From 2b901193da1df9f76d88ac9c4c95a210ac2b3c90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arturo=20Filast=C3=B2?=
Date: Wed, 3 Jul 2024 12:13:22 +0200
Subject: [PATCH] Add sudoers file and clone repo into /srv

---
 ansible/roles/ansible_controller/tasks/main.yml | 5 +++++
 ansible/roles/ssh_users/tasks/main.yml | 4 ++++
 ansible/roles/ssh_users/templates/sudoers | 4 ++++
 3 files changed, 13 insertions(+)
 create mode 100644 ansible/roles/ssh_users/templates/sudoers

diff --git a/ansible/roles/ansible_controller/tasks/main.yml b/ansible/roles/ansible_controller/tasks/main.yml
index 14ad64bd..c5a0c2e2 100644
--- a/ansible/roles/ansible_controller/tasks/main.yml
+++ b/ansible/roles/ansible_controller/tasks/main.yml
@@ -15,3 +15,8 @@
 - name: set the hostname
   ansible.builtin.hostname:
     name: "ansible-controller"
+
+- name: clone devops repo into /srv/devops
+  ansible.builtin.git:
+    repo: "https://github.com/ooni/devops.git"
+    dest: /srv/devops
diff --git a/ansible/roles/ssh_users/tasks/main.yml b/ansible/roles/ssh_users/tasks/main.yml
index ad4bd95d..cabc6734 100644
--- a/ansible/roles/ssh_users/tasks/main.yml
+++ b/ansible/roles/ssh_users/tasks/main.yml
@@ -59,3 +59,7 @@
     remove: yes
   with_items: user_list.stdout_lines
   when: "item != 'nobody' and item not in (admin_usernames | union(non_admin_usernames))"
+
+
+- name: sudoers.d/80-admins
+  template: src=sudoers dest=/etc/sudoers.d/80-admins owner=root group=root mode=0440 validate='visudo -cf %s'
diff --git a/ansible/roles/ssh_users/templates/sudoers b/ansible/roles/ssh_users/templates/sudoers
new file mode 100644
index 00000000..35f19537
--- /dev/null
+++ b/ansible/roles/ssh_users/templates/sudoers
@@ -0,0 +1,4 @@
+# ansible-managed in roles/ssh_users/templates/sudoers
+{% for username in admin_usernames %}
+{{ ssh_users[username].login }} ALL=(ALL:ALL) NOPASSWD: ALL
+{% endfor %}
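Review bot: The `ansible.builtin.git` task added in this hunk sets no `version:`, so the clone tracks the remote default branch and the module's default `update: yes` moves the checkout to whatever that branch's HEAD is on every run; the task is therefore not idempotent, and any push to that branch changes what lands on the controller without a review step on this side. Pin the checkout to a reviewed ref, `version: "<pinned-tag-or-sha>"`, and bump it deliberately; if following a moving branch is the intent, name it explicitly with `version: <branch-name>` so the choice is visible in the play. The hunk also says nothing about who should own `/srv/devops`; presumably the checkout ends up owned by the account running the play, which deserves a one-line comment if that is root.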
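Review bot: The new `template:` task on the last line of the ssh_users hunk is written as a legacy `key=value` argument string, while the sibling hunk in `ansible_controller/tasks/main.yml` and the task just above it use block YAML with `ansible.builtin.*` FQCNs; the long single line also buries the `validate` argument, which is the one that matters for safety here. Rewriting it as a block makes each argument diffable, but `mode` must then be quoted, because a plain `0440` is read as an octal integer (288) by YAML 1.1 parsers and Ansible would apply the wrong permission bits. Keep `visudo -cf %s` exactly as it is, since it is what stops a broken render from being installed into `/etc/sudoers.d`.
```yaml
- name: sudoers.d/80-admins
  ansible.builtin.template:
    src: sudoers
    dest: /etc/sudoers.d/80-admins
    owner: root
    group: root
    mode: "0440"
    validate: "visudo -cf %s"
```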
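Review bot: Every entry in `admin_usernames` is rendered with `ALL=(ALL:ALL) NOPASSWD: ALL`, so possession of any admin's SSH key is unconditional root on every host this role runs on, with no password prompt as a second check; that is a deliberate design decision and the header comment should state it rather than only noting the file is ansible-managed, e.g. `# Every admin_usernames entry gets passwordless root; a leaked admin key is full root on this host.` If passwordless sudo is only needed for automation, a separate narrower rule for that account and dropping `NOPASSWD:` for interactive admins would limit the blast radius. Note also that the rendered user field comes straight from `ssh_users[username].login`: an undefined `login` should fail the render under Ansible's default strict-undefined behaviour, but one containing spaces or sudoers metacharacters is only caught by the `visudo -cf` validation in the task hunk, so a comment here pointing at that dependency would help a maintainer who edits this template on its own.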