Merge pull request #22 from Zuehlke/feature/correct-sudo-usage

tknerr · web-flow · commit 8d39f758ea3f · 2021-07-04T15:09:41.000+02:00
Revert to natural become / sudo usage (least privilege by default)
diff --git a/roles/ansible-lint/tasks/main.yml b/roles/ansible-lint/tasks/main.yml
@@ -4,4 +4,5 @@
   pip:
     name: ansible-lint
     version: 5.0.12
-    state: present
+    state: present
+  become: yes
diff --git a/roles/bashrc_d/tasks/main.yml b/roles/bashrc_d/tasks/main.yml
@@ -4,8 +4,6 @@
     path: ~/.bashrc.d
     state: directory
     mode: 0755
-  become: yes
-  become_user: "{{ ansible_env.SUDO_USER }}"
 
 - name: Setup ~/.bashrc to load .bash files from ~/.bashrc.d
   blockinfile:
@@ -15,6 +13,4 @@
       for config in "$HOME"/.bashrc.d/*.bash ; do
         . "$config"
       done
-      unset -v config
-  become: yes
-  become_user: "{{ ansible_env.SUDO_USER }}"
+      unset -v config
diff --git a/roles/cache/tasks/main.yml b/roles/cache/tasks/main.yml
@@ -9,8 +9,10 @@
       d {{ download_cache_dir }} 1777 root root -
     dest: /etc/tmpfiles.d/downloads.conf
     mode: 0644
+  become: yes
 
 - name: Ensure {{ download_cache_dir }} is created
   command:
     cmd: systemd-tmpfiles --create
     creates: "{{ download_cache_dir }}"
+  become: yes
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
@@ -13,9 +13,11 @@
     deb: "{{ download_cache_dir }}/{{ item.deb_file }}"
     state: present
   with_items: "{{ docker_deb_packages }}"
+  become: yes
 
 - name: Add VM user to 'docker' group
   user:
-    name: "{{ ansible_env.SUDO_USER }}"
+    name: "{{ ansible_env.USER }}"
     groups: docker
-    append: yes
+    append: yes
+  become: yes
diff --git a/roles/git/tasks/main.yml b/roles/git/tasks/main.yml
@@ -4,14 +4,13 @@
   apt:
     name: git
     state: present
+  become: yes
 
 - name: Set up the PS1 shell prompt for Git
   copy:
     src: git-ps1.bash
     dest: ~/.bashrc.d/git-ps1.bash
     mode: 0644
-  become: yes
-  become_user: "{{ ansible_env.SUDO_USER }}"
 
 - name: Supply default configuration entries in ~/.gitconfig
   git_config:
@@ -31,6 +30,4 @@
     alias.slog: log --pretty=oneline --abbrev-commit
     alias.graph: log --all --oneline --graph --decorate
     alias.stash-all: stash save --include-untracked
-    alias.prune: fetch --prune
-  become: yes
-  become_user: "{{ ansible_env.SUDO_USER }}"
+    alias.prune: fetch --prune
diff --git a/roles/readme/handlers/main.yml b/roles/readme/handlers/main.yml
@@ -3,4 +3,5 @@
 - name: restart display-manager
   systemd:
     name: display-manager
-    state: restarted
+    state: restarted
+  become: yes
diff --git a/roles/readme/tasks/main.yml b/roles/readme/tasks/main.yml
@@ -5,19 +5,16 @@
     state: present
   notify:
     - restart display-manager
+  become: yes
 
 - name: Ensure the ~/Desktop directory exists
   file:
     path: ~/Desktop
     state: directory
     mode: 0755
-  become: yes
-  become_user: "{{ ansible_env.SUDO_USER }}"
 
 - name: Create the README file on the Desktop
   copy:
     src: README.md
     dest: ~/Desktop/README.md
     mode: 0644
-  become: yes
-  become_user: "{{ ansible_env.SUDO_USER }}"
diff --git a/roles/testinfra/tasks/main.yml b/roles/testinfra/tasks/main.yml
@@ -5,9 +5,11 @@
     name: pytest-testinfra
     version: 6.3.0
     state: present
+  become: yes
 
 - name: Install pytest-spec formatter at version 3.2.0
   pip:
     name: pytest-spec
     version: 3.2.0
-    state: present
+    state: present
+  become: yes
diff --git a/roles/vscode/tasks/main.yml b/roles/vscode/tasks/main.yml
@@ -11,19 +11,16 @@
   apt:
     deb: "{{ download_cache_dir }}/vscode-{{ vscode_version }}.deb"
     state: present
+  become: yes
 
 - name: List VSCode Extensions
   command:
     cmd: code --list-extensions
   register: vscode_installed_extensions
   changed_when: false
-  become: yes
-  become_user: "{{ ansible_env.SUDO_USER }}"
 
 - name: Install VSCode Extensions
   command:
     cmd: code --install-extension "{{ item }}"
   with_items: "{{ vscode_extensions }}"
   when: not vscode_installed_extensions is search(item)
-  become: yes
-  become_user: "{{ ansible_env.SUDO_USER }}"
diff --git a/scripts/update-vm.sh b/scripts/update-vm.sh
@@ -61,7 +61,7 @@ update_vm() {
   local extra_vars=$([[ -f "site.local.yml" ]] && echo "--extra-vars @site.local.yml" || echo "")
 
   step "trigger the Ansible run with $role_tags and $extra_vars"
-  /usr/local/bin/ansible-playbook -i "localhost," -b -c local site.yml -vv $role_tags $extra_vars
+  /usr/local/bin/ansible-playbook -i "localhost," -c local site.yml -vv $role_tags $extra_vars
 }
 
 verify_vm() {
diff --git a/site.yml b/site.yml
@@ -6,6 +6,7 @@
       apt:
         update_cache: yes
         cache_valid_time: 3600
+      become: yes
 
 - hosts: localhost
   roles:

Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ update_vm() {`
`61`	`61`	`local extra_vars=$([[ -f "site.local.yml" ]] && echo "--extra-vars @site.local.yml" \|\| echo "")`
`62`	`62`
`63`	`63`	`step "trigger the Ansible run with $role_tags and $extra_vars"`
`64`		`- /usr/local/bin/ansible-playbook -i "localhost," -b -c local site.yml -vv $role_tags $extra_vars`
	`64`	`+ /usr/local/bin/ansible-playbook -i "localhost," -c local site.yml -vv $role_tags $extra_vars`
`65`	`65`	`}`
`66`	`66`
`67`	`67`	`verify_vm() {`