iiab/roles/iiab-admin/tasks/admin-user.yml

- name: Check if user '{{ iiab_admin_user }}' exists    # iiab-admin
  command: "id {{ iiab_admin_user | quote }}"    # quote to avoid ';' exploits
  register: user_info
  failed_when: False    # Hides red errors (stronger than 'ignore_errors: yes')

- name: Establish user {{ iiab_admin_user }} with shell /bin/bash, for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB support commands at the command-line (/usr/bin/iiab-* and /usr/sbin/iiab-*)
  user:
    name: "{{ iiab_admin_user }}"
    shell: /bin/bash
    #password: "{{ iiab_admin_pwd_hash }}"
    #update_password: on_create

- name: If user didn't exist, set password to '{{ iiab_admin_published_pwd }}'    # g0adm1n
  #shell: "echo {{ iiab_admin_user }}:{{ iiab_admin_published_pwd }} | chpasswd"
  command: chpasswd
  args:
    stdin: "{{ iiab_admin_user | quote }}:{{ iiab_admin_published_pwd | quote }}"
  when: user_info.rc != 0


# roles/2-common/tasks/packages.yml also installs sudo, but that's too late
- name: 'Install package: sudo'
  package:
    name: sudo

- name: Add user {{ iiab_admin_user }} to group sudo, for support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware}, if iiab_admin_can_sudo
  command: "gpasswd -a {{ iiab_admin_user | quote }} sudo"
  #user:
  #  name: "{{ iiab_admin_user }}"
  #  groups: sudo
  #  append: yes
  when: iiab_admin_can_sudo | bool

- name: Remove user {{ iiab_admin_user }} from group sudo, if not iiab_admin_can_sudo
  command: "gpasswd -d {{ iiab_admin_user | quote }} sudo"
  when: not iiab_admin_can_sudo
  failed_when: False    # Hides red errors (stronger than 'ignore_errors: yes')


- name: Edit the sudoers file -- first make it editable (0640)
  file:
    path: /etc/sudoers
    mode: 0640

- name: Have sudo log all commands it handles
  lineinfile:
    regexp: logfile
    line: "Defaults     logfile = /var/log/sudo.log"
    dest: /etc/sudoers
    state: present

#- name: Lets {{ iiab_admin_user }} sudo without password
##- name: Lets wheel sudo without password
#  lineinfile:
#    line: "{{ iiab_admin_user }} ALL=(ALL) NOPASSWD: ALL"
##    line: "%wheel ALL= NOPASSWD: ALL"
#    dest: /etc/sudoers

- name: Remove the line which requires tty
  lineinfile:
    regexp: requiretty
    dest: /etc/sudoers
    state: absent

- name: End editing the sudoers file -- protect it again (0440)
  file:
    path: /etc/sudoers
    mode: 0440
iiab-admin/tasks/admin-user.yml: act on iiab_admin_can_sudo 2020-10-15 00:58:37 +00:00			`- name: Check if user '{{ iiab_admin_user }}' exists # iiab-admin`
			`command: "id {{ iiab_admin_user \| quote }}" # quote to avoid ';' exploits`
			`register: user_info`
			`failed_when: False # Hides red errors (stronger than 'ignore_errors: yes')`

			`- name: Establish user {{ iiab_admin_user }} with shell /bin/bash, for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB support commands at the command-line (/usr/bin/iiab-* and /usr/sbin/iiab-*)`
Add "shell: /bin/bash" to iiab-admin so shell works?? SEE https://github.com/iiab/iiab/issues/586 2017-12-06 19:44:53 +00:00			`user:`
iiab-admin/tasks/admin-user.yml: act on iiab_admin_can_sudo 2020-10-15 00:58:37 +00:00			`name: "{{ iiab_admin_user }}"`
Add "shell: /bin/bash" to iiab-admin so shell works?? SEE https://github.com/iiab/iiab/issues/586 2017-12-06 19:44:53 +00:00			`shell: /bin/bash`
iiab-admin/tasks/admin-user.yml: act on iiab_admin_can_sudo 2020-10-15 00:58:37 +00:00			`#password: "{{ iiab_admin_pwd_hash }}"`
			`#update_password: on_create`

