From c22ee2941daf60cd3647b1c1159c30bc823fd965 Mon Sep 17 00:00:00 2001
From: Andy Pfister
Date: Tue, 17 Oct 2023 17:57:37 +0200
Subject: [PATCH] Revoke sudo permissions

---
 tasks/main.yml | 19 +++++++++++++++++++
 tasks/revoke-sudo.yml | 10 ++++++++++
 2 files changed, 29 insertions(+)
 create mode 100644 tasks/revoke-sudo.yml

diff --git a/tasks/main.yml b/tasks/main.yml
index 93484c4..14c1a97 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -38,6 +38,25 @@
 append: yes
 loop: "{{ linux_accounts_sudo_users }}"
+- name: Get sudo group informations
+ getent:
+ database: group
+ key: sudo
+- name: "Get users in sudo group"
+ set_fact:
+ users_in_sudo_group: "{{ ansible_facts.getent_group['sudo'][2] | split(',') }}"
+- name: "Set accounts to revoke sudo permissions"
+ set_fact:
+ sudo_to_be_removed: "{{ users_in_sudo_group | reject('in', (linux_accounts_sudo_users)) }}"
+- name: "Revoke sudo permissions"
+ include_tasks: revoke-sudo.yml
+ loop: "{{ sudo_to_be_removed | difference(linux_accounts_sudo_users) }}"
+ loop_control:
+ loop_var: user
+
 - name: "Create .ssh directory for user accounts"
 file:
 path: "~{{ item.key }}/.ssh"
diff --git a/tasks/revoke-sudo.yml b/tasks/revoke-sudo.yml
new file mode 100644
index 0000000..f8bf3db
--- /dev/null
+++ b/tasks/revoke-sudo.yml
@@ -0,0 +1,10 @@
+- name: Get groups for user '{{ user }}'
+ command: "groups {{ user }}"
+ register: current_groups
+ changed_when: false
+
+- name: Revoke 'sudo' for '{{ user }}'
+ user:
+ name: "{{ user }}"
+ groups: "{{ current_groups.stdout | replace(user + ' : ', '') | replace('sudo', '') | split }}"
+ append: no
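Review bot: `users_in_sudo_group` in the second added task of tasks/main.yml holds a single empty string when the sudo group has no members, because `'' | split(',')` yields `['']`; that entry passes both `reject('in', …)` and `difference(…)`, so the include loop runs once with `user` empty and the per-user tasks in revoke-sudo.yml then act on an empty account name. Dropping falsy entries fixes it: `users_in_sudo_group: "{{ ansible_facts.getent_group['sudo'][2] | split(',') | select | list }}"`. The `difference(linux_accounts_sudo_users)` on the include loop repeats what `reject('in', …)` already did and can be dropped. Nothing stops the account Ansible connects as from being revoked when it is not listed in `linux_accounts_sudo_users`, which would break privilege escalation for the rest of the play; consider also rejecting `ansible_user_id`, or failing early when it appears in `sudo_to_be_removed`. The getent task also fails on hosts that have no `sudo` group (distributions using `wheel`), which may be intended but deserves a comment such as `# Debian-style hosts only: sudo group must exist`.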
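Review bot: `replace('sudo', '')` on the `groups:` line of tasks/revoke-sudo.yml is a substring replacement, so any other group whose name contains `sudo` (a constructed example: `sudo-admins`) is mangled into a non-existent or wrong group name just before the user module rewrites the whole membership list with `append: no`. Filter by whole token instead: `groups: "{{ current_groups.stdout | replace(user + ' : ', '') | split | reject('equalto', 'sudo') | list }}"`. The parse also presumes the `user : g1 g2` output format of coreutils `groups`; on platforms that print only the group list the first replace is a no-op, which still works but is worth a comment on the command task. Because that output starts with the primary group, it is re-applied as a supplementary group; the membership already gathered via getent in main.yml could be used instead of the extra command round-trip. Prefer `append: false` over `append: no` for the YAML-1.2-safe boolean spelling.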