From 0261e875679f1bf63c8d689da7fc7e014597885d Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Sat, 4 Feb 2023 01:23:43 -0500
Subject: initial commit

---
roles/sudo/defaults/main.yml | 2 ++
roles/sudo/tasks/main.yml | 5 ++++
roles/sudo/templates/etc/sudoers.j2 | 48 +++++++++++++++++++++++++++++++++++++
3 files changed, 55 insertions(+)
create mode 100644 roles/sudo/defaults/main.yml
create mode 100644 roles/sudo/tasks/main.yml
create mode 100644 roles/sudo/templates/etc/sudoers.j2
(limited to 'roles/sudo')
diff --git a/roles/sudo/defaults/main.yml b/roles/sudo/defaults/main.yml
new file mode 100644
index 0000000..623e42b
--- /dev/null
+++ b/roles/sudo/defaults/main.yml
@@ -0,0 +1,2 @@
+sudo_mailto: root
+sudo_send_emails: yes
diff --git a/roles/sudo/tasks/main.yml b/roles/sudo/tasks/main.yml
new file mode 100644
index 0000000..7419bf0
--- /dev/null
+++ b/roles/sudo/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: generate sudoers file
+ template:
+ src: etc/sudoers.j2
+ dest: /etc/sudoers
+ mode: 0440
diff --git a/roles/sudo/templates/etc/sudoers.j2 b/roles/sudo/templates/etc/sudoers.j2
new file mode 100644
index 0000000..2ee55be
--- /dev/null
+++ b/roles/sudo/templates/etc/sudoers.j2
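Review bot: The template task writes /etc/sudoers directly with no `validate`, so any rendering that sudo cannot parse (for example a `sudo_mailto` value containing a double quote, which the sudoers.j2 hunk of this commit inserts verbatim inside quotes) is installed as-is, and a syntax error in /etc/sudoers makes sudo refuse to run for every user on the host. Add `validate: '/usr/sbin/visudo -cf %s'` so the rendered file is checked before it replaces the live one. The task also sets only `mode: 0440`; sudo additionally requires the file to be owned by uid 0, so pin `owner: root` and `group: root` rather than relying on whatever user the play happens to run as. The YAML indentation of the `template:` keys is not recoverable from this rendering of the patch, so it is not reviewed here.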
@@ -0,0 +1,48 @@
+#
+# Refuse to run if unable to disable echo on the tty.
+#
+Defaults !visiblepw
+
+#
+# Preserving HOME has security implications since many programs
+# use it when searching for configuration files. Note that HOME
+# is already set when the the env_reset option is enabled, so
+# this option is only effective for configurations where either
+# env_reset is disabled or HOME is present in the env_keep list.
+#
+Defaults always_set_home
+Defaults match_group_by_gid
+
+{% if sudo_send_emails %}
+Defaults mailto = "{{ sudo_mailto }}"
+Defaults mail_badpass
+Defaults mail_no_host
+Defaults mail_no_perms
+Defaults mail_no_user
+{% endif %}
+
+# Prior to version 1.8.15, groups listed in sudoers that were not
+# found in the system group database were passed to the group
+# plugin, if any. Starting with 1.8.15, only groups of the form
+# %:group are resolved via the group plugin by default.
+# We enable always_query_group_plugin to restore old behavior.
+# Disable this option for new behavior.
+Defaults always_query_group_plugin
+
+Defaults env_reset
+Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
+Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
+Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
+Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
+Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
+
+Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
+
+## Allow root to run any commands anywhere
+root ALL=(ALL) ALL
+
+## Allows people in group wheel to run all commands
+%wheel ALL=(ALL) ALL
+
+## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
+#includedir /etc/sudoers.d
-- cgit
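Review bot: `Defaults mailto = "{{ sudo_mailto }}"` drops the variable verbatim between double quotes, so a value containing `"`, `\` or a newline yields a sudoers line sudo cannot parse, and because this block only renders when `sudo_send_emails` is true the failure shows up only on hosts that enable mail. The template itself cannot sanitise the value without guessing at sudo's quoting rules, so at minimum state the contract where the value is used; a Jinja comment above the block such as `{# sudo_mailto is inserted verbatim inside double quotes; it must not contain '"', '\' or newlines #}` tells the next maintainer what the variable must look like. The rest of the file mirrors a distribution default sudoers (`env_keep`, `secure_path`, the `root` and `%wheel` rules), so no behavioural change is suggested there. One typo in the copied commentary: `# is already set when the the env_reset option is enabled, so` has a doubled "the".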