From 7d5a2e7a1e27222c61f4bce2bd79877668b95540 Mon Sep 17 00:00:00 2001 From: Christian Erb Date: Mon, 10 Jan 2022 11:58:13 +0100 Subject: [PATCH 1/2] Added the possibility to define additional sudoers files. This is helpful as the option purge_other_sudoers_files would also delete our added configuration if we would run the role multiple times. --- README.md | 10 +++++++++- defaults/main.yml | 2 ++ tasks/config.yml | 19 +++++++++++++++++++ tests/main.yml | 5 +++++ 4 files changed, 35 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 583d044..ae51bd7 100644 --- a/README.md +++ b/README.md @@ -69,6 +69,8 @@ sudo_users: [] sudo_defaults: [] # default sudoers file sudo_sudoers_file: ansible +# list for additional sudoers files +sudo_sudoers_additional_files: [] # path of the sudoers.d directory sudo_sudoers_d_path: /etc/sudoers.d # delete other files in `sudo_sudoers_d_path` @@ -114,8 +116,14 @@ This is an example playbook: groups: 'group1,group2' purge_other_sudoers_files: yes -``` + sudo_sudoers_additional_files: + - web + sudo_users_web: + - name: 'webuser1' +``` +If you are going to make use of sudo_sudoers_additional_files then all the other variables are available like before, but you have to suffix them with the filename. +This is like in the upper example the name `web`. ## Testing diff --git a/defaults/main.yml b/defaults/main.yml index 4c91c29..9ced603 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -24,6 +24,8 @@ sudo_users: [] sudo_defaults: [] # default sudoers file sudo_sudoers_file: ansible +# list for additional sudoers files +sudo_sudoers_additional_files: [] # path of the sudoers.d directory sudo_sudoers_d_path: /etc/sudoers.d # delete other files in `sudo_sudoers_d_path` diff --git a/tasks/config.yml b/tasks/config.yml index f54442f..7552bce 100644 --- a/tasks/config.yml +++ b/tasks/config.yml 
@@ -9,6 +9,24 @@ group: "{{ sudo_sudoers_group }}" mode: "0440" +- name: "Creating sudoers configuration in {{ sudo_sudoers_d_path }}/{{ item }}" + vars: + sudo_sudoers_user_aliases: "{{ lookup('vars', 'sudo_sudoers_user_aliases_' + item, default='') }}" + sudo_sudoers_runas_aliases: "{{ lookup('vars', 'sudo_sudoers_runas_aliases_' + item, default='') }}" + sudo_sudoers_cmnd_aliases: "{{ lookup('vars', 'sudo_sudoers_cmnd_aliases_' + item, default='') }}" + sudo_defaults: "{{ lookup('vars', 'sudo_defaults_' + item, default='') }}" + sudo_users: "{{ lookup('vars', 'sudo_users_' + item, default='') }}" + template: + src: "etc/sudoers.d/ansible.j2" + dest: "{{ sudo_sudoers_d_path }}/{{ item }}" + validate: "{{ sudo_visudo }} -cf %s" + owner: root + group: "{{ sudo_sudoers_group }}" + mode: "0440" + loop: "{{ sudo_sudoers_additional_files | list }}" + when: + - (sudo_sudoers_additional_files | length > 0) + - name: "List files in {{ sudo_sudoers_d_path }}" find: paths: "{{ sudo_sudoers_d_path }}" @@ -27,3 +45,4 @@ when: - purge_other_sudoers_files | bool - (item.path|basename) != sudo_sudoers_file + - (item.path|basename) not in sudo_sudoers_additional_files diff --git a/tests/main.yml b/tests/main.yml index b6fb0b4..f3a3fa3 100644 --- a/tests/main.yml +++ b/tests/main.yml @@ -29,3 +29,8 @@ users: 'user1,user2' groups: 'group1,group2' purge_other_sudoers_files: yes + + sudo_sudoers_additional_files: + - web + sudo_users_web: + - name: 'webuser1' From 92d657a316c030350599a96382e5439f9ea1da86 Mon Sep 17 00:00:00 2001 From: Christian Erb Date: Mon, 10 Jan 2022 14:13:01 +0100 Subject: [PATCH 2/2] Changed task output for additional sudoers configurations --- tasks/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/config.yml b/tasks/config.yml index 7552bce..c50f01d 100644 --- a/tasks/config.yml +++ b/tasks/config.yml 
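Review bot: Entries of `sudo_sudoers_additional_files` are used unvalidated in the new template task both as the `dest` file name and as the `lookup('vars', ...)` suffix, so an entry containing a path separator, `..`, a dot or a trailing `~` is either written to an unintended path or written to a file that sudo silently skips inside sudoers.d, while `visudo -cf` still reports it as valid. An `assert` task placed before the template task pins each entry to a plain file name, and that also keeps the `(item.path|basename) not in sudo_sudoers_additional_files` exclusion in the second hunk of this file consistent with what was actually written. Separately, `lookup('vars', ..., default='')` yields an empty string rather than an empty list when a suffixed variable is absent; `etc/sudoers.d/ansible.j2` is not in the hunk, so if it applies list filters to these variables `default=[]` would preserve the type the role-level variables have — confirm against the template. The `when: (sudo_sudoers_additional_files | length > 0)` guard is redundant, since `loop` over the same list already skips the task when it is empty.
```yaml
- name: "Validate additional sudoers file names"
  assert:
    that:
      - item is match('^[A-Za-z0-9_-]+$')
    fail_msg: "sudo_sudoers_additional_files entry '{{ item }}' must be a plain file name without path separators, dots or '~' (sudo ignores such files in sudoers.d)"
  loop: "{{ sudo_sudoers_additional_files | list }}"

# … unchanged: "Creating sudoers configuration" template task …
```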
@@ -9,7 +9,7 @@ group: "{{ sudo_sudoers_group }}" mode: "0440" -- name: "Creating sudoers configuration in {{ sudo_sudoers_d_path }}/{{ item }}" +- name: "Creating additional sudoers configurations" vars: sudo_sudoers_user_aliases: "{{ lookup('vars', 'sudo_sudoers_user_aliases_' + item, default='') }}" sudo_sudoers_runas_aliases: "{{ lookup('vars', 'sudo_sudoers_runas_aliases_' + item, default='') }}"