			`- name: If user didn't exist, set password to '{{ iiab_admin_published_pwd }}' # g0adm1n`
			`#shell: "echo {{ iiab_admin_user }}:{{ iiab_admin_published_pwd }} \| chpasswd"`
			`command: chpasswd`
			`args:`
			`stdin: "{{ iiab_admin_user \| quote }}:{{ iiab_admin_published_pwd \| quote }}"`
			`when: user_info.rc != 0`


			`# roles/2-common/tasks/packages.yml also installs sudo, but that's too late`
			`- name: 'Install package: sudo'`
			`package:`
			`name: sudo`
Misc Fixes: Clean up whitespace warnings 2017-10-19 06:33:02 +00:00
iiab-admin/tasks/admin-user.yml: act on iiab_admin_can_sudo 2020-10-15 00:58:37 +00:00			`- name: Add user {{ iiab_admin_user }} to group sudo, for support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware}, if iiab_admin_can_sudo`
			`command: "gpasswd -a {{ iiab_admin_user \| quote }} sudo"`
			`#user:`
			`# name: "{{ iiab_admin_user }}"`
			`# groups: sudo`
			`# append: yes`
			`when: iiab_admin_can_sudo \| bool`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00
iiab-admin/tasks/admin-user.yml: act on iiab_admin_can_sudo 2020-10-15 00:58:37 +00:00			`- name: Remove user {{ iiab_admin_user }} from group sudo, if not iiab_admin_can_sudo`
			`command: "gpasswd -d {{ iiab_admin_user \| quote }} sudo"`
			`when: not iiab_admin_can_sudo`
			`failed_when: False # Hides red errors (stronger than 'ignore_errors: yes')`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00
Misc Fixes: Clean up whitespace warnings 2017-10-19 06:33:02 +00:00
iiab-admin/tasks/admin-user.yml: act on iiab_admin_can_sudo 2020-10-15 00:58:37 +00:00			`- name: Edit the sudoers file -- first make it editable (0640)`
Add "shell: /bin/bash" to iiab-admin so shell works?? SEE https://github.com/iiab/iiab/issues/586 2017-12-06 19:44:53 +00:00			`file:`
			`path: /etc/sudoers`
			`mode: 0640`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00
cleaner Ansible output 2017-10-27 15:44:19 +00:00			`- name: Have sudo log all commands it handles`
Add "shell: /bin/bash" to iiab-admin so shell works?? SEE https://github.com/iiab/iiab/issues/586 2017-12-06 19:44:53 +00:00			`lineinfile:`
			`regexp: logfile`
Update admin-user.yml 2017-12-07 16:33:33 +00:00			`line: "Defaults logfile = /var/log/sudo.log"`
Add "shell: /bin/bash" to iiab-admin so shell works?? SEE https://github.com/iiab/iiab/issues/586 2017-12-06 19:44:53 +00:00			`dest: /etc/sudoers`
			`state: present`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00
admin-user.yml: skip wheels group (& its NOPASSWD: in /etc/sudoers) 2020-10-11 03:15:42 +00:00			`#- name: Lets {{ iiab_admin_user }} sudo without password`
			`##- name: Lets wheel sudo without password`
			`# lineinfile:`
			`# line: "{{ iiab_admin_user }} ALL=(ALL) NOPASSWD: ALL"`
			`## line: "%wheel ALL= NOPASSWD: ALL"`
			`# dest: /etc/sudoers`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00
cleaner Ansible output 2017-10-27 15:44:19 +00:00			`- name: Remove the line which requires tty`
Add "shell: /bin/bash" to iiab-admin so shell works?? SEE https://github.com/iiab/iiab/issues/586 2017-12-06 19:44:53 +00:00			`lineinfile:`
			`regexp: requiretty`
			`dest: /etc/sudoers`
			`state: absent`
Misc Fixes: Clean up whitespace warnings 2017-10-19 06:33:02 +00:00
iiab-admin/tasks/admin-user.yml: act on iiab_admin_can_sudo 2020-10-15 00:58:37 +00:00			`- name: End editing the sudoers file -- protect it again (0440)`
Add "shell: /bin/bash" to iiab-admin so shell works?? SEE https://github.com/iiab/iiab/issues/586 2017-12-06 19:44:53 +00:00			`file:`
			`path: /etc/sudoers`
			`mode: 0440`