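---
# Establish the IIAB admin user ({{ iiab_admin_user }}): create it with a bash
# shell, set the published password only on first creation, add/remove it
# from group sudo per iiab_admin_can_sudo, and make sudo log every command.

- name: Check if user '{{ iiab_admin_user }}' exists  # iiab-admin
  command: "id {{ iiab_admin_user | quote }}"  # quote to avoid ';' exploits
  register: user_info
  changed_when: false  # read-only probe; never report it as a change
  check_mode: false  # also run under --check, so 'user_info.rc' is defined below
  failed_when: false  # Hides red errors (stronger than 'ignore_errors: yes')

- name: Establish user {{ iiab_admin_user }} with shell /bin/bash, for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB support commands at the command-line (/usr/bin/iiab-* and /usr/sbin/iiab-*)
  user:
    name: "{{ iiab_admin_user }}"
    #group: "{{ iiab_admin_user }}"   # Neither nec as 'USERGROUPS_ENAB yes'
    #groups: "{{ iiab_admin_user }}"  # is set in any modern /etc/login.defs
    shell: /bin/bash
    #password: "{{ iiab_admin_pwd_hash }}"
    #update_password: on_create

- name: If user didn't exist, set password to '{{ iiab_admin_published_pwd }}'  # g0adm1n
  #shell: "echo {{ iiab_admin_user }}:{{ iiab_admin_published_pwd }} | chpasswd"
  command: chpasswd
  args:
    # Fed straight to chpasswd's stdin -- no shell parses it, so the 'quote'
    # filter must NOT be applied here: it would wrap any value containing
    # shell-special characters in single quotes, and those quotes would then
    # become part of the stored username/password.
    stdin: "{{ iiab_admin_user }}:{{ iiab_admin_published_pwd }}"
  when: user_info.rc != 0

# roles/2-common/tasks/packages.yml also installs sudo, but that's too late
- name: 'Install package: sudo'
  package:
    name: sudo

- name: Add user {{ iiab_admin_user }} to group sudo, for support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware}, if iiab_admin_can_sudo
  command: "gpasswd -a {{ iiab_admin_user | quote }} sudo"
  #user:
  #  name: "{{ iiab_admin_user }}"
  #  groups: sudo
  #  append: yes
  when: iiab_admin_can_sudo | bool

- name: Remove user {{ iiab_admin_user }} from group sudo, if not iiab_admin_can_sudo
  command: "gpasswd -d {{ iiab_admin_user | quote }} sudo"
  # Same '| bool' cast as the add task above, so a string value such as
  # "False" is handled identically by both tasks.
  when: not (iiab_admin_can_sudo | bool)
  failed_when: false  # Hides red errors (stronger than 'ignore_errors: yes')

- name: Temporarily make file /etc/sudoers editable (0640)
  file:
    path: /etc/sudoers
    mode: "0640"  # quoted: a bare 0640 is read as an integer (ansible-lint risky-octal)

- name: '/etc/sudoers: Have sudo log all commands to /var/log/sudo.log'
  lineinfile:
    path: /etc/sudoers
    regexp: logfile  # any line containing 'logfile'; lineinfile replaces the last match
    line: "Defaults logfile = /var/log/sudo.log"
    # Refuse the edit if the result does not parse -- a malformed /etc/sudoers
    # locks everyone out of sudo.
    validate: /usr/sbin/visudo -cf %s

# Left disabled: NOPASSWD removes the password check for every sudo command.
#- name: Lets {{ iiab_admin_user }} sudo without password
##- name: Lets wheel sudo without password
#  lineinfile:
#    path: /etc/sudoers
#    line: "{{ iiab_admin_user }} ALL=(ALL) NOPASSWD: ALL"
##    line: "%wheel ALL= NOPASSWD: ALL"

# Not nec (heavyhanded removal of customizations+comments) given sudo defaults.
#- name: Remove all lines that contain 'requiretty'
#  lineinfile:
#    path: /etc/sudoers
#    regexp: requiretty
#    state: absent

- name: End editing file /etc/sudoers -- protect it again (0440)
  file:
    path: /etc/sudoers
    mode: "0440"  # quoted for the same reason as the 0640 step above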