diff --git a/gcube/authorization_service/meta/main.yml b/gcube/authorization_service/meta/main.yml
new file mode 100644
index 00000000..ca19ed7e
--- /dev/null
+++ b/gcube/authorization_service/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - ../../library/roles/tomcat-multiple-instances
+ - ../../library/roles/nginx
diff --git a/ipa-server/defaults/main.yml b/ipa-server/defaults/main.yml
new file mode 100644
index 00000000..993e0396
--- /dev/null
+++ b/ipa-server/defaults/main.yml
@@ -0,0 +1,17 @@
+---
+ipa_server_install: False
+ipa_server_use_dns: True
+
+ipa_server_domain: example.org
+ipa_server_realm: '{{ ipa_server_domain | upper }}'
+
+ipa_server_packages:
+ - ipa-server
+
+ipa_server_dns_packages:
+ - ipa-server-dns
+
+ipa_installation_options: '--external-cert-file=/etc/pki/ipa/{{ ipa_letsencrypt_ca_filename }} --external-cert-file={{ letsencrypt_acme_certs_dir }}/fullchain --external-cert=file={{ letsencrypt_acme_certs_dir }}/privkey -r {{ ipa_server_realm }} -n {{ ipa_server_domain }} -a {{ ipa_admin_password }} -p {{ ipa_manager_password }} --hostname={{ ansible_fqdn }} -U --setup-dns --no-forwarders --no-reverse --zonemgr=s2i2s-master@isti.cnr.it'
+
+ipa_ssl_letsencrypt_managed: True
+ipa_letsencrypt_ca_filename: lets-encrypt-x3-cross-signed.pem
diff --git a/ipa-server/files/lets-encrypt-x3-cross-signed.pem b/ipa-server/files/lets-encrypt-x3-cross-signed.pem
new file mode 100644
index 00000000..edb4954e
--- /dev/null
+++ b/ipa-server/files/lets-encrypt-x3-cross-signed.pem
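Review bot: `ipa_installation_options` embeds `{{ ipa_admin_password }}` and `{{ ipa_manager_password }}` as `-a`/`-p` arguments, so whichever task eventually runs ipa-server-install with this string will expose both secrets in the process table and in Ansible's task output unless it sets `no_log: true`; nothing in this change consumes the variable yet, so record the requirement next to it, e.g. `# carries the admin and Directory Manager passwords: any task using it must set no_log: true and the values must come from a vault`. The same string contains `--external-cert=file={{ letsencrypt_acme_certs_dir }}/privkey`, which looks like a typo for `--external-cert-file=` and will presumably be rejected as an unknown option. `--external-cert-file` is also the installer option for an externally signed IPA CA certificate, and Let's Encrypt issues end-entity certificates only, so feeding it the ACME `fullchain`/`privkey` is unlikely to produce a working install — confirm whether the service-certificate options (`--http-cert-file`/`--dirsrv-cert-file`) were intended. Minor: the `--zonemgr` mailbox is hard-coded to one institution rather than a variable, and `True`/`False` should be lowercase per yamllint's truthy rule.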
@@ -0,0 +1,47 @@ +-----BEGIN CERTIFICATE----- +MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ +MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow +SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT +GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF +q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8 +SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0 +Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA +a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj +/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T +AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG +CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv +bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k +c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw +VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC +ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz +MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu +Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF +AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo +uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/ +wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu +X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG +PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6 +KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ +MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow +PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD 
+Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O +rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq +OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b +xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw +7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD +aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV +HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG +SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 +ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr +AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz +R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 +JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo +Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ +-----END CERTIFICATE----- diff --git a/ipa-server/tasks/main.yml b/ipa-server/tasks/main.yml new file mode 100644 index 00000000..09e8d00d --- /dev/null +++ b/ipa-server/tasks/main.yml 
@@ -0,0 +1,31 @@
+---
+- block:
+# - name: Create the acme hooks directory if it does not yet exist
+# file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
+
+# - name: Install a script that fix the letsencrypt certificate for ipa and then reload the service
+# template: src=ipa-letsencrypt-acmetool.sh dest={{ letsencrypt_acme_services_scripts_dir }}/ipa owner=root group=root mode=4555
+
+ - name: Create the ipa certificate directory
+ file: dest=/etc/pki/ipa state=directory owner=root group=root mode=0750
+
+ - name: Install the Letsencrypt CA file with both the root and the trusted CAs
+ copy: src={{ ipa_letsencrypt_ca_filename }} dest=/etc/pki/ipa/{{ ipa_letsencrypt_ca_filename }} mode=0444
+
+ when:
+ - ipa_ssl_letsencrypt_managed
+ - letsencrypt_acme_install
+ tags: [ 'ipa', 'letsencrypt', 'ipa_letsencrypt' ]
+
+- block:
+ - name: Install the FreeIPA server packages
+ yum: pkg={{ ipa_server_packages }} state=present
+
+ - name: Install the FreeIPA DNS server packages
+ yum: pkg={{ ipa_server_dns_packages }} state=present
+
+ when:
+ - ipa_server_install
+ - ansible_distribution_file_variety == "RedHat"
+
+ tags: [ 'ipa' ]
diff --git a/motd/defaults/main.yml b/motd/defaults/main.yml
new file mode 100644
index 00000000..c04b27f4
--- /dev/null
+++ b/motd/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+motd_setup: True
+
+motd_additional_text: "\nThis host runs services\n"
+
+deb_motd_packages:
+ - update-notifier-common
+ - landscape-common
\ No newline at end of file
diff --git a/motd/tasks/deb_motd.yml b/motd/tasks/deb_motd.yml
new file mode 100644
index 00000000..72367a38
--- /dev/null
+++ b/motd/tasks/deb_motd.yml
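Review bot: The first block's `when` references `letsencrypt_acme_install`, which this role's defaults do not define, so on a host where the letsencrypt role is not applied the block aborts with an undefined-variable error instead of being skipped; use `- letsencrypt_acme_install | default(False)`. The CA bundle the `copy` task installs is a checked-in copy of one specific Let's Encrypt intermediate plus its cross-signing root, each with a fixed validity window, so the trust chain will silently go stale when that intermediate is rotated or expires; prefer the chain the ACME client already writes under `letsencrypt_acme_certs_dir`, or at least document the expiry next to the task, e.g. `# pinned intermediate: must be refreshed when Let's Encrypt rotates its issuing CA`. Note also that the hook that would feed the renewed certificate into IPA is commented out, so `ipa_ssl_letsencrypt_managed` currently only places the CA file — worth saying so in a comment so nobody assumes the renewal is wired up. The `copy` task should set `owner=root group=root` explicitly like the directory task above it.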
@@ -0,0 +1,17 @@
+---
+- block:
+ - name: Install the packages that manage the dynamic motd file on debian based distributions
+ apt: pkg={{ deb_motd_packages }} state=present update_cache=yes cache_valid_time=3600
+ register: motd_pkgs
+
+ - name: Install our motd template file on debian based distributions
+ template: src=motd.j2 dest=/etc/static-motd owner=root group=root mode=0644
+
+ - name: Install the dynamic merge script of the motd file on debian based distributions
+ template: src=update_motd.j2 dest=/etc/update-motd.d/05-motd-message owner=root group=root mode=0755
+
+ - name: Initialise the motd prompt on debian based distributions
+ command: run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic
+ when: motd_pkgs is changed
+
+ tags: motd
diff --git a/motd/tasks/main.yml b/motd/tasks/main.yml
new file mode 100644
index 00000000..89caf1d0
--- /dev/null
+++ b/motd/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- import_tasks: deb_motd.yml
+ when: ansible_distribution_file_variety == "Debian"
+
+- import_tasks: rh_motd.yml
+ when: ansible_distribution_file_variety == "RedHat"
diff --git a/motd/tasks/rh_motd.yml b/motd/tasks/rh_motd.yml
new file mode 100644
index 00000000..ba773d88
--- /dev/null
+++ b/motd/tasks/rh_motd.yml
@@ -0,0 +1,6 @@
+- block:
+ - name: Install our motd template file on RH/CentOS based distributions
+ template: src=motd.j2 dest=/etc/motd owner=root group=root mode=0644
+
+ tags: motd
+ 
\ No newline at end of file
diff --git a/motd/templates/motd.j2 b/motd/templates/motd.j2
new file mode 100644
index 00000000..b4fd8e86
--- /dev/null
+++ b/motd/templates/motd.j2
@@ -0,0 +1,2 @@
+
+{{ motd_additional_text }}
diff --git a/motd/templates/update_motd.j2 b/motd/templates/update_motd.j2
new file mode 100644
index 00000000..95bff2d9
--- /dev/null
+++ b/motd/templates/update_motd.j2
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+cat /etc/static-motd
+
+exit 0
diff --git a/orientdb/defaults/main.yml b/orientdb/defaults/main.yml
index 67553147..b5462b6f 100644
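Review bot: The `command` module does not go through a shell, so in `command: run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic` the `>` and `/run/motd.dynamic` are handed to run-parts as extra arguments instead of redirecting its output, and `/run/motd.dynamic` is never written; change it to `shell: run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic`. The `when: motd_pkgs is changed` guard only fires on the run that installs the packages; if the intent is to refresh the banner whenever the template or merge script changes, register those two template tasks too and run the refresh when any of the three changed. The second and third tasks also depend on `/etc/update-motd.d` existing, which is created by the packages installed just above — a one-line comment on the apt task would make that ordering explicit.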
--- a/orientdb/defaults/main.yml
+++ b/orientdb/defaults/main.yml
@@ -1,10 +1,10 @@
 ---
 orientdb_install: False
 orientdb_enabled: True
-orientdb_version: 2.2.36
+orientdb_version: 3.0.15
 orientdb_archive_commpression: tar.gz
-orientdb_dir: 'orientdb-community'
-orientdb_tar_filename: '{{ orientdb_dir }}-importers-{{ orientdb_version }}'
+orientdb_dir: 'orientdb'
+orientdb_tar_filename: '{{ orientdb_dir }}-{{ orientdb_version }}'
 orientdb_tar_file: '{{ orientdb_tar_filename }}.{{ orientdb_archive_commpression }}'
 orientdb_binary_distribution_url: 'https://s3.us-east-2.amazonaws.com/orientdb3/releases/{{ orientdb_version }}/{{ orientdb_tar_file }}'
 orientdb_user: orientdb
@@ -63,7 +63,7 @@ orientdb_hazelcast_multicast_group: 235.1.1.1
 orientdb_hazelcast_multicast_port: 2434
-# For Reference see http://orientdb.com/docs/2.2/Automatic-Backup.html
+# For Reference see http://orientdb.com/docs/3.0.x/plugins/Automatic-Backup.html
 orientdb_automatic_backup: True
 orientdb_automatic_backup_mode: 'EXPORT'
 orientdb_automatic_backup_export_options: ''
diff --git a/smartgears/smartgears/vars/main.yml b/smartgears/smartgears/vars/main.yml
new file mode 100644
index 00000000..05867ab8
--- /dev/null
+++ b/smartgears/smartgears/vars/main.yml
@@ -0,0 +1,7 @@
+---
+additional_data_directories:
+ - { name: '{{ d4science_user_home }}', perms: 0755, create: False, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rX' }
+ - { name: '{{ d4science_user_home }}/tomcat/lib/logback.xml', perms: 0644, create: False, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
+ - { name: '/etc/default/tomcat-instance-{{ smartgears_http_port }}', perms: 0644, create: False, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rX' }
+ - { name: '/etc/default/tomcat-instance-{{ smartgears_http_port }}.local', perms: 0644, create: False, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rX' }
+ - { name: '/var/log', create: False, perms: 0755, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rX' }
diff --git a/ubuntu-deb-general/defaults/main.yml b/ubuntu-deb-general/defaults/main.yml
index a0c6abec..a5659adf 100644
--- a/ubuntu-deb-general/defaults/main.yml
+++ b/ubuntu-deb-general/defaults/main.yml
@@ -132,10 +132,14 @@ additional_ca_dest_dir: /usr/local/share/ca-certificates
 # - { file: "local-ca.crt", dest_file: '{{ additional_ca_dest_dir }}/infn-ca.crt' }
 #
-default_security_limits:
+root_security_limits:
 - { domain: 'root', l_item: 'nofile', type: 'soft', value: '8192' }
 - { domain: 'root', l_item: 'nofile', type: 'hard', value: '8192' }
+users_security_limits: []
+
+default_security_limits: '{{ root_security_limits }}'
+
 # default_rsyslog_custom_rules:
 # - ':msg, contains, "icmp6_send: no reply to icmp error" ~'
 # - ':msg, contains, "[PYTHON] Can\'t call the metric handler function for" ~'
diff --git a/ubuntu-deb-general/meta/main.yml b/ubuntu-deb-general/meta/main.yml
index efc43e15..8bde6019 100644
--- a/ubuntu-deb-general/meta/main.yml
+++ b/ubuntu-deb-general/meta/main.yml
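Review bot: The last entry grants `common_users_group` an `rX` ACL on `/var/log`, and the consumer of `additional_data_directories` (in user_services_perms, the same commit) applies that ACL recursively and as a default ACL, so every current and future log on the host — including files normally restricted to root/adm such as authentication logs — becomes readable by every member of that group; scope the entry to the application's own log directory or drop it. The `logback.xml` entry gets `rwX`, which lets those users rewrite the service's logging configuration (appender targets, included files) rather than merely read it; `rX` is probably what is wanted. Because this file is in `vars/` it takes precedence over inventory and play variables, so a host cannot narrow the list without editing the role — consider `defaults/`. Also quote the octal modes (`perms: '0755'`); unquoted they are parsed as integers by YAML 1.1 loaders.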
@@ -5,6 +5,7 @@ dependencies:
 - role: '../../library/roles/deb-set-hostname'
 - role: '../../library/roles/deb-set-locale'
 - role: '../../library/roles/timezone'
+ - role: '../../library/roles/motd'
 - role: '../../library/roles/linux-kernel-sysctl'
 - role: '../../library/roles/sshd_config'
 - role: '../../library/roles/fail2ban'
diff --git a/ubuntu-deb-general/tasks/manage_su_limits.yml b/ubuntu-deb-general/tasks/manage_su_limits.yml
index 73652c22..3d9ce48e 100644
--- a/ubuntu-deb-general/tasks/manage_su_limits.yml
+++ b/ubuntu-deb-general/tasks/manage_su_limits.yml
@@ -3,8 +3,13 @@
 lineinfile: dest=/etc/pam.d/su line="session required pam_limits.so" insertafter="^#\ \(Replaces\ the\ use\ of\ /etc/limits.*$"
 tags: [ 'su', 'pam_limits']
-- name: Change the default security limits
- pam_limits: domain={{ item.domain }} limit_type={{ item.type }} limit_item={{ item.l_item }} value={{ item.value }}
- with_items: '{{ default_security_limits }}'
+- name: Change the root user security limits
+ pam_limits: domain=root limit_type={{ item.type }} limit_item={{ item.l_item }} value={{ item.value }}
+ with_items: '{{ root_security_limits }}'
+ tags: [ 'su', 'pam_limits']
+
+- name: Change other users security limits
+ pam_limits: domain={{ item.domain }} limit_type={{ item.type }} limit_item={{ item.l_item }} value={{ item.value }}
+ with_items: '{{ users_security_limits }}'
 tags: [ 'su', 'pam_limits']
diff --git a/user_services_perms/defaults/main.yml b/user_services_perms/defaults/main.yml
new file mode 100644
index 00000000..8926572e
--- /dev/null
+++ b/user_services_perms/defaults/main.yml
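Review bot: The root task hard-codes `domain=root` while still iterating `root_security_limits`, whose entries carry their own `domain` field, so an entry with any other domain would be silently applied to root; either keep the two in sync with `pam_limits: domain={{ item.domain }} ...` as the second task does, or drop the `domain` key from `root_security_limits` so the data cannot disagree with the task. Both tasks use single-line key=value module arguments; block YAML (`pam_limits:` with `domain:`, `limit_type:`, `limit_item:`, `value:` keys) is the recommended Ansible form and makes a mismatch like this easier to see in review.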
@@ -0,0 +1,14 @@
+---
+service_sudoers_group: adminsu
+
+common_users_group: service_g
+# Define the following if you want some directories readable and writable by the common group but outside the default app data dirs
+#additional_data_directories:
+# - { name: '/data/1', perms: 0755, create: True, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
+# - { name: '/data/2', create: False, perms: 0755, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
+# - { name: '/data/bah', create: False, perms: 0644, aclperms: 'rw' }
+
+# Define the following array when you want to add commands to the sudoers file
+#service_sudo_commands:
+# - /etc/init.d/virtuoso-opensource-7
+# - /sbin/reboot
diff --git a/user_services_perms/meta/main.yml b/user_services_perms/meta/main.yml
new file mode 100644
index 00000000..df990e06
--- /dev/null
+++ b/user_services_perms/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - '../../library/roles/users'
diff --git a/user_services_perms/tasks/common-users-data-dirs.yml b/user_services_perms/tasks/common-users-data-dirs.yml
new file mode 100644
index 00000000..3a40bcdb
--- /dev/null
+++ b/user_services_perms/tasks/common-users-data-dirs.yml
@@ -0,0 +1,25 @@
+---
+- block:
+ - name: Create the common group used to setup acls
+ group: name={{ common_users_group }} state=present system=yes
+ when: additional_data_directories is defined
+
+ - name: Add selected users to the commong group
+ user: name={{ item.login }} groups={{ common_users_group }} append=yes
+ with_items: '{{ users_system_users | default([]) }}'
+ when: additional_data_directories is defined
+
+ - name: Create the users additional data dirs
+ file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
+ with_items: '{{ additional_data_directories | default([]) }}'
+ when: item.create and not item.file
+
+ - name: Set the read/write/access permissions on the users additional data dirs
+ acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present recursive=yes
+ with_items: '{{ additional_data_directories | default([]) }}'
+
+ - name: Set the default read/write/access permissions on the users additional data dirs
+ acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes
+ with_items: '{{ additional_data_directories | default([]) }}'
+
+ tags: [ 'users', 'users_acl' ]
diff --git a/user_services_perms/tasks/main.yml b/user_services_perms/tasks/main.yml
new file mode 100644
index 00000000..be1cc6f1
--- /dev/null
+++ b/user_services_perms/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- import_tasks: sudoers-groups.yml
+- import_tasks: sudo-config.yml
+- import_tasks: common-users-data-dirs.yml
+ when: additional_data_directories is defined
diff --git a/user_services_perms/tasks/sudo-config.yml b/user_services_perms/tasks/sudo-config.yml
new file mode 100644
index 00000000..77c20c58
--- /dev/null
+++ b/user_services_perms/tasks/sudo-config.yml
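Review bot: The "Create the users additional data dirs" task tests `item.file`, but neither the documented entry format in this role's defaults nor the smartgears vars that feed it define a `file` key, so the first entry with `create: True` fails with an undefined-variable error (today only Jinja's short-circuit on `create: False` hides it); guard both keys: `when: item.create | default(False) and not (item.file | default(False))`. The third acl task applies `default=yes` to every entry, and default ACLs are only valid on directories, so entries that name plain files (the `logback.xml` and `/etc/default/...` paths in the smartgears vars) will presumably fail there; add `when: not (item.file | default(False))` to that task and mark such entries with `file: True`, or test the path with `stat` first. Both acl tasks are `recursive=yes`, so a broad `name` like `/var/log` opens the whole tree beneath it to the group — worth a comment on the task so entries are chosen with that in mind. Also "commong" in the second task name is a typo.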
@@ -0,0 +1,6 @@
+---
+- name: Install the sudoers config that allows users to execute some privileged commands
+ template: src=service-sudoers.j2 dest=/etc/sudoers.d/service-group owner=root group=root mode=0440
+ when: service_sudo_commands is defined
+ tags: [ 'service', 'sudo', 'users' ]
+
diff --git a/user_services_perms/tasks/sudoers-groups.yml b/user_services_perms/tasks/sudoers-groups.yml
new file mode 100644
index 00000000..bcacc8ae
--- /dev/null
+++ b/user_services_perms/tasks/sudoers-groups.yml
@@ -0,0 +1,18 @@
+---
+- block:
+ - name: Add the additional service groups
+ group: name={{ item }} state=present
+ with_items:
+ - '{{ service_sudoers_group }}'
+
+ - name: Add selected users to the limited sudoers group
+ user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
+ with_items: '{{ users_system_users | default([]) }}'
+ when: item.limited_sudoers_user
+
+ - name: Remove selected users to the limited sudoers group
+ user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
+ with_items: '{{ users_system_users | default([]) }}'
+ when: not item.limited_sudoers_user
+
+ tags: [ 'services', 'users' ]
diff --git a/user_services_perms/templates/service-sudoers.j2 b/user_services_perms/templates/service-sudoers.j2
new file mode 100644
index 00000000..b550ff8d
--- /dev/null
+++ b/user_services_perms/templates/service-sudoers.j2
@@ -0,0 +1,2 @@
+%{{ service_sudoers_group }} ALL=(ALL) NOPASSWD: {% for cmd in service_sudo_commands %}{{ cmd }}{% if not loop.last %}, {% endif %}{% endfor %}
+
diff --git a/users/defaults/main.yml b/users/defaults/main.yml
index 9d0ecda9..1ca43f58 100644
--- a/users/defaults/main.yml
+++ b/users/defaults/main.yml
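Review bot: The "Remove selected users to the limited sudoers group" task in sudoers-groups.yml is a verbatim copy of the add task (`groups={{ service_sudoers_group }} append=yes`), so users with `limited_sudoers_user: False` are added to the group too and every account in `users_system_users` ends up with the NOPASSWD rules rendered by service-sudoers.j2; the `user` module cannot drop a single supplementary group under `append=yes`, so remove the membership with `gpasswd -d` as below. Both tasks also dereference `item.limited_sudoers_user` without a default, which aborts the play for any user entry that omits the key. In sudo-config.yml the file is written to `/etc/sudoers.d` without `validate: '/usr/sbin/visudo -cf %s'`, so a malformed `service_sudo_commands` entry — or an empty list, which renders a dangling `NOPASSWD: ` — breaks sudo for everyone on the host. Finally, the rendered rule permits each command with arbitrary arguments; if only argument-less invocation is intended, document that next to `service_sudo_commands` and append `""` to the entries.

```yaml
  # … unchanged: group creation and the "Add selected users" task …
  - name: Remove selected users from the limited sudoers group
    command: gpasswd -d {{ item.login }} {{ service_sudoers_group }}
    register: sudoers_group_removal
    changed_when: sudoers_group_removal.rc == 0
    failed_when: sudoers_group_removal.rc != 0 and 'is not a member' not in sudoers_group_removal.stderr
    with_items: '{{ users_system_users | default([]) }}'
    when: not (item.limited_sudoers_user | default(False))
```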
@@ -5,7 +5,9 @@
 # Users can have sudo privileges if the 'admin' property is 'true'
 # admin users can also directly log as root when 'user_admin_can_log_as_root' is set to 'true'
-users_sudoers_group: sudo
+deb_users_sudoers_group: sudo
+rh_users_sudoers_group: wheel
+users_sudoers_group: '{{ deb_users_sudoers_group }}'
 users_sudoers_create_group: False
 users_sudoers_create_sudo_conf: False
 users_home_dir: /home
diff --git a/users/tasks/main.yml b/users/tasks/main.yml
index 9f2bfe3d..6622e6e8 100644
--- a/users/tasks/main.yml
+++ b/users/tasks/main.yml
@@ -22,10 +22,37 @@
 with_items: '{{ users_system_users | default([]) }}'
 when: item.ssh_key is defined
- - name: Add the admin users to the sudoers group
- user: name={{ item.login }} groups={{ users_sudoers_group }} append=yes
+ - name: Add the admin users to the sudoers group on debian based systems
+ user: name={{ item.login }} groups={{ deb_users_sudoers_group }} append=yes
 with_items: '{{ users_system_users | default([]) }}'
- when: item.admin
+ when:
+ - item.admin
+ - ansible_distribution_file_variety == "Debian"
+
+ - name: Permit sudo without password
+ lineinfile:
+ path: /etc/sudoers
+ state: present
+ regexp: '^%{{ deb_users_sudoers_group }}\s'
+ line: '%{{ deb_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL'
+ when: ansible_distribution_file_variety == "Debian"
+ tags: [ 'users', 'sudo_wheel' ]
+
+ - name: Add the admin users to the sudoers group on rh/centos systems
+ user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes
+ with_items: '{{ users_system_users | default([]) }}'
+ when:
+ - item.admin
+ - ansible_distribution_file_variety == "RedHat"
+
+ - name: Permit sudo without password
+ lineinfile:
+ path: /etc/sudoers
+ state: present
+ regexp: '^%{{ rh_users_sudoers_group }}\s'
+ line: '%{{ rh_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL'
+ when: ansible_distribution_file_variety == "RedHat"
+ tags: [ 'users', 'sudo_wheel' ]
 - name: ensure that the users can login with their ssh keys as root if we want ensure direct access
 authorized_key: user=root key="{{ item.ssh_key }}" state=present
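Review bot: Both "Permit sudo without password" tasks edit `/etc/sudoers` in place with `lineinfile` and no `validate`, so a bad render (for instance an empty group variable producing `% ALL=(ALL) ...`) leaves every targeted host without working sudo; add `validate: '/usr/sbin/visudo -cf %s'` to each. They also run unconditionally — unlike the membership tasks they are not tied to any `item.admin` and they ignore the role's existing `users_sudoers_create_sudo_conf` flag (`False` in defaults) — and they replace the distribution's stock `%sudo`/`%wheel` line, which requires a password, with `NOPASSWD: ALL`, a silent policy change for any host that already had admin users; if that flag is meant to govern this, gate both tasks with `when: users_sudoers_create_sudo_conf` next to the distro check, otherwise document the decision in the task. The two tasks share one name; make them distinct (`... on debian based systems` / `... on rh/centos systems`) so run output is unambiguous. The enclosing block starts before this hunk.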