---
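# doas is the privilege-escalation tool whose rules are written further down
# (/etc/doas.d). `community.general.apk` is the canonical module name; the nested
# `community.general.packaging.os.apk` path only resolves through a deprecated
# redirect in the collection's meta/runtime.yml.
- name: user | Install doas
  community.general.apk:
    name: doas
    state: present
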
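# Install the package for the requested login shell, unless it is one of the
# shells that are already present (ash/sh). `usershell` must also be a key of
# `shell_mappings`, which the user task below uses to resolve the binary path.
# Canonical module name instead of the deprecated nested redirect path.
- name: user | Install {{ usershell }}
  community.general.apk:
    name: '{{ usershell }}'
    state: present
  when: usershell not in ['ash', 'sh']
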
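# System group that the pam_limits rules at the end of this file are scoped to
# (domain "@{{ realtime_group }}"). Fully-qualified module name for consistency
# with the community.general modules used in this file.
- name: user | Create {{ realtime_group }} group
  ansible.builtin.group:
    name: '{{ realtime_group }}'
    system: true
    state: present
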
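# Create the primary interactive user.
# - `password` is a plaintext secret and is expected to come from an encrypted
#   source (ansible-vault), never from a committed vars file. `password_hash`
#   generates a fresh random salt on every run, so the hash is never stable;
#   `update_password: on_create` is what keeps this task idempotent and stops a
#   later run from silently resetting a password the user has since changed.
# - `append: true` keeps any groups the user already has; the list below is
#   only added to, never used to strip memberships.
# - NOTE(review): `input` group membership is presumably what grants read
#   access to /dev/input/* — any process running as this user could then
#   observe raw keystrokes. Keep it only if the desktop setup needs it.
# - NOTE(review): `libvirt` presumably grants access to the system libvirtd
#   socket, which is effectively root-equivalent; confirm that is intended.
- name: user | Create a normal user
  ansible.builtin.user:
    name: '{{ username }}'
    password: '{{ password | password_hash("sha512") }}'
    update_password: on_create
    append: true
    groups:
      - wheel
      - input
      - audio
      - video
      - libvirt
      - users
      - '{{ realtime_group }}'
    create_home: true
    home: '/home/{{ username }}'
    shell: '{{ shell_mappings[usershell] }}'
    state: present
    comment: Kawaii Linux user
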
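# Belt-and-braces: make sure a group named after the user exists regardless of
# how the user was created, so later tasks can refer to it by name.
- name: user | Double check that group '{{ username }}' exists
  ansible.builtin.group:
    name: '{{ username }}'
    state: present
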
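# We restrict /proc read permission to polkitd group (presumably a hidepid-style
# mount elsewhere in the role), so users outside that group only see their own
# processes.
# NOTE(review): adding {{ username }} here exempts them from that restriction —
# they can enumerate every process on the host. Confirm this is the intended
# trade-off for polkit agents to work.
- name: user | Add the user to polkitd group
  ansible.builtin.user:
    name: '{{ username }}'
    append: true   # add polkitd on top of the groups assigned above
    groups:
      - polkitd
  when: use_polkit
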
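# Only relevant when seatd is the seat manager: the `seat` group is what seatd
# uses to decide who may open its socket and get device access.
- name: user | Add the user to seat group
  ansible.builtin.user:
    name: '{{ username }}'
    append: true   # keep the groups assigned above
    groups:
      - seat
  when: seat_manager == 'seatd'
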
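# Keep the doas drop-in directory root-owned and closed to others, so rule
# files are neither readable nor replaceable by unprivileged users.
# The mode is quoted on purpose: an unquoted 0750 is an octal *integer* to the
# YAML 1.1 parser Ansible uses (which happens to work), while a value without
# the leading zero would be misread as decimal; '0750' is unambiguous.
- name: user | Ensure correct permissions for directory /etc/doas.d/
  ansible.builtin.file:
    path: /etc/doas.d
    state: directory
    owner: root
    group: root
    mode: '0750'
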
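# pm-suspend is from pm-utils package (required by libvirt-client)
#
# Rules managed here:
# - `permit persist {{ username }}` grants this user unrestricted root after a
#   password prompt, with no re-prompt until the persist window expires. This
#   is the equivalent of a full sudoers entry; the `nopass` rules below are only
#   a convenience so power management does not prompt at all.
# - A `cmd` rule without an `args` clause permits any arguments to that command
#   (doas.conf(5)); for halt/reboot/poweroff/pm-suspend that is acceptable.
# Ownership and mode are enforced because doas refuses a config that is not
# owned by root or is group/world-writable, and `validate` runs `doas -C` on the
# temporary file first, so a syntax error never replaces the live config.
# NOTE(review): blockinfile does not create a missing file (`create` defaults
# to false), so this relies on the doas package shipping /etc/doas.d/doas.conf
# — verify on the target Alpine release. `persist` presumably also needs a doas
# build with timestamp support; if absent, `doas -C` rejects the rule, which is
# the safe failure mode.
- name: user | Add config for {{ username }} user to doas.conf
  ansible.builtin.blockinfile:
    path: /etc/doas.d/doas.conf
    block: |
      permit persist {{ username }}
      permit nopass {{ username }} cmd halt
      permit nopass {{ username }} cmd reboot
      permit nopass {{ username }} cmd poweroff
      permit nopass {{ username }} cmd pm-suspend
    marker: '# {mark} CUSTOM SETTINGS FOR THE NORMAL USER'
    owner: root
    group: root
    mode: '0600'   # quoted: unambiguous octal string, see the /etc/doas.d task
    validate: /usr/bin/doas -C %s
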
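# Per-group resource limits for the real-time group. `limit_type: '-'` sets the
# soft and the hard limit together (limits.conf(5)), so members cannot raise
# the limit above the configured value themselves. `realtime_pam_limits` is a
# list of mappings with `item` (the limit name) and `value` keys; a dedicated
# drop-in file under limits.d keeps these rules separate from the distro file.
# pam_limits lives in community.general, hence the fully-qualified name.
- name: user | Add pam_limits rules for {{ realtime_group }} group
  community.general.pam_limits:
    domain: '@{{ realtime_group }}'
    limit_type: '-'
    limit_item: '{{ item.item }}'
    value: '{{ item.value }}'
    dest: '/etc/security/limits.d/95-{{ realtime_group }}.conf'
  loop: '{{ realtime_pam_limits }}'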