From 2179be09d167c024126b6e1449c7f6fa7c9ab88b Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Thu, 27 Jul 2017 22:05:44 -0400
Subject: [PATCH] admin-users: passwordless sudo for come commands
---
 admin-users/tasks/debian/main.yml | 6 +-----
 admin-users/tasks/debian/{sudo_jessie.yml => sudo.yml} | 9 ++++++---
 admin-users/tasks/debian/sudo_stretch.yml | 7 -------
 .../templates/{sudoers_debian.j2 => sudoers_jessie.j2} | 0
 admin-users/templates/sudoers_stretch.j2 | 8 ++++++++
 5 files changed, 15 insertions(+), 15 deletions(-)
 rename admin-users/tasks/debian/{sudo_jessie.yml => sudo.yml} (71%)
 delete mode 100644 admin-users/tasks/debian/sudo_stretch.yml
 rename admin-users/templates/{sudoers_debian.j2 => sudoers_jessie.j2} (100%)
 create mode 100644 admin-users/templates/sudoers_stretch.j2
diff --git a/admin-users/tasks/debian/main.yml b/admin-users/tasks/debian/main.yml
index db737b42..329ce50e 100644
--- a/admin-users/tasks/debian/main.yml
+++ b/admin-users/tasks/debian/main.yml
@@ -6,10 +6,6 @@
 - include: ssh.yml
-- include: sudo_jessie.yml
- when: ansible_distribution_release == 'jessie'
-
-- include: sudo_stretch.yml
- when: ansible_distribution_release == 'stretch'
+- include: sudo.yml
 - meta: flush_handlers
diff --git a/admin-users/tasks/debian/sudo_jessie.yml b/admin-users/tasks/debian/sudo.yml
similarity index 71%
rename from admin-users/tasks/debian/sudo_jessie.yml
rename to admin-users/tasks/debian/sudo.yml
index 1d7d3a69..793e67d5 100644
--- a/admin-users/tasks/debian/sudo_jessie.yml
+++ b/admin-users/tasks/debian/sudo.yml
@@ -2,9 +2,9 @@
 - name: Verify Evolinux sudoers file presence
 template:
- src: sudoers_debian.j2
+ src: sudoers_{{ ansible_distribution_release }}.j2
 dest: /etc/sudoers.d/evolinux
- force: false
+ force: no
 validate: '/usr/sbin/visudo -cf %s'
 register: copy_sudoers_evolinux
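Review bot: The `- include: sudo.yml` line is now unconditional, so the release guard that the two removed `when:` clauses provided is gone and the only remaining selector is the template file name built from `ansible_distribution_release` in sudo.yml. On a release with no matching `sudoers_<release>.j2` the role would presumably abort at the template task instead of reporting an unsupported release. I would keep an explicit guard here, for example `when: ansible_distribution_release in ['jessie', 'stretch']`, or add an `assert` task with a clear failure message before the include.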
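Review bot: The template task that installs `/etc/sudoers.d/evolinux` sets no `owner`, `group` or `mode`, so the permissions of a sudoers fragment are left to module defaults, and the `validate` command only parses the rendered temporary file. I would add `owner: root`, `group: root` and `mode: "0440"` to the task. With `force: no`, a host that already has the file never receives a changed template, so a later policy fix or a jessie-to-stretch upgrade will not replace the deployed rules; that deserves a comment on the task. The new `force: no` would also read better as `force: false`, which the line it replaces already used.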
@@ -20,4 +20,7 @@
 regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$'
 replace: '\1,{{ user.name }}'
 validate: '/usr/sbin/visudo -cf %s'
- when: not copy_sudoers_evolinux.changed
+ when:
+ - ansible_distribution == "Debian"
+ - ansible_distribution_major_version | version_compare('9', '<')
+ - not copy_sudoers_evolinux.changed
diff --git a/admin-users/tasks/debian/sudo_stretch.yml b/admin-users/tasks/debian/sudo_stretch.yml
deleted file mode 100644
index 899ac6ae..00000000
--- a/admin-users/tasks/debian/sudo_stretch.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-
-- name: "'{{ user.name }}' is in the sudo group"
- user:
- name: "{{ user.name }}"
- groups: sudo
- append: yes
diff --git a/admin-users/templates/sudoers_debian.j2 b/admin-users/templates/sudoers_jessie.j2
similarity index 100%
rename from admin-users/templates/sudoers_debian.j2
rename to admin-users/templates/sudoers_jessie.j2
diff --git a/admin-users/templates/sudoers_stretch.j2 b/admin-users/templates/sudoers_stretch.j2
new file mode 100644
index 00000000..5332395c
--- /dev/null
+++ b/admin-users/templates/sudoers_stretch.j2
@@ -0,0 +1,8 @@
+Defaults umask=0077
+
+Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh, /usr/bin/apt, /bin/mount
+
+nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
+nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
+
+%sudo ALL = NOPASSWD: MAINT
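Review bot: With the new `version_compare('9', '<')` condition this task is skipped on stretch, and the same commit deletes sudo_stretch.yml, the only visible task that put `{{ user.name }}` into the `sudo` group. Unless group membership is handled elsewhere in the role, a stretch host gets the `%sudo` rule from the new template but no admin user is added to that group. I would keep a stretch branch in this file: the deleted `user:` task with `groups: sudo` and `append: yes`, guarded by `ansible_distribution_major_version | version_compare('9', '>=')`. The task this hunk modifies starts above the hunk, so its module and `dest` are not visible here.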
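Review bot: `%sudo ALL = NOPASSWD: MAINT` gives every member of the `sudo` group password-free root for `/usr/bin/apt` and `/bin/mount` with no argument restriction, and both commands accept options that let the caller decide what runs or what is exposed as root, so the rule is close to `NOPASSWD: ALL` in effect. The password prompt then no longer stands between a compromised admin SSH key or session and root. I would limit the alias to the two maintenance scripts, `Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh`, or pin the exact `apt` and `mount` argument lists that are needed. The scripts and `/usr/share/scripts` should be confirmed writable by root only, and a comment in the template stating why each command is passwordless would help later audits.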