From 4b971b19fbae05fca0d3486d73b5f3ce36c5d6cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?=
Date: Thu, 9 Feb 2023 15:18:53 +0100
Subject: [PATCH] base: doas is used for evomaintenance, not sudo ; wheel group mustn't be sudo because we use the evolinux-sudo group
---
 CHANGELOG | 1 +
 roles/base/tasks/sudo.yml | 22 ----------------------
 2 files changed, 1 insertion(+), 22 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index a2a712c..e8137b5 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -69,6 +69,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Removed
 * openvpn: deleted this deprecated role ; use the one provided in the ansible-roles repo
+* base: doas is used for evomaintenance, not sudo ; wheel group mustn't be sudo because we use the evolinux-sudo group
 ## [21.12] - 2021-12-17
diff --git a/roles/base/tasks/sudo.yml b/roles/base/tasks/sudo.yml
index 698aa00..81cdfce 100644
--- a/roles/base/tasks/sudo.yml
+++ b/roles/base/tasks/sudo.yml
@@ -8,34 +8,12 @@
 tags:
 - sudo
-- name: "Allow wheel group to run command as root in sudo"
- lineinfile:
- dest: /etc/sudoers
- insertafter: '# and set environment variables.'
- line: "%wheel\tALL=(ALL) SETENV: ALL"
- validate: 'visudo -cf %s'
- backup: false
- tags:
- - sudo
-
-- name: "Delete line with space instead of tab"
- lineinfile:
- dest: /etc/sudoers
- line: "%wheel ALL=(ALL) SETENV: ALL"
- validate: 'visudo -cf %s'
- backup: false
- state: absent
- tags:
- - sudo
-
 - name: "Configure sudoers for evomaintenance and monitoring"
 blockinfile:
 state: present
 dest: /etc/sudoers
 insertafter: EOF
 block: |
- Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh
- %wheel ALL=NOPASSWD: MAINT
 %evolinux-sudo ALL=(ALL) SETENV: ALL
 validate: 'visudo -cf %s'
 backup: false
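Review bot: Dropping the "Allow wheel group to run command as root in sudo" task in roles/base/tasks/sudo.yml only stops Ansible from writing `%wheel\tALL=(ALL) SETENV: ALL`; on hosts provisioned before this commit the line stays in /etc/sudoers, so wheel members keep full root there even though the commit message says wheel must not be a sudo group. The space-separated variant is in the same position now that its `state: absent` task is deleted as well. I would replace the two deleted tasks with one cleanup task that removes either form by `regexp` with `state: absent`, validated with `visudo -cf %s` like the other tasks in this file, as sketched below. The `Cmnd_Alias MAINT` and `%wheel ALL=NOPASSWD: MAINT` lines are presumably rewritten on the next run because they sit inside the `blockinfile` block, but that depends on the block markers already on the hosts; the task that owns the hunk's first `tags:` line starts outside the hunk.

```yaml
- name: "Remove legacy wheel rule from sudoers"
  lineinfile:
    dest: /etc/sudoers
    regexp: '^%wheel\s+ALL=\(ALL\)\s+SETENV:\s+ALL\s*$'
    state: absent
    validate: 'visudo -cf %s'
    backup: false
  tags:
    - sudo
```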