From 4e595b4fa76b55a5fdaaf257f1362ce981ebb67c Mon Sep 17 00:00:00 2001 From: jakub Date: Thu, 11 Sep 2025 16:54:57 +0000 Subject: [PATCH] Update users-ssh.yml --- users-ssh.yml | 45 +++++++++++++++++++++++++++++++-------------- 1 file changed, 31 insertions(+), 14 deletions(-) diff --git a/users-ssh.yml b/users-ssh.yml index 24c5897..28b00c6 100644 --- a/users-ssh.yml +++ b/users-ssh.yml @@ -1,4 +1,5 @@ -- name: Ensure users exist and have SSH keys +# users-ssh-nopasswd.yml +- name: Ensure users, SSH keys, and passwordless sudo hosts: all become: true become_user: root @@ -6,27 +7,32 @@ vars: users: - - name: automation + - name: jakub shell: /bin/bash - groups: [sudo] # optional - password_lock: true # optional: no local password login + # optional extra groups you want besides sudo/wheel + groups: [] + sudo_nopasswd: true keys: - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEx+ltCKNIEM7F4PzGLv22cIu7N0Fpn5gxwV02xq0GS9 automation@im.cz" - # add more users like: - # - name: deploy - # keys: - # - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ... deploy@example" - tasks: - - name: Ensure user exists (creates home if missing) + - name: Pick sudo group per distro + ansible.builtin.set_fact: + sudo_group: "{{ 'wheel' if ansible_facts.os_family in ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse'] else 'sudo' }}" + + - name: Ensure user exists (creates home) ansible.builtin.user: name: "{{ item.name }}" shell: "{{ item.shell | default('/bin/bash') }}" - groups: "{{ (item.groups | default([])) | join(',') if (item.groups | default([])) else omit }}" + groups: >- + {{ ( + (item.groups | default([])) + + ([sudo_group] if item.sudo_nopasswd | default(false) else []) + ) | unique | join(',') if + ((item.groups | default([])) | length > 0) or (item.sudo_nopasswd | default(false)) + else omit }} append: true create_home: true - password_lock: "{{ item.password_lock | default(omit) }}" state: present loop: "{{ users }}" 
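Review bot: The new header comment `# users-ssh-nopasswd.yml` names a file that does not match the file this patch edits (`users-ssh.yml` in the diff header), so a reader grepping for the playbook by name will be misled. Either rename the file in the same change or make the comment describe the play instead, e.g. `# Creates users, installs their SSH keys and optionally grants passwordless sudo`.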
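Review bot: The `Ensure user exists` task only ever adds privileges: with `append: true`, a user whose `sudo_nopasswd` is later set to false keeps the `sudo`/`wheel` membership, and the matching `/etc/sudoers.d/<name>` file written in the last hunk is never removed either, so the play cannot revoke the grant it made. A companion task using `ansible.builtin.file` with `path: "/etc/sudoers.d/{{ item.name }}"`, `state: absent` and `when: not (item.sudo_nopasswd | default(false))` would make the flag symmetric, and group membership would need its own removal path or `append` dropped for the managed groups. Separately, `Rocky`, `AlmaLinux` and `OracleLinux` in the `sudo_group` test appear to be distribution names rather than `ansible_facts.os_family` values (those distributions report `RedHat`), so the list can likely be trimmed to `RedHat` and `Suse`; confirm against a fact dump before simplifying. The `groups: >-` block scalar in this hunk lost its line markers in this rendering, so its exact layout could not be reviewed.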
@@ -35,5 +41,16 @@
 user: "{{ item.0.name }}"
 key: "{{ item.1 }}"
 state: present
- manage_dir: true # ensures ~/.ssh exists with correct perms
- loop: "{{ users | subelements('keys', skip_missing=True) }}"
\ No newline at end of file
+ manage_dir: true
+ loop: "{{ users | subelements('keys', skip_missing=True) }}"
+
+ - name: Grant passwordless sudo via sudoers.d
+ ansible.builtin.copy:
+ dest: "/etc/sudoers.d/{{ item.name }}"
+ owner: root
+ group: root
+ mode: '0440'
+ content: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
+ validate: 'visudo -cf %s'
+ when: item.sudo_nopasswd | default(false)
+ loop: "{{ users }}"
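Review bot: The sudoers drop-in is keyed on the raw user name: `dest: "/etc/sudoers.d/{{ item.name }}"` yields a file that sudo silently ignores when the name contains a `.` (sudoers.d skips entries containing a dot or ending in `~`), and the same unvalidated name is interpolated into `content`, so a name with whitespace or sudoers syntax produces a different rule than intended while `visudo -cf` only catches syntax errors. Derive the file name through a filter such as `{{ item.name | replace('.', '_') }}`, and consider an up-front `ansible.builtin.assert` that each `item.name` matches a constructed pattern like `^[a-z_][a-z0-9_-]*$` before any file is written. Terminate the rule with a newline, `content: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL\n"`, as sudoers files are conventionally line-terminated and some tooling complains otherwise. Since `NOPASSWD:ALL` is an unattended full-root grant, the task or the `users` vars block should carry a comment stating that `sudo_nopasswd: true` means exactly that, so it is not enabled per user without intent.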