From e4f94a3ab645d9a53edd28b592491eed68c40cc8 Mon Sep 17 00:00:00 2001
From: Someone <someone@somenet.org>
Date: Fri, 4 Oct 2024 13:42:33 +0200
Subject: [PATCH] [roles/base/ansible/setup] set role defaults, install sudo,
 create remote-management-user + env

---
 .../setup/files/default/authorized_keys       |   8 ++
 .../base/ansible/setup/files/default/sudoers  |  61 +++++++++++
 .../setup/files/default/sudoers.d.ansible     |   9 ++
 roles/base/ansible/setup/tasks/main.yml       | 101 ++++++++++++++++++
 4 files changed, 179 insertions(+)
 create mode 100644 roles/base/ansible/setup/files/default/authorized_keys
 create mode 100644 roles/base/ansible/setup/files/default/sudoers
 create mode 100644 roles/base/ansible/setup/files/default/sudoers.d.ansible
 create mode 100644 roles/base/ansible/setup/tasks/main.yml

diff --git a/roles/base/ansible/setup/files/default/authorized_keys b/roles/base/ansible/setup/files/default/authorized_keys
new file mode 100644
index 0000000..5d71d13
--- /dev/null
+++ b/roles/base/ansible/setup/files/default/authorized_keys
@@ -0,0 +1,8 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone <someone@somenet.org>
+#
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG5GnAMN6EfWmBWZUnVkHSBh5rLskXi+3vUju3k7H7OO somesible_provisioner.2020-12
diff --git a/roles/base/ansible/setup/files/default/sudoers b/roles/base/ansible/setup/files/default/sudoers
new file mode 100644
index 0000000..fd8ac61
--- /dev/null
+++ b/roles/base/ansible/setup/files/default/sudoers
@@ -0,0 +1,61 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone <someone@somenet.org>
+#
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults    env_reset
+Defaults    mail_badpass
+Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# This fixes CVE-2005-4890 and possibly breaks some versions of kdesu
+# (#1011624, https://bugs.kde.org/show_bug.cgi?id=452532)
+Defaults    use_pty
+
+# This preserves proxy settings from user environments of root
+# equivalent users (group sudo)
+#Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"
+
+# This allows running arbitrary commands, but so does ALL, and it means
+# different sudoers have their choice of editor respected.
+#Defaults:%sudo env_keep += "EDITOR"
+
+# Completely harmless preservation of a user preference.
+#Defaults:%sudo env_keep += "GREP_COLOR"
+
+# While you shouldn't normally run git as root, you need to with etckeeper
+#Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"
+
+# Per-user preferences; root won't have sensible values for them.
+#Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"
+
+# "sudo scp" or "sudo rsync" should be able to use your SSH agent.
+#Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"
+
+# Ditto for GPG agent
+#Defaults:%sudo env_keep += "GPG_AGENT_INFO"
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root    ALL=(ALL:ALL) ALL
+
+# Allow members of group sudo to execute any command
+%sudo   ALL=(ALL:ALL) NOPASSWD: ALL
+
+# See sudoers(5) for more information on "@include" directives:
+
+@includedir /etc/sudoers.d
diff --git a/roles/base/ansible/setup/files/default/sudoers.d.ansible b/roles/base/ansible/setup/files/default/sudoers.d.ansible
new file mode 100644
index 0000000..48fe0c4
--- /dev/null
+++ b/roles/base/ansible/setup/files/default/sudoers.d.ansible
@@ -0,0 +1,9 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone <someone@somenet.org>
+#
+
+ansible ALL=(ALL:ALL) NOPASSWD: ALL
diff --git a/roles/base/ansible/setup/tasks/main.yml b/roles/base/ansible/setup/tasks/main.yml
new file mode 100644
index 0000000..02e801c
--- /dev/null
+++ b/roles/base/ansible/setup/tasks/main.yml
@@ -0,0 +1,101 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone <someone@somenet.org>
+#
+# sudo-user for remote provisioning and periodic local provisioning.
+#
+---
+- name: install sudo
+  apt:
+    pkg:
+    - acl
+    - sudo
+    state: present
+    policy_rc_d: 101
+  tags: "online"
+  ignore_errors: "{{ignore_online_errors | bool}}"
+
+
+- name: create ansible public-files dir
+  file:
+    path: "/opt/somesible"
+    state: directory
+    mode: 0755
+    owner: "root"
+    group: "root"
+
+
+- name: create ansible user
+  user:
+    name: "ansible"
+    uid: 609
+    home: "/var/ansible"
+    shell: "/bin/bash"
+    createhome: no
+    system: yes
+    group: "root"
+    state: present
+
+
+- name: create ansible user's homedir
+  file:
+    path: "/var/ansible"
+    state: directory
+    mode: 0700
+    owner: "ansible"
+    group: "root"
+
+
+- name: add ansible to sudoers
+  copy:
+    src: "{{item}}"
+    dest: "/etc/sudoers.d/ansible"
+    mode: 0440
+    owner: "root"
+    group: "root"
+    validate: /usr/sbin/visudo -cf %s
+  with_first_found:
+    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/sudoers.d.ansible"
+    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/sudoers.d.ansible"
+    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/sudoers.d.ansible"
+    - "default/sudoers.d.ansible"
+
+
+- name: override default sudoers file
+  copy:
+    src: "{{item}}"
+    dest: "/etc/sudoers"
+    mode: 0440
+    owner: "root"
+    group: "root"
+    validate: /usr/sbin/visudo -cf %s
+  with_first_found:
+    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/sudoers"
+    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/sudoers"
+    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/sudoers"
+    - "default/sudoers"
+
+
+- name: set ansible .ssh-dir permissions
+  file:
+    path: "/var/ansible/.ssh"
+    state: directory
+    mode: 0700
+    owner: "ansible"
+    group: "root"
+
+
+- name: copy authorized_keys
+  copy:
+    src: "{{item}}"
+    dest: "/var/ansible/.ssh/authorized_keys"
+    mode: 0600
+    owner: "ansible"
+    group: "root"
+  with_first_found:
+    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/authorized_keys"
+    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/authorized_keys"
+    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/authorized_keys"
+    - "default/authorized_keys"
-- 
2.43.0