Diffstat (limited to 'terraform/ansible/roles/superusers/tasks')
-rw-r--r--terraform/ansible/roles/superusers/tasks/adjust-group.yml21
-rw-r--r--terraform/ansible/roles/superusers/tasks/main.yml31
2 files changed, 52 insertions, 0 deletions
diff --git a/terraform/ansible/roles/superusers/tasks/adjust-group.yml b/terraform/ansible/roles/superusers/tasks/adjust-group.yml
new file mode 100644
index 0000000..32666ad
--- /dev/null
+++ b/terraform/ansible/roles/superusers/tasks/adjust-group.yml
@@ -0,0 +1,21 @@
+- vars:
+ members: "{{ getent_group[group][2].split(',') if group in getent_group else [] }}"
+ to_add: "{{ usernames | intersect(superusers) | difference(members) }}"
+ to_remove: "{{ members | difference(superusers) }}"
+ tags: superusers
+ block:
+ - debug: var=group
+ - debug: var=to_add
+ - debug: var=to_remove
+
+ - name: gpasswd --add
+ with_items: "{{ to_add }}"
+ when: (item|length) > 0
+ become: yes
+ shell: "gpasswd --add {{ item }} {{ group }}"
+
+ - name: gpasswd --delete
+ with_items: "{{ to_remove }}"
+ when: (item|length) > 0
+ become: yes
+ shell: "gpasswd --delete {{ item }} {{ group }}"
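Review bot: Both the `gpasswd --add` and `gpasswd --delete` tasks interpolate `{{ item }}` and `{{ group }}` into `shell:`, so the values reach a shell rather than being passed as argv; `item` is taken from the keys of the `users` variable and, for `to_remove`, from the member field of the `getent group` output, so a name containing shell metacharacters would be executed instead of quoted. No shell features are used here, so the safer form is `command: gpasswd --add {{ item | quote }} {{ group | quote }}` (and the same for `--delete`), or replacing both tasks with the `user` module's `groups`/`append` handling. A comment above `members:` explaining that `''.split(',')` yields `['']` and is why the `when: (item|length) > 0` guard exists would help the next reader. `become: yes` would read as `become: true` under yamllint's truthy rule.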
diff --git a/terraform/ansible/roles/superusers/tasks/main.yml b/terraform/ansible/roles/superusers/tasks/main.yml
new file mode 100644
index 0000000..70623a0
--- /dev/null
+++ b/terraform/ansible/roles/superusers/tasks/main.yml
@@ -0,0 +1,31 @@
+---
+- tags: superusers
+ block:
+ - name: getent passwd
+ getent:
+ database: passwd
+
+ - name: getent group
+ getent:
+ database: group
+
+# NOTE: Accounts are added by the luser module.
+- tags: superusers
+ vars:
+ usernames: "{{ users|dict2items|map(attribute='key')|list }}"
+ unix_groups:
+ - sudo
+ - systemd-journal
+ with_items: "{{ unix_groups }}"
+ loop_control:
+ loop_var: group
+ include_tasks: adjust-group.yml
+
+- name: "Allow 'sudo' group to have passwordless sudo"
+ tags: superusers
+ become: yes
+ lineinfile:
+ dest: /etc/sudoers
+ state: present
+ regexp: '^%sudo'
+ line: '%sudo ALL=(ALL) NOPASSWD: ALL'
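Review bot: The `lineinfile` task that rewrites /etc/sudoers carries no `validate:`, so a typo in `line:` or a later edit would be written unchecked and break sudo for every account on the host; add `validate: 'visudo -cf %s'` under `lineinfile:` so the new content is syntax-checked before the file is replaced. `dest:` is an alias of `path:` and `become: yes` reads as `become: true` under yamllint's truthy rule. The comment `Accounts are added by the luser module.` names a module that is not visible in this diff; if that is a typo for the `user` module it is worth fixing so the dependency is clear.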