users: Configure sudo on some machines

`doas` is not available on Alma Linux, so we still have to use `sudo` on
the VPS.
dynamic-inventory
Dustin 2025-01-26 07:33:16 -06:00
parent 319cc80a9f
commit 33f315334e
4 changed files with 23 additions and 10 deletions


@ -16,13 +16,4 @@ root_authorized_keys: |
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBw1T18jnBfR5reKAACOs/LMcs+jbclj6Eh8z56kJE7+ dustin@luma ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBw1T18jnBfR5reKAACOs/LMcs+jbclj6Eh8z56kJE7+ dustin@luma
{% endif %} {% endif %}
sudo_use_pam_ssh_agent: true
sudo_authorized_ssh_keys: |
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIF4yQAS0bAQ9Ymxgxv828MsX0z4ff/Fs//0PQOtPexRJAAAABHNzaDo= dustin@rosalina.pyrocufflink.blue
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINal4+Gn/KuyP6YTsQuW4cphfDcjrS428osVIqnqMfagAAAABHNzaDo= dustin@luma.pyrocufflink.blue
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDD3Ebb7dyEyCylgEjmhFxvGqbPkT+0KSpI+xEGXLFnn jenkins
# Default flags include -n, which makes Ansible complain about a "missing
# become password," even though it would never actually prompt for one.
ansible_become_flags: -H
fileserver_sftp_only_match: 'Group !server?admins,*' fileserver_sftp_only_match: 'Group !server?admins,*'

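--- /dev/null
+++ b/group_vars/sudo.yml
@@ -0,0 +1,9 @@
+ansible_become_method: sudo
+sudo_use_pam_ssh_agent: true
+sudo_authorized_ssh_keys: |
+  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIF4yQAS0bAQ9Ymxgxv828MsX0z4ff/Fs//0PQOtPexRJAAAABHNzaDo= dustin@rosalina.pyrocufflink.blue
+  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINal4+Gn/KuyP6YTsQuW4cphfDcjrS428osVIqnqMfagAAAABHNzaDo= dustin@luma.pyrocufflink.blue
+  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDD3Ebb7dyEyCylgEjmhFxvGqbPkT+0KSpI+xEGXLFnn jenkins
+# Default flags include -n, which makes Ansible complain about a "missing
+# become password," even though it would never actually prompt for one.
+ansible_become_flags: -H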
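Review bot: The `jenkins` entry in `sudo_authorized_ssh_keys` is a plain `ssh-ed25519` key, unlike the two `sk-ssh-ed25519@openssh.com` (FIDO) entries above it, so whoever holds that CI private key gets password-less root via sudo on every host in the `sudo` group with no touch/presence check; that deserves a comment beside the key, e.g. `# jenkins: software key, no presence check - possession of it is root on every sudo host`. Also, `ansible_become_flags: -H` drops `-S` as well as `-n`, so when pam_ssh_agent_auth cannot authenticate (no forwarded agent, key not loaded) sudo will presumably fall back to a password prompt and the task is likely to hang until it times out instead of failing fast; the existing comment should say so, e.g. `# Without -n a failed agent check falls through to a password prompt, so a missing agent hangs the task rather than failing.`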

hosts

@ -206,6 +206,10 @@ smtp1.pyrocufflink.blue
[squid] [squid]
[sudo:children]
pyrocufflink
vps
[synapse] [synapse]
[unifi] [unifi]
@ -217,6 +221,9 @@ vmhost1.pyrocufflink.blue
[vmagent:children] [vmagent:children]
remote-blackbox remote-blackbox
[vps:children]
hostvds
[wheelhost] [wheelhost]
file0.pyrocufflink.blue file0.pyrocufflink.blue
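Review bot: `[sudo:children]` puts the whole `pyrocufflink` group on sudo, not only `vps`, which goes further than the AlmaLinux/VPS rationale in the commit message; a comment on the group explaining why those hosts switch from doas to sudo would help, e.g. `# hosts that get the sudo role (and ansible_become_method: sudo) instead of doas`. Because `group_vars/sudo.yml` binds the become method and the agent-authorised root keys to this group, membership here is effectively the list of hosts on which those keys are root, so it should stay deliberate rather than grow by accident.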


@ -1,8 +1,14 @@
- hosts: all - hosts: sudo
roles:
- role: sudo
tags:
- sudo
- hosts: '!sudo'
roles: roles:
- role: doas - role: doas
tags: tags:
- doas - doas
- hosts: all
tasks: tasks:
- name: ensure users exist - name: ensure users exist
user: user:
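Review bot: Hosts now in the `sudo` group stop receiving the `doas` role (`hosts: '!sudo'`), but nothing in the new `sudo` play removes the doas package or `doas.conf` that earlier runs of the `all`-scoped play would have installed, so if any of those hosts were previously managed this way they keep a second, now unmanaged, privilege-escalation path; either add a cleanup task to the `sudo` play or record in a comment that the leftover is intentional. A smaller point: `hosts: '!sudo'` relies on Ansible expanding a bare exclusion to `all:!sudo`, and writing `hosts: 'all:!sudo'` makes that explicit. The closing `hosts: all` play's task list continues past the end of the hunk.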