From ff1f728102ab0f2f68cf02c33217fcb509363ddc Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Wed, 14 Oct 2020 16:37:22 +0200
Subject: [PATCH] Doas authorization for collectd

We put the doas authorization for collectd in the global file and we let it if collectd is not there, because otherwise the authorization would be removed if the base role was run without the collectd role, even if collectd was still running. Collectd would have been broken.
---
 roles/base/templates/doas.conf.j2 | 1 +
 roles/collectd/tasks/main.yml | 9 ---------
 2 files changed, 1 insertion(+), 9 deletions(-)

diff --git a/roles/base/templates/doas.conf.j2 b/roles/base/templates/doas.conf.j2
index e3945ec..2b83565 100644
--- a/roles/base/templates/doas.conf.j2
+++ b/roles/base/templates/doas.conf.j2
@@ -2,6 +2,7 @@ permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_group }}
 permit nopass root
 permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_group }} as root cmd /usr/share/scripts/evomaintenance.sh
+permit nopass _collectd as root cmd /bin/cat
 permit nopass _collectd as root cmd /usr/sbin/bgpctl
 permit nopass _nrpe as root cmd /sbin/bioctl args sd2
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_mailq
diff --git a/roles/collectd/tasks/main.yml b/roles/collectd/tasks/main.yml
index 4ff066b..28a2c46 100644
--- a/roles/collectd/tasks/main.yml
+++ b/roles/collectd/tasks/main.yml
@@ -95,12 +95,3 @@
 when: collectd_plugin_exec_dns_stats
 tags:
 - collectd
-
-- name: Delete doas configuration for dns_stats.sh execution
- lineinfile:
- path: /etc/doas.conf
- line: 'permit nopass _collectd as root cmd /bin/cat'
- state: absent
- when: not collectd_plugin_exec_dns_stats
- tags:
- - collectd
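Review bot: The added rule `permit nopass _collectd as root cmd /bin/cat` in roles/base/templates/doas.conf.j2 carries no `args` restriction, so the `_collectd` account can read any file on the host as root without a password. Because the rule now lives in the base template, that grant is deployed on every host that runs the base role, not only where the dns_stats exec plugin is enabled. The neighbouring bioctl rule already pins its argument with `args sd2`, and the same pattern fits here: `permit nopass _collectd as root cmd /bin/cat args <PATH_READ_BY_DNS_STATS_SH>`, with the placeholder replaced by the file dns_stats.sh actually reads, which this diff does not show. A short comment above the rule naming the script that depends on it would also help, since the task that documented the link is removed from roles/collectd/tasks/main.yml in the same commit.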