roles/sudo: Configure sudo and policy

The *sudo* role installs `sudo` and configures policy for it. By default, users who are members of the *sudo* group can run any command as root.
2018-03-11 18:08:21 -05:00 · 2018-03-11 18:08:21 -05:00 · f16b7557cd
parent 0fa0c2f66e
commit f16b7557cd
3 changed files with 27 additions and 0 deletions
--- a/roles/sudo/defaults/main.yml
+++ b/roles/sudo/defaults/main.yml
@ -0,0 +1 @@
+admin_users: []
--- a/roles/sudo/files/sudo.sudoers
+++ b/roles/sudo/files/sudo.sudoers
@ -0,0 +1 @@
+%sudo ALL=(ALL) ALL
--- a/roles/sudo/tasks/main.yml
+++ b/roles/sudo/tasks/main.yml
@ -0,0 +1,25 @@
+- name: ensure sudo is installed
+  package:
+    name=sudo
+    state=present
+
+- name: ensure sudo group exists
+  group:
+    name=sudo
+    state=present
+- name: ensure admin users members of sudo group
+  user:
+    name={{ item }}
+    groups=sudo
+    append=yes
+  with_items: '{{ admin_users }}'
+- name: ensure members of sudo group can use sudo
+  copy:
+    src: sudo.sudoers
+    dest: /etc/sudoers.d/10_sudo
+    mode: '0440'
+    validate: visudo -cf %s
+- name: ensure legacy sudo group configuration is removed
+  file:
+    path=/etc/sudoers.d/sudo
+    state=absent