Configure sudoers

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>

plays/base.yml

@@ -6,6 +6,10 @@
 - import_playbook: ldap-client.yml
 - import_playbook: home.yml
 
+- hosts: debian
+  roles:
+    - sudo
+
 - hosts: all
   roles:
     - cli-utils
@@ -20,7 +24,7 @@
 
 - hosts: perso
   roles:
-    - sudo
+  # - sudo
     - systemd
     - pacman
     - ntp-client-arch

roles/sudo/tasks/main.yml

@@ -1,13 +1,10 @@
 ---
-
+- name: Configure sudoers
-- name: Deploy sudoers configuration files
   template:
-    src: '{{ item.src }}.j2'
+    src: "{{ item }}.j2"
-    dest: '/etc/{{ item.src }}'
+    dest: "/etc/{{ item }}"
-    owner: root
+    mode: 0440
-    group: root
+  loop:
-    mode: '{{ item.mode }}'
+    - sudoers.d/custom_passprompt
-  with_items:
+    - sudoers.d/group_privilege
-    - { src: 'sudoers', mode: '0440' }
+    - sudoers
-    - { src: 'sudoers.lecture', mode: '0644' }
-

roles/sudo/templates/sudoers.d/custom_passprompt.j2

@@ -0,0 +1,4 @@
+{{ ansible_header | comment }}
+# Change prompt
+Defaults        passprompt_override
+Defaults        passprompt="[sudo] mot de passe pour %p sur %h: "

roles/sudo/templates/sudoers.d/group_privilege.j2

@@ -0,0 +1,3 @@
+{{ ansible_header | comment }}
+# Group privilege specification
+ADMINS    ALL=(ALL:ALL) ALL

roles/sudo/templates/sudoers.j2

@@ -1,103 +1,27 @@
 {{ ansible_header | comment }}
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults	env_reset
+Defaults	mail_badpass
+Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 
-## sudoers file.
+# Host alias specification
-##
+User_Alias    USERS= %user
-## This file MUST be edited with the 'visudo' command as root.
+User_Alias    ADMINS= %admin
-## Failure to use 'visudo' may result in syntax or file permission errors
-## that prevent sudo from running.
-##
-## See the sudoers man page for the details on how to write a sudoers file.
-##
 
-##
+# User alias specification
-## Host alias specification
-##
-## Groups of machines. These may include host names (optionally with wildcards),
-## IP addresses, network numbers or netgroups.
-# Host_Alias	WEBSERVERS = www1, www2, www3
 
-##
+# Cmnd alias specification
-## User alias specification
-##
-## Groups of users.  These may consist of user names, uids, Unix groups,
-## or netgroups.
-# User_Alias	ADMINS = millert, dowdy, mikef
 
-##
+# User privilege specification
-## Cmnd alias specification
+root	ALL=(ALL:ALL) ALL
-##
-## Groups of commands.  Often used to group related commands together.
-# Cmnd_Alias	PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
-# 			    /usr/bin/pkill, /usr/bin/top
-# Cmnd_Alias	REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
 
-##
+{% if 'virtu' in group_names %}
-## Defaults specification
+# Pour vérifier quels vms sont sur quels virtus
-##
+USERS ALL=(root:ALL) NOPASSWD:/usr/sbin/qm list
-## You may wish to keep some of the following environment variables
-## when running commands via sudo.
-##
-## Locale settings
-# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
-##
-## Run X applications through sudo; HOME is used to find the
-## .Xauthority file.  Note that other programs use HOME to find
-## configuration files and this may lead to privilege escalation!
-# Defaults env_keep += "HOME"
-##
-## X11 resource path settings
-# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
-##
-## Desktop path settings
-# Defaults env_keep += "QTDIR KDEDIR"
-##
-## Allow sudo-run commands to inherit the callers' ConsoleKit session
-# Defaults env_keep += "XDG_SESSION_COOKIE"
-##
-## Uncomment to enable special input methods.  Care should be taken as
-## this may allow users to subvert the command being run via sudo.
-# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
-##
-## Uncomment to use a hard-coded PATH instead of the user's to find commands
-# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-##
-## Uncomment to send mail if the user does not enter the correct password.
-# Defaults mail_badpass
-##
-## Uncomment to enable logging of a command's output, except for
-## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
-# Defaults log_output
-# Defaults!/usr/bin/sudoreplay !log_output
-# Defaults!/usr/local/bin/sudoreplay !log_output
-# Defaults!REBOOT !log_output
 
-##
+{% endif %}
-## Runas alias specification
+# See sudoers(5) for more information on "#include" directives:
-##
 
-##
-## User privilege specification
-##
-root ALL=(ALL) ALL
-
-## Uncomment to allow members of group wheel to execute any command
-%wheel ALL=(ALL) ALL
-
-## Same thing without a password
-# %wheel ALL=(ALL) NOPASSWD: ALL
-
-## Uncomment to allow members of group sudo to execute any command
-# %sudo	ALL=(ALL) ALL
-
-## Uncomment to allow any user to run sudo if they know the password
-## of the user they are running the command as (root by default).
-# Defaults targetpw  # Ask for the password of the target user
-# ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
-
-Defaults lecture=always
-Defaults lecture_file=/etc/sudoers.lecture
-# toilet -f future --rainbow 'BE NICE' > sudoers.lecture.j2
-
-## Read drop-in files from /etc/sudoers.d
-## (the '#' here does not indicate a comment)
 #includedir /etc/sudoers.d

roles/sudo/templates/sudoers.lecture.j2

@@ -1,3 +0,0 @@
-┏┓ ┏━╸   ┏┓╻╻┏━╸┏━╸
-┣┻┓┣╸    ┃┗┫┃┃  ┣╸ 
-┗━┛┗━╸   ╹ ╹╹┗━╸┗━╸