From ae33fefaafd01c57391768de546040ae69004c3d Mon Sep 17 00:00:00 2001
From: Ricard Illa
Date: Tue, 30 Aug 2022 18:26:16 +0200
Subject: [PATCH] adjusted users to match caladan

---
 deploy.yml                       | 5 +++++
 hosts.yml                        | 2 +-
 roles/users/tasks/ansible.yml    | 1 -
 roles/users/tasks/main.yml       | 9 +++++++++
 roles/users/tasks/rilla.yml      | 11 ++++++++++-
 roles/users/tasks/woodpecker.yml | 11 ++++++++++-
 6 files changed, 35 insertions(+), 4 deletions(-)

diff --git a/deploy.yml b/deploy.yml
index 2b142c0..b2c2f42 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -22,5 +22,10 @@
   become_method: doas
   roles:
     - basic
+    - users
   vars:
+    users:
+      - rilla
+      - ansible
+      - woodpecker
     use_lbu: false
diff --git a/hosts.yml b/hosts.yml
index 577d846..dd6878e 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -9,6 +9,6 @@ all:
     caladan:
       ansible_host: caladan
-      ansible_user: rilla
+      ansible_user: ansible
       ansible_port: 22
       ansible_python_interpreter: /usr/bin/python3
 
diff --git a/roles/users/tasks/ansible.yml b/roles/users/tasks/ansible.yml
index ef9deaf..f76c1d6 100644
--- a/roles/users/tasks/ansible.yml
+++ b/roles/users/tasks/ansible.yml
@@ -11,7 +11,6 @@
     home: /var/lib/ansible
     password: "*" # disabled password but can be accessed with SSH
     groups:
-      - ansible
       - wheel
 
 - name: make sure ansible owns its home
diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml
index 174d952..c634162 100644
--- a/roles/users/tasks/main.yml
+++ b/roles/users/tasks/main.yml
@@ -1,3 +1,12 @@
+- name: create group 'deploy'
+  group:
+    name: deploy
+    gid: 700
+
+- name: determine available groups
+  getent:
+    database: group
+
 - name: create users
   include_tasks: "{{ username }}.yml"
   loop: "{{ users }}"
diff --git a/roles/users/tasks/rilla.yml b/roles/users/tasks/rilla.yml
index e4d15fe..0efc188 100644
--- a/roles/users/tasks/rilla.yml
+++ b/roles/users/tasks/rilla.yml
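Review bot: The new `users` role is added after `basic` with no docker-related role anywhere in the play, yet the per-user task files in this commit grant the `docker` group only `when: item in ansible_facts.getent_group`; if docker is installed by something outside this play, the first run silently skips that membership and a second run is needed. That dependency is invisible from deploy.yml, so record it on the new entry, e.g. `- users  # docker membership is applied only if the docker group already exists (see roles/users/tasks)`. The play definition starts before this hunk.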
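Review bot: Switching `ansible_user` to `ansible` makes every play against caladan depend on that account already existing, including the play in this commit that creates it through the `users` role, so a fresh host can no longer be bootstrapped from this inventory as-is. The account is SSH-only (`password: "*"`) and in `wheel`, which is the right shape for an automation login, but with `become_method: doas` the wheel rule (not in this diff) must then allow escalation without a password, and the ordering should be written down, e.g. `ansible_user: ansible  # created by roles/users; bootstrap a new host with -u rilla`. The inventory continues outside this hunk.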
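Review bot: `gid: 700` pins a numeric id with no comment saying why; if a `deploy` group already exists on a host under another gid, the `group` module modifies the gid rather than failing, which can orphan files owned by the old id. Add a why-comment, e.g. `gid: 700  # pinned so deploy-owned files keep the same gid on every host`, or drop the pin if nothing depends on it. The `getent` task's output is consumed only indirectly, by the included per-user files via `ansible_facts.getent_group`; a comment such as `# populates ansible_facts.getent_group for the optional-group checks in <user>.yml` would make that coupling and the required ordering before `include_tasks` visible.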
@@ -10,9 +10,18 @@
     group: rilla
     home: /home/rilla
     groups:
-      - rilla
+      - deploy
       - wheel
 
+- name: additional groups to rilla
+  user:
+    name: rilla
+    groups: "{{item}}"
+    append: yes
+  when: item in ansible_facts.getent_group
+  with_items:
+    - docker
+
 - name: make sure rilla owns its home
   file:
     state: directory
diff --git a/roles/users/tasks/woodpecker.yml b/roles/users/tasks/woodpecker.yml
index 9fe26a3..c237f2d 100644
--- a/roles/users/tasks/woodpecker.yml
+++ b/roles/users/tasks/woodpecker.yml
@@ -11,7 +11,16 @@
     home: /var/lib/woodpecker
     password: "*" # disabled password but can be accessed with SSH
     groups:
-      - woodpecker
+      - deploy
+
+- name: additional groups to woodpecker
+  user:
+    name: woodpecker
+    groups: "{{item}}"
+    append: yes
+  when: item in ansible_facts.getent_group
+  with_items:
+    - docker
 
 - name: make sure woodpecker owns its home
   file:
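Review bot: The new task puts `rilla` into `docker` whenever that group exists, and the woodpecker hunk does the same for the `woodpecker` service account; `docker` group membership is widely documented as root-equivalent on the host, so this widens the impact of a compromised CI or user account far beyond the `deploy` group the commit otherwise introduces. If the goal is only to run containers, consider rootless docker or a narrower mechanism, and at minimum record the decision on the task, e.g. `# NOTE: docker group is root-equivalent; granted deliberately for <reason>`. In both files `append: yes` should be `append: true` (yamllint truthy) and `{{item}}` should be `{{ item }}` to match `{{ username }}` in main.yml. The `user:` task whose `groups:` list this hunk edits starts before the hunk.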
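Review bot: The edited `user:` task now pins `groups:` to `deploy` and, if it does not set `append` (its head is outside the hunk), every run first strips `docker` from `woodpecker` and the new task re-adds it, so both tasks report changed on each run and the membership flaps between them; the rilla hunk has the same shape. Either set `append: true` on the first task or express the optional group in a single `groups:` list, e.g. `groups: "{{ ['deploy'] + (['docker'] if 'docker' in ansible_facts.getent_group else []) }}"`, which also removes the second task. The new task uses `with_items` while main.yml uses `loop`; prefer `loop` for consistency.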