Remove role lmn_teacherlaptop and extend role lmn_security

- Add variable to configure sudo-program permissions (`sudo_permissions`) - Add variable to configure polkit-rules (`polkit_rules`) - Migrate sudo and polkit permissions from lmn_teacherlaptop role to inventory
2025-03-24 12:14:48 +01:00 · 2025-03-24 12:14:48 +01:00 · c4e35584bc
commit c4e35584bc
parent c00d5566dd
8 changed files with 506 additions and 485 deletions
--- a/roles/lmn_security/handlers/main.yml
+++ b/roles/lmn_security/handlers/main.yml
@ -3,3 +3,8 @@
    name: sshd
    state: reloaded
  when: not run_in_installer|default(false)|bool
+
+- name: Restart polkit
+  ansible.builtin.systemd:
+    name: polkit
+    state: restarted
--- a/roles/lmn_security/tasks/main.yml
+++ b/roles/lmn_security/tasks/main.yml
@ -28,3 +28,21 @@
      PasswordAuthentication no
      AllowUsers ansible
  notify: Reload sshd
+
+- name: Deploy sudo configurations
+  ansible.builtin.copy:
+    dest: /etc/sudoers.d/90-lmn-security
+    owner: root
+    group: root
+    mode: '0700'
+    content: |
+      {% for user, programs in sudo_permissions.items() %}
+      {{ user }} ALL=(root) NOPASSWD: {% for program in programs %}{{ program }}{% if not loop.last %}, {% endif %}{% endfor %}
+      {% endfor %}
+
+- name: Deploy polkit configurations
+  ansible.builtin.template:
+    src: polkit_rules.j2
+    dest: /etc/polkit-1/rules.d/lmn-security.rules
+    mode: '0644'
+  notify: Restart polkit
--- a/roles/lmn_security/templates/polkit_rules.j2
+++ b/roles/lmn_security/templates/polkit_rules.j2
@ -0,0 +1,12 @@
+// /etc/polkit-1/rules.d/lmn-security.rules
+
+polkit.addRule(function(action, subject) {
+{% for group, privlist in polkit_rules.items() %}
+    if (subject.isInGroup("{{ group }}")){
+    {% for priv in privlist %}
+        if (action.id == "{{ priv }}") { return polkit.Result.YES; }
+    {% endfor %}
+    }
+{% endfor %}
+});
+
--- a/roles/lmn_teacherlaptop/files/lmn-networkmanager.rules
+++ b/roles/lmn_teacherlaptop/files/lmn-networkmanager.rules
@ -1,6 +0,0 @@
-polkit.addRule(function(action, subject) {
-    if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
-        subject.isInGroup("role-teacher")) {
-            return polkit.Result.YES;
-    }
-});
--- a/roles/lmn_teacherlaptop/files/lmn-packagekit.rules
+++ b/roles/lmn_teacherlaptop/files/lmn-packagekit.rules
@ -1,9 +0,0 @@
-polkit.addRule(function(action, subject) {
-    if ((action.id == "org.freedesktop.packagekit.package-install" ||
-         action.id == "org.freedesktop.packagekit.package-reinstall" ||
-         action.id == "org.freedesktop.packagekit.system-update" ||
-         action.id == "org.freedesktop.packagekit.upgrade-system") &&
-         subject.isInGroup("role-teacher")) {
-            return polkit.Result.YES;
-    }
-});
--- a/roles/lmn_teacherlaptop/tasks/main.yml
+++ b/roles/lmn_teacherlaptop/tasks/main.yml
@ -1,19 +0,0 @@
---
- name: Copy polkit rule to allow install packages by role-teacher
-  ansible.builtin.copy:
-    src: "{{ item }}"
-    dest: /etc/polkit-1/rules.d/
-    mode: "0644"
-  loop:
-    - lmn-packagekit.rules
-    - lmn-networkmanager.rules
-
- name: Deploy sudo configurations (apt for role-teacher)
-  ansible.builtin.copy:
-    dest: /etc/sudoers.d/90-lmn-teacherlaptop
-    owner: root
-    group: root
-    mode: '0700'
-    content: |
-      %role-teacher ALL=(root) NOPASSWD: /usr/bin/apt
-      %role-teacher ALL=(root) NOPASSWD: /usr/sbin/cryptsetup