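- name: Check if user '{{ iiab_admin_user }}' exists    # iiab-admin
  # 'command' runs without a shell, so a ';' in the name is never interpreted;
  # the quote filter is kept as defense-in-depth in case this ever moves to 'shell'.
  command: "id {{ iiab_admin_user | quote }}"
  register: user_info
  changed_when: false    # 'id' only queries; otherwise every run reports "changed"
  failed_when: false    # Hides red errors (stronger than 'ignore_errors: yes'); rc is still registered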
- name: >-
    Establish user {{ iiab_admin_user }} with shell /bin/bash, for login to
    IIAB's Admin Console (http://box.lan/admin) AND for IIAB community support
    commands (/usr/bin/iiab-* and /usr/sbin/iiab-*) at the command-line
  user:
    name: "{{ iiab_admin_user }}"
    shell: /bin/bash
    # group/groups are intentionally left unset: with 'USERGROUPS_ENAB yes' in
    # any modern /etc/login.defs the user already gets a private group of the same name.
    # password/update_password were dropped 2020-10-14 in favor of the
    # 'command: chpasswd' task that follows. See: #2570
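- name: If user didn't exist, set password from iiab_admin_published_pwd    # default g0adm1n
  # 'command' with 'stdin' feeds chpasswd directly (no shell), so '| quote' must
  # NOT be applied here: shlex-style quoting wraps any value containing spaces or
  # shell metacharacters in literal single quotes, and chpasswd would store those
  # quotes as part of the password.
  command: chpasswd
  args:
    stdin: "{{ iiab_admin_user }}:{{ iiab_admin_published_pwd }}"
  no_log: true    # keep the user:password line out of logs and -v output (the task name no longer echoes the value)
  when: user_info.rc != 0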
# roles/2-common/tasks/packages.yml also installs sudo, but that's too late
- name: "Install package : sudo"
  package:
    name: sudo
    state: present    # explicit for readability; present is the module default
- name: >-
    Add user {{ iiab_admin_user }} to group sudo, for support commands like
    {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware}, if iiab_admin_can_sudo
  # NOTE(review): 'command' reports "changed" on every run; the commented-out
  # 'user:' form below (groups: sudo, append: yes) was the idempotent equivalent.
  command: "gpasswd -a {{ iiab_admin_user | quote }} sudo"
  when: iiab_admin_can_sudo | bool
  #user:
  #  name: "{{ iiab_admin_user }}"
  #  groups: sudo
  #  append: yes
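- name: Remove user {{ iiab_admin_user }} from group sudo, if not iiab_admin_can_sudo
  command: "gpasswd -d {{ iiab_admin_user | quote }} sudo"
  # Mirror the 'add' task's test exactly: without '| bool' a string value such as
  # "False" is truthy, so 'not' evaluates to false and this task would never run.
  when: not (iiab_admin_can_sudo | bool)
  failed_when: false    # Hides red errors, e.g. when the user was never in the group (stronger than 'ignore_errors: yes')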
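- name: Temporarily make file /etc/sudoers editable (0640)
  file:
    path: /etc/sudoers
    # Quoted so the mode is a string on every YAML version: a YAML 1.2 parser
    # reads unquoted 0640 as decimal 640, which is not the intended permission.
    mode: "0640"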
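- name: "/etc/sudoers : Have sudo log all commands to /var/log/sudo.log"
  lineinfile:
    path: /etc/sudoers
    # Broad match: any line containing 'logfile' (commented examples included)
    # is replaced, lineinfile replacing the last such match.
    regexp: logfile
    line: "Defaults logfile = /var/log/sudo.log"
    # A syntactically broken /etc/sudoers locks every user out of sudo; validate
    # the edited copy before it is moved into place.
    validate: /usr/sbin/visudo -cf %s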
#- name: Lets {{ iiab_admin_user }} sudo without password
##- name: Lets wheel sudo without password
# lineinfile:
# path: /etc/sudoers
# line: "{{ iiab_admin_user }} ALL=(ALL) NOPASSWD: ALL"
## line: "%wheel ALL= NOPASSWD: ALL"
# Not nec (heavyhanded removal of customizations+comments) given sudo defaults.
#- name: Remove all lines that contain 'requiretty'
# lineinfile:
# path: /etc/sudoers
# regexp: requiretty
# state: absent
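- name: End editing file /etc/sudoers -- protect it again (0440)
  file:
    path: /etc/sudoers
    # Quoted for the same reason as the 0640 step above: unquoted 0440 is an
    # octal literal on YAML 1.1 but decimal 440 on YAML 1.2.
    mode: "0440"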