From 9a4a906b235c4024a8e21696c235f8e0934813ba Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Thu, 11 Aug 2022 16:12:48 +0200
Subject: [PATCH] base: do not erase custom configuration of servers in doas.conf

---
CHANGELOG | 1 +
roles/base/tasks/doas.yml | 24 +++++++++++++++++++++---
roles/base/templates/doas.conf.j2 | 19 -------------------
3 files changed, 22 insertions(+), 22 deletions(-)
delete mode 100644 roles/base/templates/doas.conf.j2

diff --git a/CHANGELOG b/CHANGELOG
index 6e8949a..331f534 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -38,6 +38,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - base: loop over fstab entries instead of copying the same task for each entries
 - etc-git: do not erase custom entries of servers in .gitignore files
 - nagios-nrpe: check_disk1 returns only alerts
+- base: do not erase custom configuration of servers in doas.conf
 
 ### Fixed
 
diff --git a/roles/base/tasks/doas.yml b/roles/base/tasks/doas.yml
index 134a568..64df900 100644
--- a/roles/base/tasks/doas.yml
+++ b/roles/base/tasks/doas.yml
@@ -1,11 +1,29 @@
 ---
 - name: "Configure doas"
-  template:
-    src: doas.conf.j2
+  blockinfile:
     dest: /etc/doas.conf
     owner: root
     group: wheel
     mode: "0640"
-    backup: false
+    create: yes
+    marker: "# {mark} ANSIBLE MANAGED BLOCK FROM EVOBSD"
+    block: |
+      permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_sudo_group }}
+      permit nopass root
+      permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_ssh_group }} as root cmd /usr/share/scripts/evomaintenance.sh
+      permit nopass _collectd as root cmd /bin/cat
+      permit nopass _collectd as root cmd /usr/sbin/bgpctl
+      permit nopass _nrpe as root cmd /sbin/bioctl args sd2
+      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_mailq.pl
+      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl.sh
+      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd_simple
+      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd
+      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospf6d
+      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openbgpd
+      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_pf_states
+      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_connections_state.sh
+      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_packetfilter.sh
+      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl_critiques.sh
+      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh
   tags:
     - doas
diff --git a/roles/base/templates/doas.conf.j2 b/roles/base/templates/doas.conf.j2
deleted file mode 100644
index 4683d0f..0000000
--- a/roles/base/templates/doas.conf.j2
+++ /dev/null
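Review bot: With blockinfile's default placement (insertafter EOF), everything already in /etc/doas.conf outside the markers is left as-is, so hosts previously provisioned by the old doas.conf.j2 template keep its un-marked rules next to the new block, and because doas applies the last matching rule, any locally added `deny` earlier in the file is silently overridden by the managed permits appended after it; the commit message does not say whether that precedence is intended, so it deserves a comment on the task or a documented migration step. The block also no longer carries the `bioctl args sd0` line the deleted template had, which reads as an unrelated behaviour change worth a mention in the CHANGELOG entry. Two small additions to the same task: `create: true` rather than the YAML 1.1 truthy `yes`, and `validate: "doas -C %s"` so a malformed rule is rejected before it is written and cannot break privilege escalation on the host.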
@@ -1,19 +0,0 @@
-# {{ ansible_managed }}
-permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_sudo_group }}
-permit nopass root
-permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_ssh_group }} as root cmd /usr/share/scripts/evomaintenance.sh
-permit nopass _collectd as root cmd /bin/cat
-permit nopass _collectd as root cmd /usr/sbin/bgpctl
-permit nopass _nrpe as root cmd /sbin/bioctl args sd0
-permit nopass _nrpe as root cmd /sbin/bioctl args sd2
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_mailq.pl
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl.sh
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd_simple
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospf6d
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openbgpd
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_pf_states
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_connections_state.sh
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_packetfilter.sh
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl_critiques.sh
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh