users: implement support for all 3 options sudo/doas/please for sudo_provider
parent
3854a5f380
commit
048ee930bf
|
@ -42,7 +42,7 @@ This is an Ansible playbook to deploy my system configurations for desktop usage
|
|||
|
||||
## 🖊️ Notes
|
||||
|
||||
- This playbook assumes that the person running it is me 😃. It might do specific tasks that you don't like. Use with your own risks.
|
||||
- This playbook assumes that the person running it is me 😃 and targets a single-user AlpineLinux system. It might do specific tasks that you don't like. Use with your own risks.
|
||||
|
||||
- The playbook assumes it's only run once. As such it doesn't take into account conflicted services when switching options in later runs.
|
||||
|
||||
|
|
|
@ -25,6 +25,8 @@ ntp_client: ntpsec
|
|||
|
||||
dns_resolver: dnscrypt-proxy
|
||||
|
||||
sudo_provider: doas
|
||||
|
||||
# Configurations ───────────────────────────────────────────────────────────────────
|
||||
|
||||
repository: https://ftp.udx.icscoe.jp/Linux/alpine
|
||||
|
@ -34,6 +36,9 @@ username: follie
|
|||
# Don't specify "seat" or "polkitd" group here
|
||||
usergroups: [wheel, input, audio, video, libvirt, users, pipewire]
|
||||
|
||||
# Commands the wheel group is allowed to run without password
|
||||
nopasswd_commands: [halt, reboot, poweroff, pm-suspend, dhcp_release]
|
||||
|
||||
# Public NTP pools: https://www.ntppool.org/en/use.html
|
||||
# Public NTS-enabled servers: https://github.com/jauderho/nts-servers
|
||||
ntp_opts:
|
||||
|
@ -102,6 +107,7 @@ libvirt_daemons:
|
|||
- virtnodedevd
|
||||
- virtqemud
|
||||
- virtstoraged
|
||||
- virtproxyd
|
||||
|
||||
# Whether to use `iwd` or `eiwd`
|
||||
iwd_without_dbus: false
|
||||
|
|
|
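Review bot: The comment `# Commands the wheel group is allowed to run without password` above `nopasswd_commands` in the second hunk misstates the scope of the grant: every provider file in this commit applies the list to `{{ username }}` only (the doas `permit nopass {{ username }}` rule, the `[{{ username }}_run_nopasswd]` please section, the sudoers entry with `user: '{{ username }}'`), while wheel members still need a password. Suggest `# Commands {{ username }} may run as root without a password (wheel still needs one)` so anyone editing this list knows who is being granted password-less escalation. Since the list is consumed by three different rule syntaxes, a second line noting that entries are bare command names and not paths would also help the reader of the provider files.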
@ -65,3 +65,8 @@ ntp_client:
|
|||
dns_resolver:
|
||||
- dnscrypt-proxy
|
||||
- unbound
|
||||
|
||||
sudo_provider:
|
||||
- doas
|
||||
- please
|
||||
- sudo
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
# pm-suspend is from pm-utils package (required by libvirt-client)
|
||||
- name: user | Add doas config for user {{ username }}
|
||||
blockinfile:
|
||||
path: /etc/doas.conf
|
||||
block: |
|
||||
permit persist :wheel
|
||||
{% if nopasswd_commands | length > 0 %}
|
||||
{% for command in nopasswd_commands %}
|
||||
permit nopass {{ username }} cmd {{ command }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
marker: '# {mark} ANSIBLE MANAGED SETTINGS'
|
||||
owner: root
|
||||
group: root
|
||||
mode: '600'
|
||||
validate: /usr/bin/doas -C %s
|
|
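Review bot: The comment `# pm-suspend is from pm-utils package (required by libvirt-client)` at the top of the new file no longer describes anything in it, since pm-suspend now arrives through `nopasswd_commands` from the vars file; it should move next to that list. The generated rules deserve a comment on their scope: as I read the doas matching rules, `cmd` is compared with the command word exactly as the user typed it, so `doas halt` matches `cmd halt` but `doas /sbin/halt` does not, and with no `args` clause any arguments are accepted; suggest `# cmd matches the literal command word (no path resolution); without an 'args' clause any arguments are allowed` above the `{% for %}` loop. `permit persist :wheel` also replaces the previous per-user `permit persist {{ username }}` line and so widens who can escalate with a password to the whole group, which is worth stating in a one-line comment for the next reader.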
@ -1,9 +1,4 @@
|
|||
---
|
||||
- name: user | Install doas
|
||||
community.general.apk:
|
||||
name: doas
|
||||
state: present
|
||||
|
||||
- name: user | Install {{ usershell }}
|
||||
community.general.apk:
|
||||
name: '{{ usershell }}'
|
||||
|
@ -23,7 +18,7 @@
|
|||
state: present
|
||||
comment: Kawaii Linux user
|
||||
|
||||
- name: user | Double check group '{{ username }}'
|
||||
- name: user | Double check the existence of group '{{ username }}'
|
||||
group:
|
||||
name: '{{ username }}'
|
||||
state: present
|
||||
|
@ -45,18 +40,10 @@
|
|||
- seat
|
||||
when: seat_manager == 'seatd'
|
||||
|
||||
# pm-suspend is from pm-utils package (required by libvirt-client)
|
||||
- name: user | Add doas config for user {{ username }}
|
||||
blockinfile:
|
||||
path: /etc/doas.conf
|
||||
block: |
|
||||
permit persist {{ username }}
|
||||
permit nopass {{ username }} cmd halt
|
||||
permit nopass {{ username }} cmd reboot
|
||||
permit nopass {{ username }} cmd poweroff
|
||||
permit nopass {{ username }} cmd pm-suspend
|
||||
marker: '# {mark} CUSTOM SETTINGS FOR THE NORMAL USER'
|
||||
owner: root
|
||||
group: root
|
||||
mode: '600'
|
||||
validate: /usr/bin/doas -C %s
|
||||
- name: user | Install {{ sudo_provider }}
|
||||
community.general.apk:
|
||||
name: '{{ sudo_provider }}'
|
||||
state: present
|
||||
|
||||
- name: user | Configure privilege escalation rules
|
||||
include_tasks: '{{ sudo_provider }}.yml'
|
||||
|
|
|
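Review bot: Switching `sudo_provider` on a later run installs the newly selected provider and includes only its rules (the `include_tasks: '{{ sudo_provider }}.yml'` line at the end of the last hunk), but nothing removes the previously configured provider or its rule file, so a doas, please or sudoers configuration from an earlier choice keeps granting password-less escalation alongside the new one. The README states the playbook is meant for a single run, but for a privilege-escalation setting it is worth either setting the two unselected packages to `state: absent` and clearing their rule files, or at least a comment above the include such as `# Only the selected provider is configured; a previously configured provider keeps its rules`. If `sudo_provider` is not already asserted against the allowed values elsewhere in the playbook, an `assert` before the apk task would catch a typo before it becomes an install of an unintended package.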
@ -0,0 +1,49 @@
|
|||
---
|
||||
# This allows the validation below to pass
|
||||
- name: user | Ensure /etc/please.ini exists
|
||||
file:
|
||||
path: /etc/please.ini
|
||||
mode: '600'
|
||||
owner: root
|
||||
group: root
|
||||
state: touch
|
||||
|
||||
- name: user | Configure please's privilege escalation rules
|
||||
blockinfile:
|
||||
path: /etc/please.ini
|
||||
block: |
|
||||
[wheel_run_as_anyone]
|
||||
name=wheel
|
||||
group=true
|
||||
target=^.*$
|
||||
regex=^.*$
|
||||
require_pass=true
|
||||
|
||||
[wheel_edit_anything]
|
||||
name=wheel
|
||||
group=true
|
||||
target=root
|
||||
type=edit
|
||||
regex=^.*$
|
||||
require_pass=true
|
||||
|
||||
[wheel_list_rules]
|
||||
name=wheel
|
||||
group=true
|
||||
target=^.*$
|
||||
type=list
|
||||
require_pass=false
|
||||
{% if nopasswd_commands | length > 0 %}
|
||||
|
||||
[{{ username }}_run_nopasswd]
|
||||
name={{ username }}
|
||||
target=root
|
||||
regex=^((/usr(/local)?)?/s?bin/)?{{ '(' ~ (nopasswd_commands | list | join('|')) ~ ')' }}(\s+.*)?$
|
||||
require_pass=false
|
||||
{% endif %}
|
||||
marker: ; {mark} ANSIBLE MANAGED SETTINGS
|
||||
validate: /usr/bin/please --check %s
|
||||
mode: '600'
|
||||
owner: root
|
||||
group: root
|
||||
state: present
|
|
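Review bot: The `regex=` line of the `[{{ username }}_run_nopasswd]` section joins the raw entries of `nopasswd_commands` into a regular expression without escaping, so an entry containing a metacharacter (a `.` or `+` in a command name) would match more than intended; the current list only uses `-` and `_`, so this is latent, but `regex=^((/usr(/local)?)?/s?bin/)?({{ nopasswd_commands | map('regex_escape') | join('|') }})(\s+.*)?$` closes it. The `(\s+.*)?$` tail deliberately admits any arguments, which is consistent with the doas and sudoers rules in this commit and deserves a short comment saying so. Separately, the `state: touch` task at the top of the file reports changed on every run; adding `modification_time: preserve` and `access_time: preserve` keeps it idempotent while still creating the file.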
@ -0,0 +1,23 @@
|
|||
---
|
||||
- name: user | Allow wheel group to run commands as root
|
||||
community.general.sudoers:
|
||||
name: allow-wheel-group
|
||||
group: wheel
|
||||
commands: ALL
|
||||
host: ALL
|
||||
runas: ALL:ALL
|
||||
validation: required
|
||||
nopassword: false
|
||||
state: present
|
||||
|
||||
- name: user | Allow running commands as root without password for user {{ username }}
|
||||
community.general.sudoers:
|
||||
name: allow-{{ username }}-user
|
||||
user: '{{ username }}'
|
||||
commands: '{{ nopasswd_commands | list }}'
|
||||
host: ALL
|
||||
runas: ALL:ALL
|
||||
validation: required
|
||||
nopassword: true
|
||||
state: present
|
||||
when: nopasswd_commands | length > 0
|
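Review bot: `commands: '{{ nopasswd_commands | list }}'` in the second task hands bare names such as `halt` to the sudoers module, but as far as I know the sudoers grammar requires a fully-qualified path for every command entry, so with `validation: required` the task would fail at the visudo check (and without validation the rule would never match a real invocation); the doas and please rules cope with bare names, only this one does not. Either require absolute paths in `nopasswd_commands` or resolve them first, for example a `command: command -v {{ item }}` loop registered into a variable and `commands: '{{ resolved.results | map(attribute="stdout") | list }}'`. `runas: ALL:ALL` on the password-less rule also lets `{{ username }}` run those commands as any user or group, whereas the please rule uses `target=root`; `runas: root` here would keep the providers equivalent.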