Stricter ssh and doas access - two separate groups actually needed

Fix #34 again

After some discussions, with actually need two separates groups :
- One group for ssh access (evobsd_ssh_group)
- One group for sudo/doas access (evobsd_sudo_group)

We won't need any client group. A client user will be added to the ssh group,
so that we won't have to think about what specific group a user need to be
added in.

roles/accounts/tasks/main.yml

@@ -1,7 +1,12 @@
 ---
-- name: "Create {{ evobsd_group }} group"
+- name: "Create {{ evobsd_ssh_group }} group"
   group:
-    name: "{{ evobsd_group }}"
+    name: "{{ evobsd_ssh_group }}"
+    system: true
+
+- name: "Create {{ evobsd_sudo_group }} group"
+  group:
+    name: "{{ evobsd_sudo_group }}"
     system: true
 
 - name: Create user accounts
@@ -35,10 +40,10 @@
     ssh_allowgroups:
       "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
 
-- name: "Add AllowGroups sshd directive with '{{ evobsd_group }}'"
+- name: "Add AllowGroups sshd directive with '{{ evobsd_ssh_group }}'"
   lineinfile:
     dest: /etc/ssh/sshd_config
-    line: "\nAllowGroups {{ evobsd_group }}"
+    line: "\nAllowGroups {{ evobsd_ssh_group }}"
     insertafter: 'Subsystem'
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
@@ -46,11 +51,11 @@
     - ssh_allowgroups
     - grep_allowgroups_ssh.rc == 1
 
-- name: "Append '{{ evobsd_group }}' to AllowGroups sshd directive"
+- name: "Append '{{ evobsd_ssh_group }}' to AllowGroups sshd directive"
   replace:
     dest: /etc/ssh/sshd_config
-    regexp: '^(AllowGroups ((?!\b{{ evobsd_group }}\b).)*)$'
-    replace: '\1 {{ evobsd_group }}'
+    regexp: '^(AllowGroups ((?!\b{{ evobsd_ssh_group }}\b).)*)$'
+    replace: '\1 {{ evobsd_ssh_group }}'
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
   when:
@@ -64,7 +69,7 @@
     block: |
       Match Address {{ evolix_trusted_ips | join(',') }}
           PasswordAuthentication yes
-      Match Group {{ evobsd_group }}
+      Match Group {{ evobsd_ssh_group }}
           PasswordAuthentication no
     insertafter: EOF
     validate: '/usr/sbin/sshd -t -f %s'

roles/accounts/tasks/user.yml

@@ -38,10 +38,18 @@
   tags:
     - admin
 
-- name: "Add {{ user.name }} to {{ evobsd_group }} group"
+- name: "Add {{ user.name }} to {{ evobsd_ssh_group }} group"
   user:
     name: "{{ user.name }}"
-    groups: "{{ evobsd_group }}"
+    groups: "{{ evobsd_ssh_group }}"
+    append: true
+  tags:
+    - admin
+
+- name: "Add {{ user.name }} to {{ evobsd_sudo_group }} group"
+  user:
+    name: "{{ user.name }}"
+    groups: "{{ evobsd_sudo_group }}"
     append: true
   tags:
     - admin

roles/base/templates/doas.conf.j2

@@ -1,7 +1,7 @@
 # {{ ansible_managed }}
-permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_group }}
+permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_sudo_group }}
 permit nopass root
-permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_group }} as root cmd /usr/share/scripts/evomaintenance.sh
+permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_sudo_group }} as root cmd /usr/share/scripts/evomaintenance.sh
 permit nopass _collectd as root cmd /bin/cat
 permit nopass _collectd as root cmd /usr/sbin/bgpctl
 permit nopass _nrpe as root cmd /sbin/bioctl args sd2

vars/main.yml

@@ -24,7 +24,8 @@
 # evomaintenance_urgency_from: mama.doe@example.com
 # evomaintenance_urgency_tel: "06.00.00.00.00"
 #
-evobsd_group: "evolix"
+# evobsd_ssh_group: "foo-ssh"
+# evobsd_sudo_group: "foo-sudo"
 #
 # evolix_users:
 #  foo: