users: implement support for all 3 options sudo/doas/please for sudo_provider

2023-10-01 00:00:00 +07:00 · 2023-10-01 00:00:00 +07:00 · 048ee930bf
parent 3854a5f380
commit 048ee930bf
7 changed files with 109 additions and 22 deletions
--- a/README.md
+++ b/README.md
@ -42,7 +42,7 @@ This is an Ansible playbook to deploy my system configurations for desktop usage

 ## 🖊️ Notes

- This playbook assumes that the person running it is me 😃. It might do specific tasks that you don't like. Use with your own risks.
+- This playbook assumes that the person running it is me 😃 and targets a single-user AlpineLinux system. It might do specific tasks that you don't like. Use with your own risks.

 - The playbook assumes it's only run once. As such it doesn't take into account conflicted services when switching options in later runs.

--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@ -25,6 +25,8 @@ ntp_client: ntpsec

 dns_resolver: dnscrypt-proxy

+sudo_provider: doas
+
 # Configurations ───────────────────────────────────────────────────────────────────

 repository: https://ftp.udx.icscoe.jp/Linux/alpine
@ -34,6 +36,9 @@ username: follie
 # Don't specify "seat" or "polkitd" group here
 usergroups: [wheel, input, audio, video, libvirt, users, pipewire]

+# Commands the wheel group is allowed to run without password
+nopasswd_commands: [halt, reboot, poweroff, pm-suspend, dhcp_release]
+
 # Public NTP pools: https://www.ntppool.org/en/use.html
 # Public NTS-enabled servers: https://github.com/jauderho/nts-servers
 ntp_opts:
@ -102,6 +107,7 @@ libvirt_daemons:
  - virtnodedevd
  - virtqemud
  - virtstoraged
+  - virtproxyd

 # Whether to use `iwd` or `eiwd`
 iwd_without_dbus: false
--- a/requirements/accepted_variables.yml
+++ b/requirements/accepted_variables.yml
@ -65,3 +65,8 @@ ntp_client:
 dns_resolver:
  - dnscrypt-proxy
  - unbound
+
+sudo_provider:
+  - doas
+  - please
+  - sudo
--- a/roles/user/tasks/doas.yml
+++ b/roles/user/tasks/doas.yml
@ -0,0 +1,17 @@
+---
+# pm-suspend is from pm-utils package (required by libvirt-client)
+- name: user | Add doas config for user {{ username }}
+  blockinfile:
+    path: /etc/doas.conf
+    block: |
+      permit persist :wheel
+      {% if nopasswd_commands | length > 0 %}
+      {% for command in nopasswd_commands %}
+      permit nopass {{ username }} cmd {{ command }}
+      {% endfor %}
+      {% endif %}
+    marker: '# {mark} ANSIBLE MANAGED SETTINGS'
+    owner: root
+    group: root
+    mode: '600'
+    validate: /usr/bin/doas -C %s
--- a/roles/user/tasks/main.yml
+++ b/roles/user/tasks/main.yml
@ -1,9 +1,4 @@
 ---
- name: user | Install doas
-  community.general.apk:
-    name: doas
-    state: present
-
 - name: user | Install {{ usershell }}
  community.general.apk:
    name: '{{ usershell }}'
@ -23,7 +18,7 @@
    state: present
    comment: Kawaii Linux user

- name: user | Double check group '{{ username }}'
+- name: user | Double check the existence of group '{{ username }}'
  group:
    name: '{{ username }}'
    state: present
@ -45,18 +40,10 @@
      - seat
  when: seat_manager == 'seatd'

-# pm-suspend is from pm-utils package (required by libvirt-client)
- name: user | Add doas config for user {{ username }}
-  blockinfile:
-    path: /etc/doas.conf
-    block: |
-      permit persist {{ username }}
-      permit nopass {{ username }} cmd halt
-      permit nopass {{ username }} cmd reboot
-      permit nopass {{ username }} cmd poweroff
-      permit nopass {{ username }} cmd pm-suspend
-    marker: '# {mark} CUSTOM SETTINGS FOR THE NORMAL USER'
-    owner: root
-    group: root
-    mode: '600'
-    validate: /usr/bin/doas -C %s
+- name: user | Install {{ sudo_provider }}
+  community.general.apk:
+    name: '{{ sudo_provider }}'
+    state: present
+
+- name: user | Configure privilege escalation rules
+  include_tasks: '{{ sudo_provider }}.yml'
--- a/roles/user/tasks/please.yml
+++ b/roles/user/tasks/please.yml
@ -0,0 +1,49 @@
+---
+# This allows the validation below to pass
+- name: user | Ensure /etc/please.ini exists
+  file:
+    path: /etc/please.ini
+    mode: '600'
+    owner: root
+    group: root
+    state: touch
+
+- name: user | Configure please's privilege escalation rules
+  blockinfile:
+    path: /etc/please.ini
+    block: |
+      [wheel_run_as_anyone]
+      name=wheel
+      group=true
+      target=^.*$
+      regex=^.*$
+      require_pass=true
+
+      [wheel_edit_anything]
+      name=wheel
+      group=true
+      target=root
+      type=edit
+      regex=^.*$
+      require_pass=true
+
+      [wheel_list_rules]
+      name=wheel
+      group=true
+      target=^.*$
+      type=list
+      require_pass=false
+      {% if nopasswd_commands | length > 0 %}
+
+      [{{ username }}_run_nopasswd]
+      name={{ username }}
+      target=root
+      regex=^((/usr(/local)?)?/s?bin/)?{{ '(' ~ (nopasswd_commands | list | join('|')) ~ ')' }}(\s+.*)?$
+      require_pass=false
+      {% endif %}
+    marker: ; {mark} ANSIBLE MANAGED SETTINGS
+    validate: /usr/bin/please --check %s
+    mode: '600'
+    owner: root
+    group: root
+    state: present
--- a/roles/user/tasks/sudo.yml
+++ b/roles/user/tasks/sudo.yml
@ -0,0 +1,23 @@
+---
+- name: user | Allow wheel group to run commands as root
+  community.general.sudoers:
+    name: allow-wheel-group
+    group: wheel
+    commands: ALL
+    host: ALL
+    runas: ALL:ALL
+    validation: required
+    nopassword: false
+    state: present
+
+- name: user | Allow running commands as root without password for user {{ username }}
+  community.general.sudoers:
+    name: allow-{{ username }}-user
+    user: '{{ username }}'
+    commands: '{{ nopasswd_commands | list }}'
+    host: ALL
+    runas: ALL:ALL
+    validation: required
+    nopassword: true
+    state: present
+  when: nopasswd_commands | length > 0