Doas authorization for collectd

We put the doas authorization for collectd in the global file and leave it in
place even when collectd is not installed, because otherwise the authorization
would be removed whenever the base role was run without the collectd role, even
if collectd was still running. Collectd would then have been broken.
Jérémy Dubois 2020-10-14 16:37:22 +02:00
parent cc80aefac7
commit ff1f728102
2 changed files with 1 additions and 9 deletions


@ -2,6 +2,7 @@
permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_group }}
permit nopass root
permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_group }} as root cmd /usr/share/scripts/evomaintenance.sh
permit nopass _collectd as root cmd /bin/cat
permit nopass _collectd as root cmd /usr/sbin/bgpctl
permit nopass _nrpe as root cmd /sbin/bioctl args sd2
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_mailq
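Review bot: The `permit nopass _collectd as root cmd /bin/cat` rule has no `args` restriction, so `_collectd` can read any file on the system as root without a password, and placing it in the global template grants that on every host the base role manages, including hosts where collectd is not installed. The removed task's name suggests the rule exists only for `dns_stats.sh`; if so, pin it to the file that script reads, e.g. `permit nopass _collectd as root cmd /bin/cat args <STATS_FILE_PATH>` (placeholder; the real path is not visible here). The `/usr/sbin/bgpctl` rule just below has the same open shape and would benefit from an `args` restriction to the read-only subcommand collectd needs. A `#` comment above each rule naming the script that requires it would make later audits of this file easier.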


@ -95,12 +95,3 @@
when: collectd_plugin_exec_dns_stats
tags:
- collectd
- name: Delete doas configuration for dns_stats.sh execution
lineinfile:
path: /etc/doas.conf
line: 'permit nopass _collectd as root cmd /bin/cat'
state: absent
when: not collectd_plugin_exec_dns_stats
tags:
- collectd