feat: outsource sudoers management

Xenion1987 · Feb 16, 2025 · 59de6d4 · 59de6d4
1 parent 1a58ce9
commit 59de6d4
Show file tree

Hide file tree

Showing 9 changed files with 2 additions and 233 deletions.
diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
  Ansible role: user_management
 ===
 
-Manage users, their SSH public key enrollment and sudoers files via Ansible on Linux systems.
+Manage users and their SSH public key enrollment via Ansible on Linux systems.
 
 Requirements
 ---
@@ -27,21 +27,6 @@ main
 | `user_management_default_ssh_from` | `list` | `false` | | `[]` | Default, global `from=""` value added to `authorized_keys` for each user having `user_management_users.ssh_public_keys` defined |
 | `user_management_group_ssh_from` | `list` | `false` | | `[]` | `group_vars` specific `from=""` value added to `authorized_keys` for each user having `user_management_users.ssh_public_keys` defined |
 | `user_management_host_ssh_from` | `list` | `false` | | `[]` | `host_vars` specific `from=""` value added to `authorized_keys` for each user having `user_management_users.ssh_public_keys` defined |
-| `user_management_install_sudo` | `bool` | `false` | `false`, `true` | `true` | Installs `sudo` if set to `true`. |
-| `user_management_manage_sudoers_groups` | `bool` | `false` | `false`, `true` | `false` | Enable or disable sudoers management for groups. |
-| `user_management_manage_sudoers_users` | `bool` | `false` | `false`, `true` | `false` | Enable or disable sudoers management for users. |
-| `user_management_sudoers_groups` | `list` | `false` | | `[]` | A list of sudoers configurations for groups. |
-| `user_management_sudoers_groups.commands` | `list` | `false` | | `[]` | The commands allowed by the sudoers rule. <br />Multiple can be added by passing a list of commands. <br />Use `ALL` for all commands. |
-| `user_management_sudoers_groups.group` | `str` | `false` | | | The name of the group for the sudoers rule. <br />This option cannot be used in conjunction with `user`. |
-| `user_management_sudoers_groups.name` | `str` | `true` | | `user_management_mygroupname` | The name of the sudoers rule. |
-| `user_management_sudoers_groups.nopassword` | `bool` | `false` | `false`, `true` | `false` | Whether a password will be required to run the `sudo`'d command. |
-| `user_management_sudoers_groups.state` | `str` | `true` | `absent`, `present` | `present` | Whether the rule should exist or not. |
-| `user_management_sudoers_users` | `list` | `false` | | `[]` | A list of sudoers configurations for users. |
-| `user_management_sudoers_users.commands` | `list` | `false` | | `[]` | The commands allowed by the sudoers rule. <br />Multiple can be added by passing a list of commands. <br />Use `ALL` for all commands. |
-| `user_management_sudoers_users.name` | `str` | `true` | | `user_management_john.doe` | The name of the sudoers rule. |
-| `user_management_sudoers_users.nopassword` | `bool` | `false` | `false`, `true` | `false` | Whether a password will be required to run the `sudo`'d command. |
-| `user_management_sudoers_users.state` | `str` | `true` | `absent`, `present` | `present` | Whether the rule should exist or not. |
-| `user_management_sudoers_users.user` | `str` | `false` | | | The name of the user for the sudoers rule. <br />This option cannot be used in conjunction with `group`. |
 | `user_management_users` | `list` | `false` | | `[]` | List of users to be managed. |
 | `user_management_users.absolute_home_path` | `str` | `false` | | | Custom `$HOME` root path. Must be specified as absolute path. |
 | `user_management_users.custom_ssh_from` | `list` | `false` | | `[]` | `from=""` value added to `authorized_keys` if user has `user_management_users.ssh_public_keys` defined. <br />If `user_management_default_ssh_from` or `custom_ssh_from` is defined and not set to `'*'`, all values will be concatenated. |

