A role for managing sudo.
This role uses sudoers.d to manage the sudo capabilities of your users. Each user gets their own file in sudoers.d, so the role can be used from multiple roles to add and manage new users without interfering with the users managed by other roles.
The defaults and aliases, however, can only be managed from one location and should not be specified if you add this role as a dependency of your own role.
The following roles were designed to work neatly together with this role:
- user, for managing users.
- authorized-key, for managing authorized keys.
The management-user role combines all these roles in one easy-to-use role.
- Hosts should be bootstrapped for Ansible usage (have Python, ...).
- Root privileges, e.g. `become: yes`.
- Sudo should be available.
Variable | Description | Default value |
---|---|---|
sudo_list | List of users and their sudo settings (see details!) | [] |
sudo_list_host | List of users and their sudo settings (see details!) | [] |
sudo_list_group | List of users and their sudo settings (see details!) | [] |
sudo_default_sudoers | Restore default sudoers file if altered? | no |
sudo_default_sudoers_src_path | Path (local) to default sudoers file | path to included default file |
sudo_defaults | List of defaults | [] |
sudo_host_aliases | List of host aliases (see details!) | [] |
sudo_user_aliases | List of user aliases (see details!) | [] |
sudo_runas_aliases | List of run-as aliases (see details!) | [] |
sudo_cmnd_aliases | List of command aliases (see details!) | [] |
sudo_sudoersd_dir | sudoers.d directory | '/etc/sudoers.d' |
`sudo_list`, `sudo_list_host` and `sudo_list_group` are merged when managing the sudo settings. You can use the host and group lists to specify user settings per host or per group of hosts.
The sudo list allows you to define which users' sudo settings must be managed. Each item in the list can have the following attributes:
Variable | Description | Required | Default |
---|---|---|---|
hosts | Hosts | yes | / |
as | Operators | yes | / |
commands | Commands | yes | / |
nopasswd | No password sudo? | no | no |
```yaml
sudo_list:
  - name: root
    sudo:
      hosts: ALL
      as: ALL
      commands: ALL
  - name: user1
  - name: user2
    sudo:
      hosts: ALL
      as: ALL
      commands: ALL
      nopasswd: yes
```
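To see what the list above turns into on disk, here is an added example (not the GROG.sudo role's own code) that renders each `sudo_list` item into the sudoers line that would end up in its sudoers.d file and flags the grants worth a second look; it assumes an item without a `sudo` key means "no sudoers.d file for this user".

```python
# Added example: render sudo_list items into sudoers.d-style entries and
# audit them. Not the GROG.sudo role's code; the line format is standard
# sudoers syntax, the audit rules are this example's own.

# Constructed sample mirroring the README's sudo_list example.
SUDO_LIST = [
    {"name": "root", "sudo": {"hosts": "ALL", "as": "ALL", "commands": "ALL"}},
    {"name": "user1"},  # no 'sudo' key: assumed to get no sudoers.d file
    {"name": "user2", "sudo": {"hosts": "ALL", "as": "ALL",
                               "commands": "ALL", "nopasswd": True}},
    {"name": "ops", "sudo": {"hosts": "ALL", "as": "root",
                             "commands": "/usr/sbin/service, /usr/bin/systemctl"}},
]

REQUIRED = ("hosts", "as", "commands")


def render_entry(item):
    """Return the sudoers line for one item, or None when it has no 'sudo' key.
    Raises ValueError when a required attribute (hosts, as, commands) is missing."""
    sudo = item.get("sudo")
    if sudo is None:
        return None
    missing = [key for key in REQUIRED if key not in sudo]
    if missing:
        raise ValueError(f"{item['name']}: missing required attribute(s) {missing}")
    tag = "NOPASSWD: " if sudo.get("nopasswd", False) else ""
    return f"{item['name']} {sudo['hosts']}=({sudo['as']}) {tag}{sudo['commands']}"


def render_sudoersd(sudo_list):
    """Map each user name to the content of its sudoers.d file (None = no file)."""
    return {item["name"]: render_entry(item) for item in sudo_list}


def audit(sudo_list):
    """Flag password-less sudo and unrestricted commands for non-root accounts."""
    findings = []
    for item in sudo_list:
        sudo = item.get("sudo")
        if not sudo:
            continue
        if sudo.get("nopasswd", False):
            findings.append(f"{item['name']}: NOPASSWD set")
        if sudo.get("commands") == "ALL" and item["name"] != "root":
            findings.append(f"{item['name']}: unrestricted commands (ALL)")
    return findings


if __name__ == "__main__":
    for user, line in render_sudoersd(SUDO_LIST).items():
        print(f"{user}: {line if line else '(no sudoers.d file)'}")
    print("\n".join(audit(SUDO_LIST)))
```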
The aliases lists allow you to specify multiple aliases. Each item in the list has a name and an alias.
Variable | Description | Required | Default |
---|---|---|---|
name | Name of the alias | yes | / |
alias | Alias | yes | / |
```yaml
sudo_***_aliases:
  - name: EXAMPLE1
    alias: 'shutdown'
  - name: EXAMPLE2
    alias: 'test, test1, test2'
```
Dependencies: none.
```yaml
---
- hosts: servers
  roles:
    - { role: GROG.sudo, become: yes }
```
Inside group_vars/servers.yml:
```yaml
sudo_list_group:
  - name: user
    sudo:
      hosts: ALL
      as: ALL
      commands: ALL
```
All assistance, changes or ideas welcome!
By G. Roggemans
MIT