iiab/roles/iiab-admin/tasks/admin-user.yml

# Summary of how this works with IIAB's Admin Console etc:
# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/README.rst


# YOU CAN CHANGE THIS USER TO 'pi' OR 'ubuntu' ETC, IN /etc/iiab/local_vars.yml
- name: Does user '{{ iiab_admin_user }}' (iiab_admin_user) exist?    # iiab-admin BY DEFAULT
  command: "id {{ iiab_admin_user | quote }}"    # quote to avoid ';' exploits
  register: user_info
  failed_when: False    # Hides red errors (stronger than 'ignore_errors: yes')

# admin_console_group: iiab-admin   # PER default_vars.yml, SHOULD NEVER CHANGE
- name: Establish Linux group '{{ admin_console_group }}' group, for login to Admin Console
  group:
    name: "{{ admin_console_group }}"
    state: present

- name: Configure user '{{ iiab_admin_user }}' with group '{{ admin_console_group }}' for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB community support commands (/usr/bin/iiab-*) at the command-line
  user:
    name: "{{ iiab_admin_user }}"
    #group: "{{ iiab_admin_user }}"    # Not nec.  Anyway this happens during account creation b/c 'USERGROUPS_ENAB yes' is set in any modern /etc/login.defs
    groups: "{{ admin_console_group }}"    # What guarantees any user's ability to login to Admin Console, just in case the user is not a member of sudo in future.  FWIW Ansible adds the user to this group in /etc/group even in cases where that's not nec -- i.e. user iiab-admin's primary group is normally sufficient if it (the correct GID, corresponding to group iiab-admin) is in the 4th column of /etc/passwd.
    append: yes
    shell: /bin/bash
    #password: "{{ iiab_admin_pwd_hash }}"    # 2020-10-14: DEPRECATED in favor
    #update_password: on_create               # of 'command: chpasswd' below.

- name: If user didn't exist, set password to '{{ iiab_admin_published_pwd }}'    # g0adm1n
  #shell: "echo {{ iiab_admin_user }}:{{ iiab_admin_published_pwd }} | chpasswd"
  command: chpasswd    # Equiv to line above, but safer
  args:
    stdin: "{{ iiab_admin_user | quote }}:{{ iiab_admin_published_pwd | quote }}"
  when: user_info.rc != 0


# sudo-prereqs.yml needs to have been run!

- name: Add user {{ iiab_admin_user }} to group sudo, for IIAB community support commands in /usr/bin like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware}, if iiab_admin_can_sudo
  #command: "gpasswd -a {{ iiab_admin_user | quote }} sudo"
  user:
    name: "{{ iiab_admin_user }}"
    groups: sudo
    append: yes
  when: iiab_admin_can_sudo

- name: Remove user {{ iiab_admin_user }} from group sudo, if not iiab_admin_can_sudo
  command: "gpasswd -d {{ iiab_admin_user | quote }} sudo"
  when: not iiab_admin_can_sudo
  failed_when: False    # Hides red errors (stronger than 'ignore_errors: yes')


#- name: Lets {{ iiab_admin_user }} sudo without password
##- name: Lets wheel sudo without password
#  lineinfile:
#    path: /etc/sudoers
#    line: "{{ iiab_admin_user }} ALL=(ALL) NOPASSWD: ALL"
##    line: "%wheel ALL= NOPASSWD: ALL"
Refine iiab-admin role for Admin Console etc 2020-10-16 18:00:30 +00:00			`# Summary of how this works with IIAB's Admin Console etc:`
			`# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/README.rst`


			`# YOU CAN CHANGE THIS USER TO 'pi' OR 'ubuntu' ETC, IN /etc/iiab/local_vars.yml`
			`- name: Does user '{{ iiab_admin_user }}' (iiab_admin_user) exist? # iiab-admin BY DEFAULT`
iiab-admin/tasks/admin-user.yml: act on iiab_admin_can_sudo 2020-10-15 00:58:37 +00:00			`command: "id {{ iiab_admin_user \| quote }}" # quote to avoid ';' exploits`
			`register: user_info`
			`failed_when: False # Hides red errors (stronger than 'ignore_errors: yes')`

