From 2179be09d167c024126b6e1449c7f6fa7c9ab88b Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Thu, 27 Jul 2017 22:05:44 -0400
Subject: [PATCH] admin-users: passwordless sudo for come commands

---
 admin-users/tasks/debian/main.yml                        | 6 +-----
 admin-users/tasks/debian/{sudo_jessie.yml => sudo.yml}   | 9 ++++++---
 admin-users/tasks/debian/sudo_stretch.yml                | 7 -------
 .../templates/{sudoers_debian.j2 => sudoers_jessie.j2}   | 0
 admin-users/templates/sudoers_stretch.j2                 | 8 ++++++++
 5 files changed, 15 insertions(+), 15 deletions(-)
 rename admin-users/tasks/debian/{sudo_jessie.yml => sudo.yml} (71%)
 delete mode 100644 admin-users/tasks/debian/sudo_stretch.yml
 rename admin-users/templates/{sudoers_debian.j2 => sudoers_jessie.j2} (100%)
 create mode 100644 admin-users/templates/sudoers_stretch.j2

diff --git a/admin-users/tasks/debian/main.yml b/admin-users/tasks/debian/main.yml
index db737b42..329ce50e 100644
--- a/admin-users/tasks/debian/main.yml
+++ b/admin-users/tasks/debian/main.yml
@@ -6,10 +6,6 @@
 
 - include: ssh.yml
 
-- include: sudo_jessie.yml
-  when: ansible_distribution_release == 'jessie'
-
-- include: sudo_stretch.yml
-  when: ansible_distribution_release == 'stretch'
+- include: sudo.yml
 
 - meta: flush_handlers
diff --git a/admin-users/tasks/debian/sudo_jessie.yml b/admin-users/tasks/debian/sudo.yml
similarity index 71%
rename from admin-users/tasks/debian/sudo_jessie.yml
rename to admin-users/tasks/debian/sudo.yml
index 1d7d3a69..793e67d5 100644
--- a/admin-users/tasks/debian/sudo_jessie.yml
+++ b/admin-users/tasks/debian/sudo.yml
@@ -2,9 +2,9 @@
 
 - name: Verify Evolinux sudoers file presence
   template:
-    src: sudoers_debian.j2
+    src: sudoers_{{ ansible_distribution_release }}.j2
     dest: /etc/sudoers.d/evolinux
-    force: false
+    force: no
     validate: '/usr/sbin/visudo -cf %s'
   register: copy_sudoers_evolinux
 
@@ -20,4 +20,7 @@
     regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$'
     replace: '\1,{{ user.name }}'
     validate: '/usr/sbin/visudo -cf %s'
-  when: not copy_sudoers_evolinux.changed
+  when:
+  - ansible_distribution == "Debian"
+  - ansible_distribution_major_version | version_compare('9', '<')
+  - not copy_sudoers_evolinux.changed
diff --git a/admin-users/tasks/debian/sudo_stretch.yml b/admin-users/tasks/debian/sudo_stretch.yml
deleted file mode 100644
index 899ac6ae..00000000
--- a/admin-users/tasks/debian/sudo_stretch.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-
-- name: "'{{ user.name }}' is in the sudo group"
-  user:
-    name: "{{ user.name }}"
-    groups: sudo
-    append: yes
diff --git a/admin-users/templates/sudoers_debian.j2 b/admin-users/templates/sudoers_jessie.j2
similarity index 100%
rename from admin-users/templates/sudoers_debian.j2
rename to admin-users/templates/sudoers_jessie.j2
diff --git a/admin-users/templates/sudoers_stretch.j2 b/admin-users/templates/sudoers_stretch.j2
new file mode 100644
index 00000000..5332395c
--- /dev/null
+++ b/admin-users/templates/sudoers_stretch.j2
@@ -0,0 +1,8 @@
+Defaults        umask=0077
+
+Cmnd_Alias      MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh, /usr/bin/apt, /bin/mount
+
+nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
+nagios          ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
+
+%sudo           ALL = NOPASSWD: MAINT