From f16b7557cdd4fa2aa825ab5f8f7373ee8a3a38f4 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 11 Mar 2018 18:08:21 -0500
Subject: [PATCH] roles/sudo: Configure sudo and policy

The *sudo* role installs `sudo` and configures policy for it. By default, users who are members of the *sudo* group can run any command as root.
---
roles/sudo/defaults/main.yml | 1 +
roles/sudo/files/sudo.sudoers | 1 +
roles/sudo/tasks/main.yml | 25 +++++++++++++++++++++++++
3 files changed, 27 insertions(+)
create mode 100644 roles/sudo/defaults/main.yml
create mode 100644 roles/sudo/files/sudo.sudoers
create mode 100644 roles/sudo/tasks/main.yml

diff --git a/roles/sudo/defaults/main.yml b/roles/sudo/defaults/main.yml
new file mode 100644
index 0000000..11f2f29
--- /dev/null
+++ b/roles/sudo/defaults/main.yml
@@ -0,0 +1 @@
+admin_users: []
diff --git a/roles/sudo/files/sudo.sudoers b/roles/sudo/files/sudo.sudoers
new file mode 100644
index 0000000..5e3c1bb
--- /dev/null
+++ b/roles/sudo/files/sudo.sudoers
@@ -0,0 +1 @@
+%sudo ALL=(ALL) ALL
diff --git a/roles/sudo/tasks/main.yml b/roles/sudo/tasks/main.yml
new file mode 100644
index 0000000..1021a6c
--- /dev/null
+++ b/roles/sudo/tasks/main.yml
@@ -0,0 +1,25 @@
+- name: ensure sudo is installed
+  package:
+    name=sudo
+    state=present
+- name: ensure sudo group exists
+  group:
+    name=sudo
+    state=present
+- name: ensure admin users members of sudo group
+  user:
+    name={{ item }}
+    groups=sudo
+    append=yes
+  with_items: '{{ admin_users }}'
+- name: ensure members of sudo group can use sudo
+  copy:
+    src: sudo.sudoers
+    dest: /etc/sudoers.d/10_sudo
+    mode: '0440'
+    validate: visudo -cf %s
+- name: ensure legacy sudo group configuration is removed
+  file:
+    path=/etc/sudoers.d/sudo
+    state=absent
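Review bot: The `user` task (`name={{ item }}` / `groups=sudo` / `append=yes`) only ever adds membership, so a name removed from `admin_users` keeps the sudo group, and with it unrestricted root via `%sudo ALL=(ALL) ALL`, until someone revokes it by hand; the role has no reconciliation task, which should at least be stated in the role (e.g. `# NOTE: membership is additive only; removing a name from admin_users does not revoke sudo`) or handled by a task that strips stale members from the group. The `user` module also defaults to `state: present`, so a misspelled entry in `admin_users` presumably creates a brand-new account that is already in the sudo group rather than failing; consider asserting the account exists before granting membership. The `copy` task installing `/etc/sudoers.d/10_sudo` pins `mode: '0440'` and validates with `visudo -cf %s`, but does not pin `owner: root` / `group: root`; sudo skips sudoers.d files not owned by uid 0, so setting both explicitly keeps the drop-in effective regardless of the connection or become user. Minor style: the file mixes `key=value` module args with block YAML (the `copy` task) and uses the truthy `append=yes`; writing every task in block form with `append: true` would match the `copy` task and lint cleanly.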