Move sysadmins out of base role.

Don't run it by default, but make it a role.

roles/base.rb

@@ -1,17 +1,3 @@
 name 'base'
 description 'Base bootstrap for every box'
-run_list "recipe[sysadmins]", "recipe[sudo]", "recipe[apt]", "recipe[build-essential]"
-default_attributes(
-  "authorization" => {
-    "sudo" => {
-      "groups" => ["admin"],
-      "passwordless" => false,
-      "include_sudoers_d" => true,
-      "sudoers_default" => [
-        "env_reset",
-        "mail_badpass",
-        "secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
-      ],
-    }
-  }
-)
+run_list "recipe[apt]", "recipe[build-essential]"

roles/sysadmins.rb

@@ -0,0 +1,23 @@
+name "sysadmins"
+description "This role configures sysadmins, users with sudo-rights on your server"
+run_list(
+  "role[base]",
+  "recipe[packages]",
+  "recipe[sysadmins]",
+  "recipe[sudo]"
+)
+# Configure the sudo recipe so it mirrors Ubuntu's default behaviour
+default_attributes(
+  "authorization" => {
+    "sudo" => {
+      "groups" => ["admin"],
+      "passwordless" => false,
+      "include_sudoers_d" => true,
+      "sudoers_default" => [
+        "env_reset",
+        "mail_badpass",
+        "secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\""
+      ],
+    }
+  }
+)

vendor/cookbooks/sysadmins/README.md

@@ -39,3 +39,8 @@ Add sysadmins to your node configuration:
   }
 }
 ```
+
+* Create a hashed password with `openssl passwd -1 'plaintextpassword'`.
+  This password is needed for running `sudo`.
+* SSH-keys should be the **public** key. You can leave them out, in
+  which case you have to log in with the password.