From 5aaee7646b5826827d69e02ac9bca58d94f6702a Mon Sep 17 00:00:00 2001
From: Christoph
Date: Thu, 1 Oct 2020 01:21:46 +0200
Subject: [PATCH] Update.
---
 group_vars/all/main.yml | 109 +++++++++++++++---
 roles/common/tasks/main.yml | 14 ++-
 roles/common/tasks/pure-ftpd-install.yml | 9 ++
 .../tasks/{sudoers.yml => sudoers-pc.yml} | 12 +-
 roles/common/tasks/sudoers-server.yml | 57 +++++++++
 .../sudoers.d/{50-user.j2 => 50-user.pc.j2} | 10 +-
 .../templates/etc/sudoers.d/50-user.server.j2 | 53 +++++++++
 .../etc/{sudoers.j2 => sudoers.pc.j2} | 14 +--
 roles/common/templates/etc/sudoers.server.j2 | 53 +++++++++
 9 files changed, 297 insertions(+), 34 deletions(-)
 rename roles/common/tasks/{sudoers.yml => sudoers-pc.yml} (56%)
 create mode 100644 roles/common/tasks/sudoers-server.yml
 rename roles/common/templates/etc/sudoers.d/{50-user.j2 => 50-user.pc.j2} (66%)
 create mode 100644 roles/common/templates/etc/sudoers.d/50-user.server.j2
 rename roles/common/templates/etc/{sudoers.j2 => sudoers.pc.j2} (73%)
 create mode 100644 roles/common/templates/etc/sudoers.server.j2
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index 0894b83..d8d35dc 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -1283,50 +1283,131 @@ samba_shares: # ========== -# vars used by roles/common/tasks/sudoers.yml +# vars used by roles/common/tasks/sudoers-pc.yml # ========== -sudo_users: +sudo_pc_users: - chris - sysadm # /etc/sudoers # -sudoers_defaults: +sudoers_pc_defaults: - env_reset - mail_badpass - 'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"' -sudoers_host_aliases: [] +sudoers_pc_host_aliases: [] -sudoers_user_aliases: [] +sudoers_pc_user_aliases: [] -sudoers_cmnd_aliases: [] +sudoers_pc_cmnd_aliases: [] -sudoers_runas_aliases: [] +sudoers_pc_runas_aliases: [] -sudoers_user_privileges: +sudoers_pc_user_privileges: - name: root entry: 'ALL=(ALL:ALL) ALL' -sudoers_group_privileges: [] +sudoers_pc_group_privileges: [] # /etc/sudoers.d/50-user # -sudoers_file_defaults: [] +sudoers_pc_file_defaults: [] -sudoers_file_host_aliases: [] +sudoers_pc_file_host_aliases: [] -sudoers_file_user_aliases: [] +sudoers_pc_file_user_aliases: [] -sudoers_file_cmnd_aliases: +sudoers_pc_file_cmnd_aliases: - name: MOUNT entry: '/bin/mount,/bin/umount' -sudoers_file_runas_aliases: [] +sudoers_pc_file_runas_aliases: [] + + + +# ========== +# vars used by roles/common/tasks/sudoers-server.yml +# ========== + +sudo_server_users: + - chris + - sysadm + +# /etc/sudoers +# +sudoers_server_defaults: + - env_reset + - mail_badpass + - 'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"' + +sudoers_server_host_aliases: [] + +sudoers_server_user_aliases: [] + +sudoers_server_cmnd_aliases: [] + +sudoers_server_runas_aliases: [] + +sudoers_server_user_privileges: + - name: root + entry: 'ALL=(ALL:ALL) ALL' + +sudoers_server_group_privileges: [] + +sudoers_server_remove_user: + - back + - www-data + + +# /etc/sudoers.d/50-user +# +sudoers_server_file_defaults: [] + +sudoers_server_file_host_aliases: [] + +sudoers_server_file_user_aliases: [] + +sudoers_server_file_cmnd_aliases: [] + +sudoers_server_file_runas_aliases: [] + 
+sudoers_server_file_user_back_privileges:
+ - 'ALL=(root) NOPASSWD: /usr/bin/rsync'
+ - 'ALL=(root) NOPASSWD: /usr/bin/find'
+ - 'ALL=(root) NOPASSWD: /usr/bin/realpath'
+
+sudoers_server_file_user_back_disk_privileges:
+ - 'ALL=(root) NOPASSWD: /usr/bin/which'
+ - 'ALL=(root) NOPASSWD: /sbin/hdparm -I /dev/*'
+ - 'ALL=(root) NOPASSWD: /sbin/fdisk'
+ - 'ALL=(root) NOPASSWD: /sbin/sgdisk'
+ - 'ALL=(root) NOPASSWD: /sbin/sfdisk -d /dev/*'
+ - 'ALL=(root) NOPASSWD: /bin/dd if=/dev/*'
+ - 'ALL=(root) NOPASSWD: /sbin/parted'
+ - 'ALL=(root) NOPASSWD: /sbin/gdisk'
+
+# sudoers_server_file_user_privileges
+# - name:
+# entry:
+# - name :
+# entry:
+# - ...
+#
+sudoers_server_file_user_privileges: []
+
+# sudoers_server_file_group_privileges
+# - name:
+# entry:
+# - name :
+# entry:
+# - ...
+#
+sudoers_server_file_group_privileges: []
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index b9802b6..726b54b 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -165,13 +165,23 @@ - root-files-scripts -# tags supported inside sudoers.yml: +# tags supported inside sudoers-pc.yml: # # sudoers-remove # sudoers-file-configuration # sudoers-global-configuration -- import_tasks: sudoers.yml +- import_tasks: sudoers-pc.yml when: "groups['client_pc']|string is search(inventory_hostname)" tags: - sudoers +# tags supported inside sudoers-server.yml: +# +# sudoers-remove +# sudoers-file-configuration +# sudoers-global-configuration +- import_tasks: sudoers-server.yml + when: "groups['file_server']|string is search(inventory_hostname)" + tags: + - sudoers +
diff --git a/roles/common/tasks/pure-ftpd-install.yml b/roles/common/tasks/pure-ftpd-install.yml
index 07f2d94..4c6fc53 100644
--- a/roles/common/tasks/pure-ftpd-install.yml
+++ b/roles/common/tasks/pure-ftpd-install.yml
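Review bot: The NOPASSWD entries added under `sudoers_server_file_user_back_privileges` and `sudoers_server_file_user_back_disk_privileges` constrain the program path but not its arguments, and rsync, find, dd and the partitioning tools all take arguments that write arbitrary files or run further programs, so for the `back` account these rules amount to passwordless root rather than a scoped backup grant. The `/dev/*` wildcards do not narrow that: sudoers(5) documents that a `*` in a command argument also matches whitespace, so `/bin/dd if=/dev/*` accepts any further arguments after `if=`. If a limited backup account is the intent, pin each entry to its exact argument list (or wrap the calls in a root-owned script with fixed arguments and grant only that), and record the accepted risk above the variable, e.g. `# NOTE: entries without an explicit argument list are equivalent to full root for 'back'`.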
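Review bot: The new `when:` on `import_tasks: sudoers-server.yml` reuses the substring test `groups['file_server']|string is search(inventory_hostname)`, which also matches any host whose name is a substring of a group member's name (and treats the hostname as a regular expression), so the server sudoers templates can overwrite /etc/sudoers on a host that is not in `file_server`. Test membership directly: `when: inventory_hostname in groups['file_server']`. The pc import above uses the same pattern, and a host that is in both `client_pc` and `file_server` has /etc/sudoers rendered by both imports with the last one winning; if the inventory allows that, the two conditions should be made mutually exclusive.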
@@ -1,5 +1,14 @@ --- +# ========== +# +# mostly copied from: +# https://github.com/gcoop-libre/ansible-role-pure-ftpd +# +# git clone https://github.com/gcoop-libre/ansible-role-pure-ftpd.git +# +# ========== + # --- # Install PureFTP Daemon # ---
diff --git a/roles/common/tasks/sudoers.yml b/roles/common/tasks/sudoers-pc.yml
similarity index 56%
rename from roles/common/tasks/sudoers.yml
rename to roles/common/tasks/sudoers-pc.yml
index fb277a6..9604d57 100644
--- a/roles/common/tasks/sudoers.yml
+++ b/roles/common/tasks/sudoers-pc.yml
@@ -1,8 +1,8 @@ --- -- name: (sudoers.yml) update specific sudoers configuration files (/etc/sudoers.d/) +- name: (sudoers-pc.yml) update specific sudoers configuration files (/etc/sudoers.d/) template: - src: etc/sudoers.d/50-user.j2 + src: etc/sudoers.d/50-user.pc.j2 dest: /etc/sudoers.d/50-user validate: visudo -cf %s owner: root
@@ -11,9 +11,9 @@ tags: - sudoers-file-configuration -- name: (sudoers.yml) update global sudoers configuration file +- name: (sudoers-pc.yml) update global sudoers configuration file template: - src: etc/sudoers.j2 + src: etc/sudoers.pc.j2 dest: /etc/sudoers owner: root group: root
@@ -22,11 +22,11 @@ tags: - sudoers-global-configuration -- name: (sudoers.yml) Ensure all sudo_users are in sudo group +- name: (sudoers-pc.yml) Ensure all sudo_users are in sudo group user: name: "{{ item }}" groups: sudo append: yes - with_items: "{{ sudo_users }}" + with_items: "{{ sudo_pc_users }}" tags: - sudo-users
diff --git a/roles/common/tasks/sudoers-server.yml b/roles/common/tasks/sudoers-server.yml
new file mode 100644
index 0000000..5302db8
--- /dev/null
+++ b/roles/common/tasks/sudoers-server.yml
@@ -0,0 +1,57 @@
+---
+
+#- name: (sudoers-server.yml) include variables
+# include_vars: "{{ item }}"
+# with_first_found:
+# - "sudoers-{{ inventory_hostname }}.yml"
+# - "sudoers-{{ ansible_distribution_release }}.yml"
+# - "sudoers-{{ ansible_distribution | lower }}.yml"
+# - "sudoers-default.yml"
+# tags:
+# - sudoers-remove
+# - sudoers-file-configuration
+# - sudoers-global-configuration
+
+- name: (sudoers-server.yml) Remove user entries in file /etc/sudoers
+ lineinfile:
+ dest: /etc/sudoers
+ state: absent
+ regexp: '^{{ item }}'
+ owner: root
+ group: root
+ mode: 0440
+ validate: visudo -cf %s
+ with_items: '{{ sudoers_server_remove_user }}'
+ tags:
+ - sudoers-remove
+
+- name: (sudoers-server.yml) update specific sudoers configuration files (/etc/sudoers.d/)
+ template:
+ src: etc/sudoers.d/50-user.server.j2
+ dest: /etc/sudoers.d/50-user
+ #validate: visudo -cf %s
+ owner: root
+ group: root
+ mode: 0440
+ tags:
+ - sudoers-file-configuration
+
+- name: (sudoers-server.yml) update global sudoers configuration file
+ template:
+ src: etc/sudoers.server.j2
+ dest: /etc/sudoers
+ owner: root
+ group: root
+ mode: 0440
+ #validate: visudo -cf %s
+ tags:
+ - sudoers-global-configuration
+
+- name: (sudoers-server.yml) Ensure all sudo_users are in sudo group
+ user:
+ name: "{{ item }}"
+ groups: sudo
+ append: yes
+ with_items: "{{ sudo_server_users }}"
+ tags:
+ - sudo-users
diff --git a/roles/common/templates/etc/sudoers.d/50-user.j2 b/roles/common/templates/etc/sudoers.d/50-user.pc.j2
similarity index 66%
rename from roles/common/templates/etc/sudoers.d/50-user.j2
rename to roles/common/templates/etc/sudoers.d/50-user.pc.j2
index ed81711..aad4371 100644
--- a/roles/common/templates/etc/sudoers.d/50-user.j2
+++ b/roles/common/templates/etc/sudoers.d/50-user.pc.j2
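Review bot: Both template tasks that write /etc/sudoers.d/50-user and /etc/sudoers have `validate: visudo -cf %s` commented out, unlike the lineinfile task above them and the pc variant, so a rendering mistake in either template replaces the live file with one sudo cannot parse and sudo stops working for every account on the host. Re-enable `validate: visudo -cf %s` on both tasks; visudo checks the candidate file before it is moved into place, which is the only safety net for a file that grants root. Separately, `regexp: '^{{ item }}'` in the remove task is unanchored at the end and interpolates the name into a regex unescaped, so `back` also deletes lines for a user such as `backup`; `regexp: '^{{ item | regex_escape }}\s'` limits it to the named user. The three `mode: 0440` values should be quoted (`mode: '0440'`) rather than relying on the YAML parser reading the leading zero as octal.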
@@ -1,26 +1,26 @@ # {{ ansible_managed }} -{% for item in sudoers_file_defaults | default([]) %} +{% for item in sudoers_pc_file_defaults | default([]) %} Defaults {{ item }} {% endfor %} # Host alias specification -{% for item in sudoers_file_host_aliases | default([]) %} +{% for item in sudoers_pc_file_host_aliases | default([]) %} Host_Alias {{ item.name }} = {{ item.entry }} {% endfor %} # User alias specification -{% for item in sudoers_file_user_aliases | default([]) %} +{% for item in sudoers_pc_file_user_aliases | default([]) %} User_Alias {{ item.name }} = {{ item.entry }} {% endfor %} # Cmnd alias specification -{% for item in sudoers_file_cmnd_aliases | default([]) %} +{% for item in sudoers_pc_file_cmnd_aliases | default([]) %} Cmnd_Alias {{ item.name }} = {{ item.entry }} {% endfor %} # Runas alias specification -{% for item in sudoers_file_runas_aliases | default([]) %} +{% for item in sudoers_pc_file_runas_aliases | default([]) %} Runas_Alias {{ item.name }} = {{ item.entry }} {% endfor %}
diff --git a/roles/common/templates/etc/sudoers.d/50-user.server.j2 b/roles/common/templates/etc/sudoers.d/50-user.server.j2
new file mode 100644
index 0000000..6449a5c
--- /dev/null
+++ b/roles/common/templates/etc/sudoers.d/50-user.server.j2
@@ -0,0 +1,53 @@
+# {{ ansible_managed }}
+
+{% for item in sudoers_server_file_defaults | default([]) %}
+Defaults {{ item }}
+{% endfor %}
+
+# Host alias specification
+{% for item in sudoers_server_file_host_aliases | default([]) %}
+Host_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# User alias specification
+{% for item in sudoers_server_file_user_aliases | default([]) %}
+User_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# Cmnd alias specification
+{% for item in sudoers_server_file_cmnd_aliases | default([]) %}
+Cmnd_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# Runas alias specification
+{% for item in sudoers_server_file_runas_aliases | default([]) %}
+Runas_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# User privilege specification
+
+{# rule for user 'back' #}
+{% for item in sudoers_server_file_user_back_privileges | default([]) %}
+back {{ item }}
+{% endfor -%}
+
+
+{%- if ansible_virtualization_role == 'host' %}
+
+{% for item in sudoers_server_file_user_back_disk_privileges | default([]) %}
+back {{ item }}
+{% endfor %}
+{% endif -%}
+
+{# other (host specific) rules #}
+{%- if (sudoers_server_file_user_privileges is defined and sudoers_server_file_user_privileges) %}
+
+{% for item in sudoers_server_file_user_privileges | default([]) %}
+{{ item.name }} {{ item.entry }}
+{% endfor %}
+{% endif %}
+
+# Group privilege specification
+{% for item in sudoers_server_file_group_privileges | default([]) %}
+{{ item.name }} {{ item.entry }}
+{% endfor -%}
diff --git a/roles/common/templates/etc/sudoers.j2 b/roles/common/templates/etc/sudoers.pc.j2
similarity index 73%
rename from roles/common/templates/etc/sudoers.j2
rename to roles/common/templates/etc/sudoers.pc.j2
index d8ea85b..d411a60 100644
--- a/roles/common/templates/etc/sudoers.j2
+++ b/roles/common/templates/etc/sudoers.pc.j2
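Review bot: `{%- if ansible_virtualization_role == 'host' %}` compares a gathered fact with no `default()`, so on a run with `gather_facts: false` (or a host where the virtualization facts are not available) the comparison should raise an undefined-variable error and the template task fails, while every other variable in this file is guarded with `| default([])`; `{%- if ansible_virtualization_role | default('') == 'host' %}` leaves the disk rules out in that case instead of failing. The account name `back` is hard-coded on the two `back {{ item }}` lines while the task file strips the same name from /etc/sudoers via `sudoers_server_remove_user`; a single variable for the backup user name would keep the two places in step. The closing `{% endfor -%}` strips the final newline, so the rendered file ends without one; ending with `{% endfor %}` avoids depending on sudo tolerating that.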
@@ -7,34 +7,34 @@ # # See the man page for details on how to write a sudoers file. # -{% for item in sudoers_defaults %} +{% for item in sudoers_pc_defaults %} {% if item != '' %} Defaults {{ item }} {% endif %} {% endfor %} # Host alias specification -{% for item in sudoers_host_aliases | default([]) %} +{% for item in sudoers_pc_host_aliases | default([]) %} Host_Alias {{ item.name }} = {{ item.entry }} {% endfor %} # User alias specification -{% for item in sudoers_user_aliases | default([]) %} +{% for item in sudoers_pc_user_aliases | default([]) %} User_Alias {{ item.name }} = {{ item.entry }} {% endfor %} # Cmnd alias specification -{% for item in sudoers_cmnd_aliases | default([]) %} +{% for item in sudoers_pc_cmnd_aliases | default([]) %} Cmnd_Alias {{ item.name }} = {{ item.entry }} {% endfor %} # Runas alias specification -{% for item in sudoers_runas_aliases | default([]) %} +{% for item in sudoers_pc_runas_aliases | default([]) %} Runas_Alias {{ item.name }} = {{ item.entry }} {% endfor %} # User privilege specification -{% for item in sudoers_user_privileges | default([]) %} +{% for item in sudoers_pc_user_privileges | default([]) %} {{ item.name }} {{ item.entry }} {% endfor %}
@@ -46,7 +46,7 @@ Runas_Alias {{ item.name }} = {{ item.entry }} # Group privilege specification -{% for item in sudoers_group_privileges | default([]) %} +{% for item in sudoers_pc_group_privileges | default([]) %} {{ item.name }} {{ item.entry }} {% endfor %}
diff --git a/roles/common/templates/etc/sudoers.server.j2 b/roles/common/templates/etc/sudoers.server.j2
new file mode 100644
index 0000000..5670066
--- /dev/null
+++ b/roles/common/templates/etc/sudoers.server.j2
@@ -0,0 +1,53 @@
+# {{ ansible_managed }}
+
+# This file MUST be edited with the 'visudo' command as root.
+#
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
+# See the man page for details on how to write a sudoers file.
+#
+{% for item in sudoers_server_defaults %}
+{% if item != '' %}
+Defaults {{ item }}
+{% endif %}
+{% endfor %}
+
+# Host alias specification
+{% for item in sudoers_server_host_aliases | default([]) %}
+Host_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# User alias specification
+{% for item in sudoers_server_user_aliases | default([]) %}
+User_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# Cmnd alias specification
+{% for item in sudoers_server_cmnd_aliases | default([]) %}
+Cmnd_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# Runas alias specification
+{% for item in sudoers_server_runas_aliases | default([]) %}
+Runas_Alias {{ item.name }} = {{ item.entry }}
+{% endfor %}
+
+# User privilege specification
+{% for item in sudoers_server_user_privileges | default([]) %}
+{{ item.name }} {{ item.entry }}
+{% endfor %}
+
+# Allow members of group sudo to execute any command
+%sudo ALL=(ALL:ALL) ALL
+
+# Group privilege specification
+
+{% for item in sudoers_server_group_privileges | default([]) %}
+{{ item.name }} {{ item.entry }}
+{% endfor %}
+
+# See sudoers(5) for more information on "#include" directives:
+
+#includedir /etc/sudoers.d
+
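Review bot: `{% for item in sudoers_server_defaults %}` on the Defaults loop lacks the `| default([])` that every other loop in this file carries, so a host without that variable fails to render instead of producing a file with no Defaults lines; `{% for item in sudoers_server_defaults | default([]) %}` matches the rest of the file. The `# Group privilege specification` stanza has a blank line between the comment and its loop where the other stanzas have none; dropping it keeps the rendered layout uniform. A short Jinja comment at the top, e.g. `{# rendered by roles/common/tasks/sudoers-server.yml; group sudo gets ALL here, the per-user NOPASSWD rules live in /etc/sudoers.d/50-user #}`, would tell a reader how the grants are split between the two files without appearing in the rendered output.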