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -2,7 +2,6 @@
 user_management_default_home_root: null
 user_management_default_home_move: false
 user_management_default_shell: null
-user_management_install_sudo: true
 
 user_management_default_primary_group: null
 user_management_default_secondary_groups: []
@@ -29,21 +28,3 @@ user_management_users:
     state: absent
     userdel_force: false
     userdel_remove: false
-
-user_management_manage_sudoers_groups: false
-user_management_sudoers_groups:
-  - name: user_management_mygroupname
-    group: user_management_mygroupname
-    commands:
-      - ALL
-    nopassword: false
-    state: absent
-
-user_management_manage_sudoers_users: false
-user_management_sudoers_users:
-  - name: user_management_john.doe
-    user: user_management_john.doe
-    commands:
-      - ALL
-    nopassword: false
-    state: absent
diff --git a/meta/argument_specs.yml b/meta/argument_specs.yml
@@ -70,127 +70,6 @@ argument_specs:
         # elements: str
         required: false
         type: list
-      user_management_install_sudo:
-        choices:
-          - false
-          - true
-        default: true
-        description:
-          - Installs `sudo` if set to `true`.
-        required: false
-        type: bool
-      user_management_manage_sudoers_groups:
-        choices:
-          - false
-          - true
-        default: false
-        description:
-          - Enable or disable sudoers management for groups.
-        required: false
-        type: bool
-      user_management_manage_sudoers_users:
-        choices:
-          - false
-          - true
-        default: false
-        description:
-          - Enable or disable sudoers management for users.
-        required: false
-        type: bool
-      user_management_sudoers_groups:
-        default: []
-        description:
-          - A list of sudoers configurations for groups.
-        # elements: dict
-        required: false
-        type: list
-        options:
-          commands:
-            default: []
-            description:
-              - The commands allowed by the sudoers rule.
-              - Multiple can be added by passing a list of commands.
-              - Use `ALL` for all commands.
-            # elements: str
-            required: false
-            type: list
-          group:
-            description:
-              - The name of the group for the sudoers rule.
-              - This option cannot be used in conjunction with `user`.
-            required: false
-            type: str
-          name:
-            default: user_management_mygroupname
-            description:
-              - The name of the sudoers rule.
-            required: true
-            type: str
-          nopassword:
-            choices:
-              - false
-              - true
-            default: false
-            description:
-              - Whether a password will be required to run the `sudo`'d command.
-            required: false
-            type: bool
-          state:
-            choices:
-              - "absent"
-              - "present"
-            default: "present"
-            description:
-              - Whether the rule should exist or not.
-            required: true
-            type: str
-      user_management_sudoers_users:
-        default: []
-        description:
-          - A list of sudoers configurations for users.
-        # elements: dict
-        required: false
-        type: list
-        options:
-          commands:
-            default: []
-            description:
-              - The commands allowed by the sudoers rule.
-              - Multiple can be added by passing a list of commands.
-              - Use `ALL` for all commands.
-            # elements: str
-            required: false
-            type: list
-          name:
-            default: user_management_john.doe
-            description:
-              - The name of the sudoers rule.
-            required: true
-            type: str
-          nopassword:
-            choices:
-              - false
-              - true
-            default: false
-            description:
-              - Whether a password will be required to run the `sudo`'d command.
-            required: false
-            type: bool
-          state:
-            choices:
-              - "absent"
-              - "present"
-            default: "present"
-            description:
-              - Whether the rule should exist or not.
-            required: true
-            type: str
-          user:
-            description:
-              - The name of the user for the sudoers rule.
-              - This option cannot be used in conjunction with `group`.
-            required: false
-            type: str
       user_management_users:
         default: []
         description:

diff --git a/meta/main.yml b/meta/main.yml
@@ -7,7 +7,7 @@ dependencies: []
 galaxy_info:
   role_name: "user_management"
   author: "Xenion1987"
-  description: "Manage users, their SSH public key enrollment and sudoers files via Ansible on Linux systems."
+  description: "Manage users and their SSH public key enrollment via Ansible on Linux systems."
   company: "Access-InTech"
   license: "BSD, MIT"
   min_ansible_version: "2.11"
@@ -24,6 +24,5 @@ galaxy_info:
   galaxy_tags:
     - authorizedkeys
     - groups
-    - sudoers
     - system
     - users
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -1,12 +1,6 @@
 ---
 # tasks file for roles/user_management
 