Refine iiab-admin role for Admin Console etc 2020-10-16 18:00:30 +00:00			`# admin_console_group: iiab-admin # PER default_vars.yml, SHOULD NEVER CHANGE`
			`- name: Establish Linux group '{{ admin_console_group }}' group, for login to Admin Console`
			`group:`
			`name: "{{ admin_console_group }}"`
			`state: present`

iiab-check-firmware to /usr/bin ; rename systemd services to iiab-* 2021-07-28 02:36:07 +00:00			`- name: Configure user '{{ iiab_admin_user }}' with group '{{ admin_console_group }}' for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB community support commands (/usr/bin/iiab-*) at the command-line`
Add "shell: /bin/bash" to iiab-admin so shell works?? SEE https://github.com/iiab/iiab/issues/586 2017-12-06 19:44:53 +00:00			`user:`
iiab-admin/tasks/admin-user.yml: act on iiab_admin_can_sudo 2020-10-15 00:58:37 +00:00			`name: "{{ iiab_admin_user }}"`
Refine iiab-admin role for Admin Console etc 2020-10-16 18:00:30 +00:00			`#group: "{{ iiab_admin_user }}" # Not nec. Anyway this happens during account creation b/c 'USERGROUPS_ENAB yes' is set in any modern /etc/login.defs`
			`groups: "{{ admin_console_group }}" # What guarantees any user's ability to login to Admin Console, just in case the user is not a member of sudo in future. FWIW Ansible adds the user to this group in /etc/group even in cases where that's not nec -- i.e. user iiab-admin's primary group is normally sufficient if it (the correct GID, corresponding to group iiab-admin) is in the 4th column of /etc/passwd.`
			`append: yes`
Add "shell: /bin/bash" to iiab-admin so shell works?? SEE https://github.com/iiab/iiab/issues/586 2017-12-06 19:44:53 +00:00			`shell: /bin/bash`
Update admin-user.yml 2020-10-15 03:31:57 +00:00			`#password: "{{ iiab_admin_pwd_hash }}" # 2020-10-14: DEPRECATED in favor`
Refine iiab-admin role for Admin Console etc 2020-10-16 18:00:30 +00:00			`#update_password: on_create # of 'command: chpasswd' below.`
iiab-admin/tasks/admin-user.yml: act on iiab_admin_can_sudo 2020-10-15 00:58:37 +00:00
			`- name: If user didn't exist, set password to '{{ iiab_admin_published_pwd }}' # g0adm1n`
			`#shell: "echo {{ iiab_admin_user }}:{{ iiab_admin_published_pwd }} \| chpasswd"`
Update admin-user.yml 2020-10-15 03:31:57 +00:00			`command: chpasswd # Equiv to line above, but safer`
iiab-admin/tasks/admin-user.yml: act on iiab_admin_can_sudo 2020-10-15 00:58:37 +00:00			`args:`
			`stdin: "{{ iiab_admin_user \| quote }}:{{ iiab_admin_published_pwd \| quote }}"`
			`when: user_info.rc != 0`


Refine iiab-admin role for Admin Console etc 2020-10-16 18:00:30 +00:00			`# sudo-prereqs.yml needs to have been run!`
Misc Fixes: Clean up whitespace warnings 2017-10-19 06:33:02 +00:00
iiab-check-firmware to /usr/bin ; rename systemd services to iiab-* 2021-07-28 02:36:07 +00:00			`- name: Add user {{ iiab_admin_user }} to group sudo, for IIAB community support commands in /usr/bin like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware}, if iiab_admin_can_sudo`
Refine iiab-admin role for Admin Console etc 2020-10-16 18:00:30 +00:00			`#command: "gpasswd -a {{ iiab_admin_user \| quote }} sudo"`
			`user:`
			`name: "{{ iiab_admin_user }}"`
			`groups: sudo`
			`append: yes`
			`when: iiab_admin_can_sudo`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00
iiab-admin/tasks/admin-user.yml: act on iiab_admin_can_sudo 2020-10-15 00:58:37 +00:00			`- name: Remove user {{ iiab_admin_user }} from group sudo, if not iiab_admin_can_sudo`
			`command: "gpasswd -d {{ iiab_admin_user \| quote }} sudo"`
			`when: not iiab_admin_can_sudo`
			`failed_when: False # Hides red errors (stronger than 'ignore_errors: yes')`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00
Misc Fixes: Clean up whitespace warnings 2017-10-19 06:33:02 +00:00
admin-user.yml: skip wheels group (& its NOPASSWD: in /etc/sudoers) 2020-10-11 03:15:42 +00:00			`#- name: Lets {{ iiab_admin_user }} sudo without password`
			`##- name: Lets wheel sudo without password`
			`# lineinfile:`
Update admin-user.yml 2020-10-15 03:09:41 +00:00			`# path: /etc/sudoers`
admin-user.yml: skip wheels group (& its NOPASSWD: in /etc/sudoers) 2020-10-11 03:15:42 +00:00			`# line: "{{ iiab_admin_user }} ALL=(ALL) NOPASSWD: ALL"`
			`## line: "%wheel ALL= NOPASSWD: ALL"`