From ab08969cfb1097595c7519a6aab600023d180ff9 Mon Sep 17 00:00:00 2001
From: Gregory Colpart
Date: Tue, 22 Aug 2017 00:29:29 +0200
Subject: [PATCH] We decided a new policy for sudo in stretch because our previous stretch policy is buggy

---
 admin-users/tasks/user.yml               | 11 +++++++++--
 admin-users/templates/sudoers_stretch.j2 |  3 ++-
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/admin-users/tasks/user.yml b/admin-users/tasks/user.yml
index ba72b388..604af57c 100644
--- a/admin-users/tasks/user.yml
+++ b/admin-users/tasks/user.yml
@@ -35,14 +35,21 @@
     update_password: on_create
   when: loginisbusy.rc != 0 and uidisbusy.rc == 0
 
-- name: "Create {{ admin_users_group }}"
+- name: "Create evolinux-sudo group"
+  group:
+    name: evolinux-sudo
+    system: yes
+  when: ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "Create {{ admin_users_group }} group"
   group:
     name: "{{ admin_users_group }}"
+  when: ansible_distribution_major_version | version_compare('9', '>=')
 
 - name: "Add user to sudo group (Debian 9 or later)"
   user:
     name: '{{ user.name }}'
-    groups: 'sudo,{{ admin_users_group }}'
+    groups: 'evolinux-sudo,{{ admin_users_group }}'
     append: yes
   when: ansible_distribution_major_version | version_compare('9', '>=')
 

diff --git a/admin-users/templates/sudoers_stretch.j2 b/admin-users/templates/sudoers_stretch.j2
index 5332395c..8de1bbc6 100644
--- a/admin-users/templates/sudoers_stretch.j2
+++ b/admin-users/templates/sudoers_stretch.j2
@@ -5,4 +5,5 @@ Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts
 
 nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
 nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
-%sudo ALL = NOPASSWD: MAINT
+%evolinux-sudo ALL=(ALL:ALL) ALL
+%evolinux-sudo ALL = NOPASSWD: MAINT
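Review bot: The task still named `Add user to sudo group (Debian 9 or later)` now puts the account into `evolinux-sudo` (the changed `groups:` line), so the name no longer describes what it does; rename it to `- name: "Add user to evolinux-sudo group (Debian 9 or later)"`. Because the task keeps `append: yes`, accounts that an earlier run already placed in `sudo` retain that membership, and if the host's stock sudoers still grants `%sudo`, those users keep a second unrestricted path to root next to the new group — if the intent is a migration, a task dropping stale `sudo` membership is needed (inferred; the stock sudoers is not visible in this diff). The new `system: yes` is a YAML 1.1 truthy value; write `system: true` to match the `true`/`false` convention and yamllint's `truthy` rule. The enclosing task list continues outside the hunk.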
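Review bot: The two new `%evolinux-sudo` lines are order-dependent and nothing says so: sudoers applies the last matching entry, so the `NOPASSWD: MAINT` line must stay below the `ALL=(ALL:ALL) ALL` line or MAINT commands would start prompting for a password again; add above them `# Keep the NOPASSWD MAINT rule after the general rule: sudoers uses the last matching entry`. The first added line also grants every member of evolinux-sudo unrestricted root, which is broader than the removed `%sudo ALL = NOPASSWD: MAINT` gave from this file alone, so the group's membership is now the whole access boundary and worth a comment stating that. The spacing differs between `ALL=(ALL:ALL) ALL` and `ALL = NOPASSWD:`; use one form, e.g. `%evolinux-sudo ALL = (ALL:ALL) ALL`.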