diff --git a/CHANGELOG b/CHANGELOG
index 6e8949a..331f534 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -38,6 +38,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - base: loop over fstab entries instead of copying the same task for each entries
 - etc-git: do not erase custom entries of servers in .gitignore files
 - nagios-nrpe: check_disk1 returns only alerts
+- base: do not erase custom configuration of servers in doas.conf
 ### Fixed
diff --git a/roles/base/tasks/doas.yml b/roles/base/tasks/doas.yml
index 134a568..64df900 100644
--- a/roles/base/tasks/doas.yml
+++ b/roles/base/tasks/doas.yml
@@ -1,11 +1,29 @@
 ---
 - name: "Configure doas"
-  template:
-    src: doas.conf.j2
+  blockinfile:
     dest: /etc/doas.conf
     owner: root
     group: wheel
     mode: "0640"
-    backup: false
+    create: yes
+    marker: "# {mark} ANSIBLE MANAGED BLOCK FROM EVOBSD"
+    block: |
+      permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_sudo_group }}
+      permit nopass root
+      permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_ssh_group }} as root cmd /usr/share/scripts/evomaintenance.sh
+      permit nopass _collectd as root cmd /bin/cat
+      permit nopass _collectd as root cmd /usr/sbin/bgpctl
+      permit nopass _nrpe as root cmd /sbin/bioctl args sd2
+      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_mailq.pl
+      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl.sh
+      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd_simple
+      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd
+      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospf6d
+      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openbgpd
+      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_pf_states
+      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_connections_state.sh
+      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_packetfilter.sh
+      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl_critiques.sh
+      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh
   tags:
     - doas
diff --git a/roles/base/templates/doas.conf.j2 b/roles/base/templates/doas.conf.j2
deleted file mode 100644
index 4683d0f..0000000
--- a/roles/base/templates/doas.conf.j2
+++ /dev/null
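Review bot: On hosts already provisioned by the old template, `blockinfile` at `+ block: |` will only append its marked block to the existing `/etc/doas.conf` — nothing removes the unmarked rules the template wrote (including the `bioctl args sd0` rule the new block drops), so those hosts keep the stale ruleset above the managed block, and because doas takes the last matching rule the two halves interact in ways an admin reading only the managed block will not expect; a one-off migration (e.g. replacing a file whose first line is the old `# Ansible managed` header, or a `replace` pass over the old rules) is needed before this task is safe on existing servers. Since the file now merges local edits with the managed block, add `validate: "doas -C %s"` so a syntax error in either half is never written to disk — doas refuses every request on an unparsable config, which locks admins out of root. `create: yes` should be `create: true`, and `dest:` is the older alias for `path:`. If dropping the `sd0` rule is intentional, the changelog entry should say so.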
@@ -1,19 +0,0 @@
-# {{ ansible_managed }}
-permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_sudo_group }}
-permit nopass root
-permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_ssh_group }} as root cmd /usr/share/scripts/evomaintenance.sh
-permit nopass _collectd as root cmd /bin/cat
-permit nopass _collectd as root cmd /usr/sbin/bgpctl
-permit nopass _nrpe as root cmd /sbin/bioctl args sd0
-permit nopass _nrpe as root cmd /sbin/bioctl args sd2
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_mailq.pl
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl.sh
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd_simple
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospf6d
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openbgpd
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_pf_states
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_connections_state.sh
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_packetfilter.sh
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl_critiques.sh
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh