external/iiab
1
0
Fork 0
mirror of https://github.com/iiab/iiab.git synced 2025-02-13 19:52:06 +00:00
Code Issues Releases Wiki Activity
iiab/roles/iiab-admin/tasks/admin-user.yml

56 lines
2.9 KiB
YAML
Raw Blame History

# Summary of how this works with IIAB's Admin Console etc:
# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/README.rst
# YOU CAN CHANGE THIS USER TO 'pi' OR 'ubuntu' ETC, IN /etc/iiab/local_vars.yml
- name: Does user '{{ iiab_admin_user }}' (iiab_admin_user) exist? # iiab-admin BY DEFAULT
command: "id {{ iiab_admin_user | quote }}" # quote to avoid ';' exploits
register: user_info
failed_when: False # Hides red errors (stronger than 'ignore_errors: yes')
# admin_console_group: iiab-admin # PER default_vars.yml, SHOULD NEVER CHANGE
- name: Establish Linux group '{{ admin_console_group }}' group, for login to Admin Console
group:
name: "{{ admin_console_group }}"
state: present
- name: Configure user '{{ iiab_admin_user }}' with group '{{ admin_console_group }}' for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB community support commands (/usr/bin/iiab-*) at the command-line
user:
name: "{{ iiab_admin_user }}"
#group: "{{ iiab_admin_user }}" # Not nec. Anyway this happens during account creation b/c 'USERGROUPS_ENAB yes' is set in any modern /etc/login.defs
groups: "{{ admin_console_group }}" # What guarantees any user's ability to login to Admin Console, just in case the user is not a member of sudo in future. FWIW Ansible adds the user to this group in /etc/group even in cases where that's not nec -- i.e. user iiab-admin's primary group is normally sufficient if it (the correct GID, corresponding to group iiab-admin) is in the 4th column of /etc/passwd.
append: yes
shell: /bin/bash
#password: "{{ iiab_admin_pwd_hash }}" # 2020-10-14: DEPRECATED in favor
#update_password: on_create # of 'command: chpasswd' below.
- name: If user didn't exist, set password to '{{ iiab_admin_published_pwd }}' # g0adm1n
#shell: "echo {{ iiab_admin_user }}:{{ iiab_admin_published_pwd }} | chpasswd"
command: chpasswd # Equiv to line above, but safer
args:
stdin: "{{ iiab_admin_user | quote }}:{{ iiab_admin_published_pwd | quote }}"
when: user_info.rc != 0
# sudo-prereqs.yml needs to have been run!
- name: Add user {{ iiab_admin_user }} to group sudo, for IIAB community support commands in /usr/bin like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware}, if iiab_admin_can_sudo
#command: "gpasswd -a {{ iiab_admin_user | quote }} sudo"
user:
name: "{{ iiab_admin_user }}"
groups: sudo
append: yes
when: iiab_admin_can_sudo
- name: Remove user {{ iiab_admin_user }} from group sudo, if not iiab_admin_can_sudo
command: "gpasswd -d {{ iiab_admin_user | quote }} sudo"
when: not iiab_admin_can_sudo
failed_when: False # Hides red errors (stronger than 'ignore_errors: yes')
#- name: Lets {{ iiab_admin_user }} sudo without password
##- name: Lets wheel sudo without password
# lineinfile:
# path: /etc/sudoers
# line: "{{ iiab_admin_user }} ALL=(ALL) NOPASSWD: ALL"
## line: "%wheel ALL= NOPASSWD: ALL"
Reference in a new issue View git blame Copy permalink