagic/desktopvideo
 - role: streaming/blackmagic/mediaexpress
 post_tasks:
diff --git a/dan/ele-uhrturm.yml b/dan/ele-uhrturm.yml
index ff5f3332..2b102803 100644
--- a/dan/ele-uhrturm.yml
+++ b/dan/ele-uhrturm.yml
@@ -11,7 +11,6 @@
 - name: Payload Setup
 hosts: ele-uhrturm
 roles:
- - role: core/admin-users
 - role: streaming/blackmagic/desktopvideo
 - role: apt-repo/spreadspace
 - role: docker/engine
diff --git a/dan/ele-ymir.yml b/dan/ele-ymir.yml
index d82c42cd..ac94cbee 100644
--- a/dan/ele-ymir.yml
+++ b/dan/ele-ymir.yml
@@ -16,7 +16,7 @@
 - role: nginx/base
 - role: monitoring/prometheus/exporter
 - role: ws/base
- - role: core/admin-users
+ - role: core/users
 post_tasks:
 ## TODO: move to network/netplan when this is done
 - name: install vlan interfaces
diff --git a/dan/sk-2019.yml b/dan/sk-2019.yml
index 525c2353..3d555ba5 100644
--- a/dan/sk-2019.yml
+++ b/dan/sk-2019.yml
@@ -7,7 +7,7 @@
 # - role: core/sshd/base
 # - role: core/zsh
 - role: core/cpu-microcode
- # - role: core/admin-users
+ # - role: core/users
 - role: storage/luks/base
 - role: storage/zfs/base
 - role: apt-repo/spreadspace
diff --git a/dan/sk-2019vm.yml b/dan/sk-2019vm.yml
index 3f1baedd..d7c42245 100644
--- a/dan/sk-2019vm.yml
+++ b/dan/sk-2019vm.yml
@@ -7,7 +7,7 @@
 - role: core/sshd/base
 - role: core/zsh
 - role: core/cpu-microcode
- - role: core/admin-users
+ - role: core/users
 - role: storage/luks/base
 - role: storage/zfs/base
 - role: storage/zfs/sanoid
diff --git a/dan/sk-cloudio.yml b/dan/sk-cloudio.yml
index ba809fdf..244c771c 100644
--- a/dan/sk-cloudio.yml
+++ b/dan/sk-cloudio.yml
@@ -11,7 +11,7 @@
 - name: Payload Setup
 hosts: sk-cloudio
 roles:
- - role: core/admin-users
+ - role: core/users
 - role: storage/zfs/base
 - role: apt-repo/spreadspace
 - role: storage/zfs/sanoid
diff --git a/dan/sk-tomnext-nc.yml b/dan/sk-tomnext-nc.yml
index aa0a6abe..b8a6dc13 100644
--- a/dan/sk-tomnext-nc.yml
+++ b/dan/sk-tomnext-nc.yml
@@ -10,7 +10,7 @@
 - name: Payload Setup
 hosts: sk-tomnext-nc
 roles:
- - role: core/admin-users
+ - role: core/users
 - role: storage/zfs/base
 - role: apt-repo/spreadspace
 - role: storage/zfs/sanoid
diff --git a/dan/sk-tomnext.yml b/dan/sk-tomnext.yml
index c643499f..8ad69918 100644
--- a/dan/sk-tomnext.yml
+++ b/dan/sk-tomnext.yml
@@ -7,7 +7,7 @@
 - role: core/sshd/base
 - role: core/zsh
 - role: core/cpu-microcode
- - role: core/admin-users
+ - role: core/users
 - role: storage/luks/base
 - role: storage/zfs/base
 - role: storage/zfs/sanoid
diff --git a/dan/sk-torrent.yml b/dan/sk-torrent.yml
index cd29e91d..e6a176c1 100644
--- a/dan/sk-torrent.yml
+++ b/dan/sk-torrent.yml
@@ -6,5 +6,5 @@
 - role: core/base
 - role: core/sshd/base
 - role: core/zsh
- - role: core/admin-users
+ - role: core/users
 - role: skillz/torrent
diff --git a/inventory/group_vars/all/vars.yml b/inventory/group_vars/all/vars.yml
index f72f71ef..03bce8d5 100644
--- a/inventory/group_vars/all/vars.yml
+++ b/inventory/group_vars/all/vars.yml
@@ -12,11 +12,19 @@ ssh_users_root:
 ssh_keys_root: "{{ ssh_users_root | default([]) | map('extract', users) | map(attribute='ssh') | flatten | list }}"
 ssh_keys_root_extra: []
+## to be overriden in host_vars
+normal_users_host: []
 admin_users_host: []
-sshd_allowusers_host: "{{ admin_users_host }}"
+sshd_allowusers_host: "{{ normal_users_host | union(admin_users_host) }}"
+normal_groups_host: {}
+system_groups_host: {}
+## to be overriden in group_vars
+normal_users_group: []
 admin_users_group: []
-sshd_allowusers_group: "{{ admin_users_group }}"
+sshd_allowusers_group: "{{ normal_users_group | union(admin_users_group) }}"
+normal_groups_group: {}
+system_groups_group: {}
 apt_repo_provider: default
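Review bot: The new defaults for `sshd_allowusers_host` and `sshd_allowusers_group` admit every normal user to SSH, not only admins, while the users role installs keys only for entries that carry an `ssh` field; whether a normal user without keys can still log in then depends on the sshd password-authentication settings, which are not part of this change. If some normal users are meant to be local-only accounts, the host or group should override the allow list explicitly, or the default should stay admin-only with normal users opted in per host. A short comment next to the two `sshd_allowusers_*` lines stating that normal users are allowed by default would make the change in policy visible to whoever adds the next `normal_users_host` entry. Both new comments spell it `overriden`; `overridden` is the correct form.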
diff --git a/inventory/group_vars/chaos-at-home/vars.yml b/inventory/group_vars/chaos-at-home/vars.yml
index 1dda9cb0..316d28a3 100644
--- a/inventory/group_vars/chaos-at-home/vars.yml
+++ b/inventory/group_vars/chaos-at-home/vars.yml
@@ -1,9 +1,6 @@
 ---
 zsh_banner: chaos-at-home
-admin_users_group:
- - equinox
-
 acme_account_email: admin@chaos-at-home.org
 apt_repo_provider: anexia
diff --git a/roles/core/groups/tasks/main.yml b/roles/core/groups/tasks/main.yml
new file mode 100644
index 00000000..aa19aabc
--- /dev/null
+++ b/roles/core/groups/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+- name: add system groups
+ loop: "{{ system_groups | list }}"
+ group:
+ name: "{{ item }}"
+ state: present
+ system: yes
+
+- name: add normal groups
+ loop: "{{ normal_groups | list }}"
+ group:
+ name: "{{ item }}"
+ state: present
+
+ ## TODO: until something like this https://github.com/ansible/ansible/issues/11024 lands
+ ## we will do this the quick and dirty way
+
+- name: set group members the hacky way
+ loop: "{{ normal_groups | combine(system_groups) | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ lineinfile:
+ path: /etc/group
+ regexp: '^{{ item.key }}:(.*):[^:]*$'
+ backrefs: yes
+ line: '{{ item.key }}:\1:{{ item.value | sort | join(",") }}'
diff --git a/roles/core/groups/vars/main.yml b/roles/core/groups/vars/main.yml
new file mode 100644
index 00000000..e09ecea3
--- /dev/null
+++ b/roles/core/groups/vars/main.yml
@@ -0,0 +1,3 @@
+---
+normal_groups: "{{ normal_groups_group | combine(normal_groups_host) }}"
+system_groups: "{{ system_groups_group | combine(system_groups_host) }}"
diff --git a/roles/core/admin-users/tasks/Debian.yml b/roles/core/users/tasks/Debian.yml
index 6d8d6f95..a4827df9 100644
--- a/roles/core/admin-users/tasks/Debian.yml
+++ b/roles/core/users/tasks/Debian.yml
@@ -1,5 +1,6 @@
 ---
 - name: install sudo
+ when: (admin_users | length) > 0
 apt:
 name: sudo
 state: present
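Review bot: This removes `equinox` as the only `admin_users_group` entry for chaos-at-home, and nothing else in the commit adds that user back for those hosts, so after this change the group-level admin list and the derived `sshd_allowusers_group` are empty unless `admin_users_host` is set in host_vars outside this diff. If the move to per-host definitions is intentional, a one-line comment here saying where admin users for the group now live, e.g. `## admin users are defined per host via admin_users_host`, would spare the next reader the search. Worth checking on a single host before a group-wide run, since a wrong assumption here affects remote admin access.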
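Review bot: In `set group members the hacky way`, `item.key` is interpolated into `regexp` unescaped, so a group name containing a regex metacharacter (a dot, for instance) can match a different line and, through the `(.*)` backreference, rewrite another group's member list; use `regexp: '^{{ item.key | regex_escape }}:(.*):[^:]*$'`. A group declared without members (`name:` with no value) also makes `sort` fail on a null, so `{{ item.value | default([], true) | sort | join(",") }}` is safer. Editing `/etc/group` directly leaves `/etc/gshadow` with its previous member list and does not check that the listed names exist as accounts, which is worth stating in the TODO comment above the task so the divergence is not mistaken for drift; as far as this diff shows, no playbook includes `core/groups` yet, so the role is untested by this change.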
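Review bot: `when: (admin_users | length) > 0` on `install sudo` only skips the install when the admin list is empty; it does not remove sudo on a host whose last admin was just taken out, so the privilege path stays in place until someone cleans up by hand. The same holds for both guarded tasks in tasks/OpenBSD.yml, where the `%wheel` sudoers line is enabled but never reverted. If that is the intended behaviour, a comment on the task such as `## installed on demand only, never removed by this role` makes it explicit; otherwise a `state: absent` counterpart is needed.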
diff --git a/roles/core/admin-users/tasks/OpenBSD.yml b/roles/core/users/tasks/OpenBSD.yml
index 1a04a3d3..d04d3d7a 100644
--- a/roles/core/admin-users/tasks/OpenBSD.yml
+++ b/roles/core/users/tasks/OpenBSD.yml
@@ -1,10 +1,12 @@
 ---
 - name: install sudo
+ when: (admin_users | length) > 0
 openbsd_pkg:
 name: sudo--
 state: present
 - name: allow wheel group to use sudo
+ when: (admin_users | length) > 0
 lineinfile:
 regexp: '^#?\s*%wheel(\s+)ALL=\(ALL\) SETENV: ALL$'
 line: '%wheel\1ALL=(ALL) SETENV: ALL'
diff --git a/roles/core/admin-users/tasks/main.yml b/roles/core/users/tasks/main.yml
index a5b1c7bd..43fe92f4 100644
--- a/roles/core/admin-users/tasks/main.yml
+++ b/roles/core/users/tasks/main.yml
@@ -19,8 +19,16 @@
 loop_var: tasks_file
 include_tasks: "{{ tasks_file }}"
+- name: add normal users
+ loop: "{{ normal_users | difference(admin_users) }}"
+ user:
+ name: "{{ item }}"
+ state: present
+ password: "{{ hostvars[inventory_hostname]['vault_user_password_'+item] }}" ## TODO: find nicer way to do this
+ shell: "{{ users[item].shell | default(admin_users_default_shell) }}"
+
 - name: add admin users
- loop: "{{ admin_users_group | union(admin_users_host) }}"
+ loop: "{{ admin_users }}"
 user:
 name: "{{ item }}"
 state: present
@@ -29,8 +37,9 @@
 append: yes
 shell: "{{ users[item].shell | default(admin_users_default_shell) }}"
-- name: install ssh keys for admin users
- loop: "{{ admin_users_group | union(admin_users_host) }}"
+- name: install ssh keys for users
+ loop: "{{ normal_users | union(admin_users) }}"
+ when: "'ssh' in users[item]"
 authorized_key:
 user: "{{ item }}"
 key: "{{ users[item].ssh | join('\n') }}"
diff --git a/roles/core/admin-users/vars/Debian.yml b/roles/core/users/vars/Debian.yml
index af8d20ca..af8d20ca 100644
--- a/roles/core/admin-users/vars/Debian.yml
+++ b/roles/core/users/vars/Debian.yml
diff --git a/roles/core/admin-users/vars/OpenBSD.yml b/roles/core/users/vars/OpenBSD.yml
index a1d958d6..a1d958d6 100644
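Review bot: In `add normal users`, `password:` is passed straight to the `user` module, which stores the value as the account's password hash; nothing documents that `vault_user_password_<name>` must therefore hold a crypt(3) hash rather than a cleartext password, and with the module's default `update_password: always` the hash is re-applied on every run, undoing any password the user changed locally. A comment on the task, e.g. `## vault_user_password_<name> must be a crypt(3) hash; re-applied on every run`, or `update_password: on_create` if self-service password changes are expected, would make the intent explicit. As far as the hunk shows, neither task has a `state: absent` path, so a user dropped from `normal_users` or `admin_users` keeps the account and, for former admins, any supplementary groups until removed by hand; the `add admin users` task continues outside the hunk, so its remaining arguments are not visible here.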
--- a/roles/core/admin-users/vars/OpenBSD.yml
+++ b/roles/core/users/vars/OpenBSD.yml
diff --git a/roles/core/users/vars/main.yml b/roles/core/users/vars/main.yml
new file mode 100644
index 00000000..7d34279b
--- /dev/null
+++ b/roles/core/users/vars/main.yml
@@ -0,0 +1,3 @@
+---
+normal_users: "{{ normal_users_group | union(normal_users_host) }}"
+admin_users: "{{ admin_users_group | union(admin_users_host) }}"
diff --git a/spreadspace/s2-chromebook.yml b/spreadspace/s2-chromebook.yml
index 4aa8e5c0..972fbbc4 100644
--- a/spreadspace/s2-chromebook.yml
+++ b/spreadspace/s2-chromebook.yml
@@ -13,7 +13,7 @@
 roles:
 - role: apt-repo/backports
 - role: ws/base
- - role: core/admin-users
+ - role: core/users
 - role: ws/minet
 - role: ws/pipewire
 - role: ws/flatpak
diff --git a/spreadspace/s2-mr-snuggles.yml b/spreadspace/s2-mr-snuggles.yml
index b8427fed..dde079d4 100644
--- a/spreadspace/s2-mr-snuggles.yml
+++ b/spreadspace/s2-mr-snuggles.yml
@@ -9,7 +9,7 @@
 - role: core/cpu-microcode
 - role: apt-repo/backports
 - role: ws/base
- - role: core/admin-users
+ - role: core/users
 - role: ws/minet
 post_tasks:
 - name: disable caps-lock