# yamllint disable rule:line-length
---
- name: "Configure doas"
  blockinfile:
    dest: /etc/doas.conf
    owner: root
    group: wheel
    mode: "0640"
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK FROM EVOBSD"
    block: |
      permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_sudo_group }}
      permit nopass root
      permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_ssh_group }} as root cmd /usr/share/scripts/evomaintenance.sh
      permit nopass _collectd as root cmd /bin/cat
      permit nopass _collectd as root cmd /usr/sbin/bgpctl
      permit nopass _nrpe as root cmd /sbin/bioctl args sd2
      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_mailq.pl
      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl.sh
      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd_simple
      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd
      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospf6d
      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openbgpd
      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_pf_states
      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_connections_state.sh
      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_packetfilter.sh
      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl_critiques.sh
      permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh
  tags:
    - doas