From 33f315334e4bd3b387737c8f223dfeff81812d29 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 26 Jan 2025 07:33:16 -0600
Subject: [PATCH] users: Configure sudo on some machines

`doas` is not available on Alma Linux, so we still have to use `sudo` on the VPS.
---
 group_vars/pyrocufflink/main.yml | 9 ---------
 group_vars/sudo.yml | 9 +++++++++
 hosts | 7 +++++++
 users.yml | 8 +++++++-
 4 files changed, 23 insertions(+), 10 deletions(-)
 create mode 100644 group_vars/sudo.yml

diff --git a/group_vars/pyrocufflink/main.yml b/group_vars/pyrocufflink/main.yml
index 49db7d7..0ace68b 100644
--- a/group_vars/pyrocufflink/main.yml
+++ b/group_vars/pyrocufflink/main.yml
@@ -16,13 +16,4 @@ root_authorized_keys: |
   ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBw1T18jnBfR5reKAACOs/LMcs+jbclj6Eh8z56kJE7+ dustin@luma
   {% endif %}
 
-sudo_use_pam_ssh_agent: true
-sudo_authorized_ssh_keys: |
-  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIF4yQAS0bAQ9Ymxgxv828MsX0z4ff/Fs//0PQOtPexRJAAAABHNzaDo= dustin@rosalina.pyrocufflink.blue
-  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINal4+Gn/KuyP6YTsQuW4cphfDcjrS428osVIqnqMfagAAAABHNzaDo= dustin@luma.pyrocufflink.blue
-  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDD3Ebb7dyEyCylgEjmhFxvGqbPkT+0KSpI+xEGXLFnn jenkins
-# Default flags include -n, which makes Ansible complain about a "missing
-# become password," even though it would never actually prompt for one.
-ansible_become_flags: -H
-
 fileserver_sftp_only_match: 'Group !server?admins,*'
diff --git a/group_vars/sudo.yml b/group_vars/sudo.yml
new file mode 100644
index 0000000..672410b
--- /dev/null
+++ b/group_vars/sudo.yml
@@ -0,0 +1,9 @@
+ansible_become_method: sudo
+sudo_use_pam_ssh_agent: true
+sudo_authorized_ssh_keys: |
+  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIF4yQAS0bAQ9Ymxgxv828MsX0z4ff/Fs//0PQOtPexRJAAAABHNzaDo= dustin@rosalina.pyrocufflink.blue
+  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINal4+Gn/KuyP6YTsQuW4cphfDcjrS428osVIqnqMfagAAAABHNzaDo= dustin@luma.pyrocufflink.blue
+  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDD3Ebb7dyEyCylgEjmhFxvGqbPkT+0KSpI+xEGXLFnn jenkins
+# Default flags include -n, which makes Ansible complain about a "missing
+# become password," even though it would never actually prompt for one.
+ansible_become_flags: -H
diff --git a/hosts b/hosts
index bf61b4a..ab46368 100644
--- a/hosts
+++ b/hosts
@@ -206,6 +206,10 @@ smtp1.pyrocufflink.blue
 
 [squid]
 
+[sudo:children]
+pyrocufflink
+vps
+
 [synapse]
 
 [unifi]
@@ -217,6 +221,9 @@ vmhost1.pyrocufflink.blue
 
 [vmagent:children]
 remote-blackbox
 
+[vps:children]
+hostvds
+
 [wheelhost]
 file0.pyrocufflink.blue
diff --git a/users.yml b/users.yml
index eef74fe..7c96f15 100644
--- a/users.yml
+++ b/users.yml
@@ -1,8 +1,14 @@
-- hosts: all
+- hosts: sudo
+  roles:
+    - role: sudo
+      tags:
+        - sudo
+- hosts: '!sudo'
   roles:
     - role: doas
       tags:
         - doas
+- hosts: all
   tasks:
     - name: ensure users exist
       user:
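Review bot: `ansible_become_method: sudo` in group_vars/sudo.yml only wins if no child group of `sudo` sets the same variable, because Ansible lets child-group vars (here `pyrocufflink`, and `vps`/`hostvds` per the hosts hunk) override the parent group's; the part of group_vars/pyrocufflink/main.yml above this commit's hunk is not visible, so it is worth confirming nothing there still sets `ansible_become_method`. The key list would also benefit from a line stating what it grants, since the variable name alone does not say: `# Keys accepted for sudo authentication via the SSH agent (assumed from the variable name); each one is passwordless root on every host in the sudo group.` The `jenkins` entry is a plain ed25519 key rather than a security-key type like the other two, so that comment is also the natural place to record where that private key is held and who rotates it.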
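Review bot: `[sudo:children]` puts the entire `pyrocufflink` group on sudo, not only the VPS that the commit message names; that matches where these variables lived before (group_vars/pyrocufflink/main.yml, removed in the first hunk), but a reader of the inventory cannot tell that, so a comment on the new group would help: `# Hosts that use sudo rather than doas for become; see group_vars/sudo.yml`. The `vps` group is introduced in the second hunk with `hostvds` as its only child, so the `vps` reference in `[sudo:children]` resolves only through that later section; as far as I know the INI inventory plugin does not require a group to be defined before it is referenced, but it is worth a quick `ansible-inventory --graph sudo` to confirm the expected membership.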
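Review bot: `- hosts: '!sudo'` relies on Ansible prepending `all` when a pattern consists only of an exclusion, which is correct but easy to misread as a typo; spelling it `- hosts: 'all:!sudo'` makes the intent explicit and behaves the same. A comment above that play tying it to the inventory would also help: `# Every host outside the sudo group (see [sudo:children] in hosts) gets doas instead.` The third play, `- hosts: all`, keeps the user tasks from the old single play, but its body continues past the end of the hunk, so whether those tasks carry a tag comparable to the new `sudo`/`doas` tags is not visible here.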