diff --git a/plays/base.yml b/plays/base.yml
index fb0a281..6a0d6c3 100755
--- a/plays/base.yml
+++ b/plays/base.yml
@@ -6,6 +6,10 @@
 - import_playbook: ldap-client.yml
 - import_playbook: home.yml
 
+- hosts: debian
+  roles:
+    - sudo
+
 - hosts: all
   roles:
     - cli-utils
@@ -20,7 +24,7 @@
 
 - hosts: perso
   roles:
-    - sudo
+    # - sudo
     - systemd
     - pacman
     - ntp-client-arch
diff --git a/roles/sudo/tasks/main.yml b/roles/sudo/tasks/main.yml
index 7fabaa1..2701c68 100644
--- a/roles/sudo/tasks/main.yml
+++ b/roles/sudo/tasks/main.yml
@@ -1,13 +1,10 @@
 ---
-
-- name: Deploy sudoers configuration files
+- name: Configure sudoers
   template:
-    src: '{{ item.src }}.j2'
-    dest: '/etc/{{ item.src }}'
-    owner: root
-    group: root
-    mode: '{{ item.mode }}'
-  with_items:
-    - { src: 'sudoers', mode: '0440' }
-    - { src: 'sudoers.lecture', mode: '0644' }
-
+    src: "{{ item }}.j2"
+    dest: "/etc/{{ item }}"
+    mode: 0440
+  loop:
+    - sudoers.d/custom_passprompt
+    - sudoers.d/group_privilege
+    - sudoers
diff --git a/roles/sudo/templates/sudoers.d/custom_passprompt.j2 b/roles/sudo/templates/sudoers.d/custom_passprompt.j2
new file mode 100644
index 0000000..add19a4
--- /dev/null
+++ b/roles/sudo/templates/sudoers.d/custom_passprompt.j2
@@ -0,0 +1,4 @@
+{{ ansible_header | comment }}
+# Change prompt
+Defaults passprompt_override
+Defaults passprompt="[sudo] mot de passe pour %p sur %h: "
diff --git a/roles/sudo/templates/sudoers.d/group_privilege.j2 b/roles/sudo/templates/sudoers.d/group_privilege.j2
new file mode 100644
index 0000000..5e0f399
--- /dev/null
+++ b/roles/sudo/templates/sudoers.d/group_privilege.j2
@@ -0,0 +1,3 @@
+{{ ansible_header | comment }}
+# Group privilege specification
+ADMINS ALL=(ALL:ALL) ALL
diff --git a/roles/sudo/templates/sudoers.j2 b/roles/sudo/templates/sudoers.j2
index 07f9e6b..82e086a 100644
--- a/roles/sudo/templates/sudoers.j2
+++ b/roles/sudo/templates/sudoers.j2
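Review bot: Commenting out `- sudo` on the `perso` play (second hunk of this file, `# - sudo`) stops managing `/etc/sudoers` and `/etc/sudoers.lecture` on those hosts but does not remove what earlier runs of the role deployed there, so the old `%wheel ALL=(ALL) ALL` policy stays in force unmanaged while the `debian` play now carries the rewritten role. If that is intended, say so next to the commented line, e.g. `# - sudo  # moved to the debian play; files already deployed on perso are left as-is`; if `perso` should also get the new sudoers, the line should be restored rather than commented. A commented-out role entry otherwise reads as a temporary toggle with no stated reason.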
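Review bot: The template task writes `/etc/sudoers` and two drop-ins with no syntax check, so a bad render of any of the three templates leaves the host without working sudo at the next run; add `validate: /usr/sbin/visudo -cf %s` to the `template` task (path per distribution). `mode: 0440` is an unquoted leading-zero literal, which YAML 1.1 loaders read as an octal integer and ansible-lint flags as a risky octal; the removed line had it right as a string, so write `mode: "0440"`. Dropping `owner: root` and `group: root` leaves ownership to whatever user the task runs as; keeping them explicit documents the requirement that these files be root-owned.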
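Review bot: `ADMINS ALL=(ALL:ALL) ALL` relies on the `User_Alias ADMINS` that this commit defines in the main `sudoers.j2`, not in this drop-in, so the file only has the intended meaning when read through the `#includedir /etc/sudoers.d` at the end of `/etc/sudoers`. A comment in the template makes that coupling visible to the next editor: `# ADMINS is a User_Alias defined in /etc/sudoers (sudoers.j2); this drop-in is not standalone`. Checking the drop-in on its own (for instance with `visudo -cf`) will presumably not see the alias definition, so the dependency is worth stating.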
@@ -1,103 +1,27 @@
 {{ ansible_header | comment }}
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults env_reset
+Defaults mail_badpass
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 
-## sudoers file.
-##
-## This file MUST be edited with the 'visudo' command as root.
-## Failure to use 'visudo' may result in syntax or file permission errors
-## that prevent sudo from running.
-##
-## See the sudoers man page for the details on how to write a sudoers file.
-##
+# Host alias specification
+User_Alias USERS= %user
+User_Alias ADMINS= %admin
 
-##
-## Host alias specification
-##
-## Groups of machines. These may include host names (optionally with wildcards),
-## IP addresses, network numbers or netgroups.
-# Host_Alias WEBSERVERS = www1, www2, www3
+# User alias specification
 
-##
-## User alias specification
-##
-## Groups of users. These may consist of user names, uids, Unix groups,
-## or netgroups.
-# User_Alias ADMINS = millert, dowdy, mikef
+# Cmnd alias specification
 
-##
-## Cmnd alias specification
-##
-## Groups of commands. Often used to group related commands together.
-# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
-# /usr/bin/pkill, /usr/bin/top
-# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
+# User privilege specification
+root ALL=(ALL:ALL) ALL
 
-##
-## Defaults specification
-##
-## You may wish to keep some of the following environment variables
-## when running commands via sudo.
-##
-## Locale settings
-# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
-##
-## Run X applications through sudo; HOME is used to find the
-## .Xauthority file. Note that other programs use HOME to find
-## configuration files and this may lead to privilege escalation!
-# Defaults env_keep += "HOME"
-##
-## X11 resource path settings
-# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
-##
-## Desktop path settings
-# Defaults env_keep += "QTDIR KDEDIR"
-##
-## Allow sudo-run commands to inherit the callers' ConsoleKit session
-# Defaults env_keep += "XDG_SESSION_COOKIE"
-##
-## Uncomment to enable special input methods. Care should be taken as
-## this may allow users to subvert the command being run via sudo.
-# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
-##
-## Uncomment to use a hard-coded PATH instead of the user's to find commands
-# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-##
-## Uncomment to send mail if the user does not enter the correct password.
-# Defaults mail_badpass
-##
-## Uncomment to enable logging of a command's output, except for
-## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
-# Defaults log_output
-# Defaults!/usr/bin/sudoreplay !log_output
-# Defaults!/usr/local/bin/sudoreplay !log_output
-# Defaults!REBOOT !log_output
+{% if 'virtu' in group_names %}
+# Pour vérifier quels vms sont sur quels virtus
+USERS ALL=(root:ALL) NOPASSWD:/usr/sbin/qm list
 
-##
-## Runas alias specification
-##
+{% endif %}
+# See sudoers(5) for more information on "#include" directives:
 
-##
-## User privilege specification
-##
-root ALL=(ALL) ALL
-
-## Uncomment to allow members of group wheel to execute any command
-%wheel ALL=(ALL) ALL
-
-## Same thing without a password
-# %wheel ALL=(ALL) NOPASSWD: ALL
-
-## Uncomment to allow members of group sudo to execute any command
-# %sudo ALL=(ALL) ALL
-
-## Uncomment to allow any user to run sudo if they know the password
-## of the user they are running the command as (root by default).
-# Defaults targetpw # Ask for the password of the target user
-# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
-
-Defaults lecture=always
-Defaults lecture_file=/etc/sudoers.lecture
-# toilet -f future --rainbow 'BE NICE' > sudoers.lecture.j2
-
-## Read drop-in files from /etc/sudoers.d
-## (the '#' here does not indicate a comment)
 #includedir /etc/sudoers.d
diff --git a/roles/sudo/templates/sudoers.lecture.j2 b/roles/sudo/templates/sudoers.lecture.j2
deleted file mode 100644
index 51cb23b..0000000
--- a/roles/sudo/templates/sudoers.lecture.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-┏┓ ┏━╸ ┏┓╻╻┏━╸┏━╸
-┣┻┓┣╸ ┃┗┫┃┃ ┣╸
-┗━┛┗━╸ ╹ ╹╹┗━╸┗━╸
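Review bot: The two `User_Alias` lines are placed under the `# Host alias specification` heading while the `# User alias specification` heading below them is left empty; move `User_Alias USERS= %user` and `User_Alias ADMINS= %admin` under the user heading (or drop the unused host heading) so the sections match their contents. With the removed `%wheel ALL=(ALL) ALL` gone, interactive sudo is now granted only to `root` here and to members of `%admin` via the `group_privilege` drop-in, so whether an `admin` group exists on the `debian` hosts is not visible in this diff and is worth confirming against the group management elsewhere in the repository; if it does not, no non-root user has sudo after this change. The `USERS ALL=(root:ALL) NOPASSWD:/usr/sbin/qm list` entry is scoped to a single command and argument, which is the right shape for a passwordless rule.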