+ set sudo commands for user

2024-10-28 17:41:19 +01:00 · 2024-10-28 17:41:19 +01:00 · c606a745bb
commit c606a745bb
parent e446123f46
5 changed files with 45 additions and 6 deletions
--- a/tasks/install_acmesh.yml
+++ b/tasks/install_acmesh.yml
@ -25,3 +25,5 @@
      --set-default-ca
      --server {{ acme_sh_default_ca_server | quote }}
    creates: "{{ acme_sh_home }}/ca_set_by_ansible"
+
+
--- a/tasks/issue_certs.yml
+++ b/tasks/issue_certs.yml
@ -9,21 +9,21 @@
  ansible.builtin.copy:
    content: "{{ item['pre_hook'] | default('') }}"
    dest: "{{ acme_sh_cert_home }}/{{ item['domains'][0] }}_ecc/pre_hook.sh"
-    mode: "755"
+    mode: "750"
  loop: "{{ acme_sh_domains }}"

 - name: Copy post_hooks
  ansible.builtin.copy:
    content: "{{ item['post_hook'] | default('')}}"
    dest: "{{ acme_sh_cert_home }}/{{ item['domains'][0] }}_ecc/post_hook.sh"
-    mode: "755"
+    mode: "750"
  loop: "{{ acme_sh_domains }}"

 - name: Copy update_hooks
  ansible.builtin.copy:
    content: "{{ item['renew_hook'] | default('')}}"
    dest: "{{ acme_sh_cert_home }}/{{ item['domains'][0] }}_ecc/renew_hook.sh"
-    mode: "755"
+    mode: "750"
  loop: "{{ acme_sh_domains }}"


--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@ -1,9 +1,10 @@
 ---
- name: Install git
+- name: Install git and acl
  become: true
  ansible.builtin.apt:
    name:
      - git
+      - acl
    state: present
    update_cache: yes

@ -20,6 +21,35 @@
    append: true
  when: acme_sh_user_groups|length > 0

+- name: Add custom sudoers content if provided
+  become: true
+  ansible.builtin.copy:
+    content: "{{ acme_sh_user_sudoers_file_contents }}"
+    dest: "/etc/sudoers.d/{{ acme_sh_user_sudoers_file }}"
+    mode: "0440"
+    validate: "visudo -cf %s"
+  when: acme_sh_user_sudoers_file_contents | length > 0
+
+- name: Ensure sudoers file exists
+  become: true
+  ansible.builtin.file:
+    path: "/etc/sudoers.d/{{ acme_sh_user_sudoers_file }}"
+    state: touch
+    mode: "0440"
+  when: acme_sh_user_sudoers_file_contents | default('') == ""
+
+- name: Add commands to sudoers file for acme_user
+  become: true
+  ansible.builtin.lineinfile:
+    path: "/etc/sudoers.d/{{ acme_sh_user_sudoers_file }}"
+    create: true
+    line: "{{ acme_sh_user }} ALL=(ALL) NOPASSWD: {{ item }}"
+    validate: "visudo -cf %s"
+  loop: "{{ acme_sh_user_sudo_commands }}"
+  when:
+    - acme_sh_user_sudo_commands | length > 1
+    - acme_sh_user_sudoers_file_contents | default('') == ""
+
 - name: Install acme.sh
  become: true
  become_user: "{{ acme_sh_user }}"