-- name: "PACKAGE | sudo"
-  when: user_management_install_sudo
-  ansible.builtin.package:
-    name: sudo
-    state: present
-
 - name: "GROUP | Ensure default primary group is created"
   when: user_management_default_primary_group is defined and user_management_default_primary_group
   ansible.builtin.group:
@@ -46,19 +40,3 @@
       loop: "{{ user_management_users }}"
       ansible.builtin.include_tasks:
         file: manage_authorized_keys.yml
-
-- name: INCLUDE TASKS | 'manage_sudoers.yml' for groups
-  loop: "{{ user_management_sudoers_groups }}"
-  when:
-    - user_management_install_sudo
-    - user_management_manage_sudoers_groups
-  ansible.builtin.include_tasks:
-    file: manage_sudoers.yml
-
-- name: INCLUDE TASKS | 'manage_sudoers.yml' for users
-  loop: "{{ user_management_sudoers_users }}"
-  when:
-    - user_management_install_sudo
-    - user_management_manage_sudoers_users
-  ansible.builtin.include_tasks:
-    file: manage_sudoers.yml
diff --git a/tasks/manage_sudoers.yml b/tasks/manage_sudoers.yml
diff --git a/tests/output_sudoers_groups.yml b/tests/output_sudoers_groups.yml
diff --git a/tests/output_sudoers_users.yml b/tests/output_sudoers_users.yml
diff --git a/tests/test.yml b/tests/test.yml
@@ -15,22 +15,6 @@
         state: present
         ssh_public_keys:
           - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDW6k6qtP1YfJ7eOSN1zDf8C6lTJuV+ethOvEJwTKJrGoQrKKukVfedjUL+e7XMszVT57iiV8rC+syZsJ6wkwJR2ahOUlU9hACbRc+X5mmVROLKlO+NaxrbMzsTJXeCJK6Oo+05f2kSPqGfjV3CZSq4Xv5mUMhaDkGUg/rqG5BIdqFDwirqxbUbPOIYeosLT1tbgxHvOTwsUqulEZS5h8mOt1Hahi1ZrfUOyharJvpc5rzYk/hq1zwTXTNtArOLCaSbvY+o61BAsnQBzg6Z+Elyrox53kWW8c0MuG0iPfehqW20eE9xZVBQfwutLmMHMNeUD2UwLDfxnoVXIlgn5T4Z4F2uMyKWKl9IsoIuguizX98SuASEXg4wsAEf2MSCxwk7AGO3yCgqRsnm7sIEEdvxUIewcuZn1ZtN0c3UjcsqRnoXgBOXpynsRStdZTPTM+o1LGma+Wp8FkMH1ZnuQ+BrCQ1ENKcS4oeTcG91Ud9Yiu/qfWVU64RrYpz0JvHWoApdzM73Xro2Sz9BuQH5uSCIya8PNEqGdH1GRDxbDkv41+scWwq/5i5CSlWmNogU377tPld9hqJJA//eniErgKO/QSJKmaDDzFe+eQh6F2Kn/NUVKqbPHbDlkYAZGT37L5iCOG1By55wwnemz40GS2Wo+a4nViDJGhuFty+4yR8fWQ== ansible-playground_20231122_194549
-    user_management_manage_sudoers_users: true
-    user_management_sudoers_users:
-      - name: 30-john.doe
-        user: john.doe
-        commands:
-          - ALL
-        nopassword: true
-        state: present
-    user_management_manage_sudoers_groups: true
-    user_management_sudoers_groups:
-      - name: 20-playground
-        group: playground
-        commands:
-          - ALL
-        nopassword: true
-        state: present
 
   roles:
     - "../../user_management" # noqa: syntax-check[specific]
@@ -40,15 +24,3 @@
       when: user_management_users
       ansible.builtin.include_tasks:
         file: output_user_management_users.yml
-
-    - name: Include output tasks for sudoers user files
-      loop: "{{ user_management_sudoers_users }}"
-      when: user_management_manage_sudoers_users
-      ansible.builtin.include_tasks:
-        file: output_sudoers_users.yml
-
-    - name: Include output tasks for sudoers group files
-      loop: "{{ user_management_sudoers_groups }}"
-      when: user_management_manage_sudoers_groups
-      ansible.builtin.include_tasks:
-        file: output_sudoers_groups.yml