From c17fccec08689065c8f4f902544e984521c7437b Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Mon, 22 Apr 2024 19:53:43 +0200
Subject: revamp: user/group handling
---
 roles/core/admin-users/tasks/Debian.yml | 5 ----
 roles/core/admin-users/tasks/OpenBSD.yml | 12 ---------
 roles/core/admin-users/tasks/main.yml | 37 -------------------------
 roles/core/admin-users/vars/Debian.yml | 5 ----
 roles/core/admin-users/vars/OpenBSD.yml | 4 ---
 roles/core/groups/tasks/main.yml | 26 ++++++++++++++++++
 roles/core/groups/vars/main.yml | 3 +++
 roles/core/users/tasks/Debian.yml | 6 +++++
 roles/core/users/tasks/OpenBSD.yml | 14 ++++++++++
 roles/core/users/tasks/main.yml | 46 ++++++++++++++++++++++++++++++++
 roles/core/users/vars/Debian.yml | 5 ++++
 roles/core/users/vars/OpenBSD.yml | 4 +++
 roles/core/users/vars/main.yml | 3 +++
 13 files changed, 107 insertions(+), 63 deletions(-)
 delete mode 100644 roles/core/admin-users/tasks/Debian.yml
 delete mode 100644 roles/core/admin-users/tasks/OpenBSD.yml
 delete mode 100644 roles/core/admin-users/tasks/main.yml
 delete mode 100644 roles/core/admin-users/vars/Debian.yml
 delete mode 100644 roles/core/admin-users/vars/OpenBSD.yml
 create mode 100644 roles/core/groups/tasks/main.yml
 create mode 100644 roles/core/groups/vars/main.yml
 create mode 100644 roles/core/users/tasks/Debian.yml
 create mode 100644 roles/core/users/tasks/OpenBSD.yml
 create mode 100644 roles/core/users/tasks/main.yml
 create mode 100644 roles/core/users/vars/Debian.yml
 create mode 100644 roles/core/users/vars/OpenBSD.yml
 create mode 100644 roles/core/users/vars/main.yml
(limited to 'roles')
diff --git a/roles/core/admin-users/tasks/Debian.yml b/roles/core/admin-users/tasks/Debian.yml
deleted file mode 100644
index 6d8d6f95..00000000
--- a/roles/core/admin-users/tasks/Debian.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: install sudo
- apt:
- name: sudo
- state: present
diff --git a/roles/core/admin-users/tasks/OpenBSD.yml b/roles/core/admin-users/tasks/OpenBSD.yml
deleted file mode 100644
index 1a04a3d3..00000000
--- a/roles/core/admin-users/tasks/OpenBSD.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-- name: install sudo
- openbsd_pkg:
- name: sudo--
- state: present
-
-- name: allow wheel group to use sudo
- lineinfile:
- regexp: '^#?\s*%wheel(\s+)ALL=\(ALL\) SETENV: ALL$'
- line: '%wheel\1ALL=(ALL) SETENV: ALL'
- backrefs: yes
- dest: /etc/sudoers
diff --git a/roles/core/admin-users/tasks/main.yml b/roles/core/admin-users/tasks/main.yml
deleted file mode 100644
index a5b1c7bd..00000000
--- a/roles/core/admin-users/tasks/main.yml
+++ /dev/null
@@ -1,37 +0,0 @@
----
-- name: load os/distrubtion/version specific variables
- include_vars: "{{ item }}"
- with_first_found:
- - files:
- - "{{ ansible_distribution_release }}.yml"
- - "{{ ansible_distribution }}.yml"
- - "{{ ansible_os_family }}.yml"
-
-- name: load os/distrubtion/version specific tasks
- vars:
- params:
- files:
- - "{{ ansible_distribution_release }}.yml"
- - "{{ ansible_distribution }}.yml"
- - "{{ ansible_os_family }}.yml"
- loop: "{{ q('first_found', params) }}"
- loop_control:
- loop_var: tasks_file
- include_tasks: "{{ tasks_file }}"
-
-- name: add admin users
- loop: "{{ admin_users_group | union(admin_users_host) }}"
- user:
- name: "{{ item }}"
- state: present
- password: "{{ hostvars[inventory_hostname]['vault_user_password_'+item] }}" ## TODO: find nicer way to do this
- groups: "{{ admin_users_groups }}"
- append: yes
- shell: "{{ users[item].shell | default(admin_users_default_shell) }}"
-
-- name: install ssh keys for admin users
- loop: "{{ admin_users_group | union(admin_users_host) }}"
- authorized_key:
- user: "{{ item }}"
- key: "{{ users[item].ssh | join('\n') }}"
- exclusive: yes
diff --git a/roles/core/admin-users/vars/Debian.yml b/roles/core/admin-users/vars/Debian.yml
deleted file mode 100644
index af8d20ca..00000000
--- a/roles/core/admin-users/vars/Debian.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-admin_users_default_shell: /bin/zsh
-admin_users_groups:
- - sudo
- - adm
diff --git a/roles/core/admin-users/vars/OpenBSD.yml b/roles/core/admin-users/vars/OpenBSD.yml
deleted file mode 100644
index a1d958d6..00000000
--- a/roles/core/admin-users/vars/OpenBSD.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-admin_users_default_shell: /usr/local/bin/zsh
-admin_users_groups:
- - wheel
diff --git a/roles/core/groups/tasks/main.yml b/roles/core/groups/tasks/main.yml
new file mode 100644
index 00000000..aa19aabc
--- /dev/null
+++ b/roles/core/groups/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+- name: add system groups
+ loop: "{{ system_groups | list }}"
+ group:
+ name: "{{ item }}"
+ state: present
+ system: yes
+
+- name: add normal groups
+ loop: "{{ normal_groups | list }}"
+ group:
+ name: "{{ item }}"
+ state: present
+
+ ## TODO: until something like this https://github.com/ansible/ansible/issues/11024 lands
+ ## we will do this the quick and dirty way
+
+- name: set group members the hacky way
+ loop: "{{ normal_groups | combine(system_groups) | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ lineinfile:
+ path: /etc/group
+ regexp: '^{{ item.key }}:(.*):[^:]*$'
+ backrefs: yes
+ line: '{{ item.key }}:\1:{{ item.value | sort | join(",") }}'
diff --git a/roles/core/groups/vars/main.yml b/roles/core/groups/vars/main.yml
new file mode 100644
index 00000000..e09ecea3
--- /dev/null
+++ b/roles/core/groups/vars/main.yml
@@ -0,0 +1,3 @@
+---
+normal_groups: "{{ normal_groups_group | combine(normal_groups_host) }}"
+system_groups: "{{ system_groups_group | combine(system_groups_host) }}"
diff --git a/roles/core/users/tasks/Debian.yml b/roles/core/users/tasks/Debian.yml
new file mode 100644
index 00000000..a4827df9
--- /dev/null
+++ b/roles/core/users/tasks/Debian.yml
@@ -0,0 +1,6 @@
+---
+- name: install sudo
+ when: (admin_users | length) > 0
+ apt:
+ name: sudo
+ state: present
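Review bot: The `set group members the hacky way` task rewrites the member column of /etc/group in place, which on Debian leaves the matching member column in /etc/gshadow stale (the shadow suite expects the two files to agree and `grpck` flags the mismatch) and performs the edit outside the locking that `gpasswd`/`usermod` take. The group name is also interpolated into the pattern unescaped; `regexp: '^{{ item.key | regex_escape }}:(.*):[^:]*$'` keeps a `.` or other metacharacter in a name from matching more than intended. Because the rewritten line makes the listed members the complete list, any membership granted elsewhere — for example via `append: yes` in the users role — is dropped on the next run for every group managed here; a comment above the task stating that it is the authoritative member list would spare the next reader that surprise, and whether the two roles run in an order where this bites is not visible from the diff.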
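Review bot: `normal_groups_group`, `normal_groups_host`, `system_groups_group` and `system_groups_host` are combined with no fallback, so a host that defines only the group-level half fails with an undefined-variable error instead of inheriting the group-level value. `normal_groups: "{{ normal_groups_group | default({}) | combine(normal_groups_host | default({})) }}"` (and the same for `system_groups`) closes that gap; roles/core/users/vars/main.yml has the same shape with `union` and would take `default([])` the same way. Whether the inventory guarantees all four variables on every host is not visible here.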
diff --git a/roles/core/users/tasks/OpenBSD.yml b/roles/core/users/tasks/OpenBSD.yml
new file mode 100644
index 00000000..d04d3d7a
--- /dev/null
+++ b/roles/core/users/tasks/OpenBSD.yml
@@ -0,0 +1,14 @@
+---
+- name: install sudo
+ when: (admin_users | length) > 0
+ openbsd_pkg:
+ name: sudo--
+ state: present
+
+- name: allow wheel group to use sudo
+ when: (admin_users | length) > 0
+ lineinfile:
+ regexp: '^#?\s*%wheel(\s+)ALL=\(ALL\) SETENV: ALL$'
+ line: '%wheel\1ALL=(ALL) SETENV: ALL'
+ backrefs: yes
+ dest: /etc/sudoers
diff --git a/roles/core/users/tasks/main.yml b/roles/core/users/tasks/main.yml
new file mode 100644
index 00000000..43fe92f4
--- /dev/null
+++ b/roles/core/users/tasks/main.yml
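Review bot: The `allow wheel group to use sudo` task edits /etc/sudoers with lineinfile and no `validate:`, so a regexp or backref mismatch that yields a malformed line locks every admin out of sudo on that host; `validate: 'visudo -cf %s'` makes lineinfile discard the edit unless the resulting file parses. `dest:` is the legacy alias of `path:` and could be written as `path: /etc/sudoers` for consistency with the groups role.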
@@ -0,0 +1,46 @@
+---
+- name: load os/distrubtion/version specific variables
+ include_vars: "{{ item }}"
+ with_first_found:
+ - files:
+ - "{{ ansible_distribution_release }}.yml"
+ - "{{ ansible_distribution }}.yml"
+ - "{{ ansible_os_family }}.yml"
+
+- name: load os/distrubtion/version specific tasks
+ vars:
+ params:
+ files:
+ - "{{ ansible_distribution_release }}.yml"
+ - "{{ ansible_distribution }}.yml"
+ - "{{ ansible_os_family }}.yml"
+ loop: "{{ q('first_found', params) }}"
+ loop_control:
+ loop_var: tasks_file
+ include_tasks: "{{ tasks_file }}"
+
+- name: add normal users
+ loop: "{{ normal_users | difference(admin_users) }}"
+ user:
+ name: "{{ item }}"
+ state: present
+ password: "{{ hostvars[inventory_hostname]['vault_user_password_'+item] }}" ## TODO: find nicer way to do this
+ shell: "{{ users[item].shell | default(admin_users_default_shell) }}"
+
+- name: add admin users
+ loop: "{{ admin_users }}"
+ user:
+ name: "{{ item }}"
+ state: present
+ password: "{{ hostvars[inventory_hostname]['vault_user_password_'+item] }}" ## TODO: find nicer way to do this
+ groups: "{{ admin_users_groups }}"
+ append: yes
+ shell: "{{ users[item].shell | default(admin_users_default_shell) }}"
+
+- name: install ssh keys for users
+ loop: "{{ normal_users | union(admin_users) }}"
+ when: "'ssh' in users[item]"
+ authorized_key:
+ user: "{{ item }}"
+ key: "{{ users[item].ssh | join('\n') }}"
+ exclusive: yes
diff --git a/roles/core/users/vars/Debian.yml b/roles/core/users/vars/Debian.yml
new file mode 100644
index 00000000..af8d20ca
--- /dev/null
+++ b/roles/core/users/vars/Debian.yml
@@ -0,0 +1,5 @@
+---
+admin_users_default_shell: /bin/zsh
+admin_users_groups:
+ - sudo
+ - adm
diff --git a/roles/core/users/vars/OpenBSD.yml b/roles/core/users/vars/OpenBSD.yml
new file mode 100644
index 00000000..a1d958d6
--- /dev/null
+++ b/roles/core/users/vars/OpenBSD.yml
@@ -0,0 +1,4 @@
+---
+admin_users_default_shell: /usr/local/bin/zsh
+admin_users_groups:
+ - wheel
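Review bot: Demotion is not handled in the `add admin users` / `add normal users` pair: the admin task uses `append: yes`, so a name that moves from `admin_users` to `normal_users` keeps its membership in `admin_users_groups` (`sudo`/`adm` or `wheel`) on the next run, and nothing in the normal-users task takes it away. Either manage those groups' member lists as desired state (the membership task in roles/core/groups could do that if the admin groups are declared there) or add a task that removes `admin_users_groups` from `normal_users | difference(admin_users)`; which fits depends on the role order, which is not visible here. Two smaller points: normal users fall back to `admin_users_default_shell`, so a name such as `users_default_shell` in the vars files would stop the default reading as admin-only, and `password:` goes straight to the user module, which on Linux expects an already-hashed value — if `vault_user_password_<name>` holds plaintext the account ends up with an unusable hash, so a comment stating the expected format next to the existing TODO would help. The `when: "'ssh' in users[item]"` guard also means a user whose `ssh` entry is removed keeps previously deployed keys, so the `exclusive: yes` guarantee only holds while the entry exists; a comment saying so (or that an explicit empty list is the way to clear keys, if the module accepts one) would make that intent explicit.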
diff --git a/roles/core/users/vars/main.yml b/roles/core/users/vars/main.yml
new file mode 100644
index 00000000..7d34279b
--- /dev/null
+++ b/roles/core/users/vars/main.yml
@@ -0,0 +1,3 @@
+---
+normal_users: "{{ normal_users_group | union(normal_users_host) }}"
+admin_users: "{{ admin_users_group | union(admin_users_host) }}"
-- cgit v1.2.3