Import code

Signed-off-by: Radovan Sroka <[email protected]>

.ansible-lint

@@ -21,4 +21,4 @@ exclude_paths:
   - .markdownlint.yaml
   - examples/roles/
 mock_roles:
-  - linux-system-roles.template
+  - linux-system-roles.sudo

README.md

@@ -1,105 +1,308 @@
-# Role Name
+# Sudo
 
-[![ansible-lint.yml](https://github.com/linux-system-roles/template/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/template/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/template/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/template/actions/workflows/ansible-test.yml) [![markdownlint.yml](https://github.com/linux-system-roles/template/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/template/actions/workflows/markdownlint.yml) [![shellcheck.yml](https://github.com/linux-system-roles/template/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/template/actions/workflows/shellcheck.yml) [![woke.yml](https://github.com/linux-system-roles/template/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/template/actions/workflows/woke.yml)
-
-![template](https://github.com/linux-system-roles/template/workflows/tox/badge.svg)
-
-A template for an ansible role that configures some GNU/Linux subsystem or
-service. A brief description of the role goes here.
+Sudo System Role
 
 ## Requirements
 
-Any prerequisites that may not be covered by Ansible itself or the role should
-be mentioned here.  This includes platform dependencies not managed by the
-role, hardware requirements, external collections, etc.  There should be a
-distinction between *control node* requirements (like collections) and
-*managed node* requirements (like special hardware, platform provisioning).
+This role is only supported on RHEL8.1+/CentOS8.1+ and Fedora distributions. Consider reading fapolicyd documentation before setting it up.
 
 ### Collection requirements
 
-For instance, if the role depends on some collections and has a
-`meta/collection-requirements.yml` file for installing those dependencies, and
-in order to manage `rpm-ostree` systems, it should be mentioned here that the
- user should run
+None.
 
-```bash
-ansible-galaxy collection install -vv -r meta/collection-requirements.yml
-```
+## Role Variables
 
-on the *control node* before using the role.
+The defaults defined for this role are based on a default RHEL8.4 `/etc/sudoers` configuration.  Please check the defaults in [`defaults/main.yml`](defaults/main.yml) prior to running for OS compatibility.
 
-## Role Variables
+| Variable Name | Description | Default Value | Variable Type |
+| --- | --- | :---: | :---: |
+| sudo_rewrite_default_sudoers_file | Use role default or user defined `sudoers_files` definition, replacing your distribution supplied `/etc/sudoers` file.  Useful when attempting to deploy new configuration files to the `include_directories` and you do not wish to modify the `/etc/sudoers` file. | True | boolean |
+| sudo_remove_unauthorized_included_files | ***Very Dangerous!*** Each existing sudoer file found in the `include_directories` dictionary which have not been defined in `sudoers_files` will be removed. This allows for enforcing a desired state. | False | boolean |
+| sudo_visudo_path | Fully-qualified path to the `visudo` binary required for validation of sudoers configuration changes. Added for Operating System compatibility. | /usr/sbin/visudo | string |
+| sudo_sudoers_files | Definition of all your sudoers configurations | see [defaults/main.yml](defaults/main.yml)| list of dictionaries |
 
-A description of all input variables (i.e. variables that are defined in
-`defaults/main.yml`) for the role should go here as these form an API of the
-role.  Each variable should have its own section e.g.
+## sudo_sudoers_files Dictionary Fields
 
-### template_foo
+| Variable Name | Description | Variable Type |
+| --- | --- | :---: |
+| path | Where to deploy the configuration file to on the filesystem. | string |
+| aliases | Optional definition of `cmnd_alias`, `host_alias`, `runas_alias`, or `user_alias` items. | dictionary |
+| defaults | This allows you to define the defaults of your sudoers configuration. Default overrides can be perfomed via the [`user_specifications`](#default-override-user_specifications) key.| list |
+| include_files | Optional specific files that you would like your configuration to include.  This is a list of fully-qualified paths to include via the `#include` option of a sudoers configuration. | list |
+| include_directories | Optional specific directories that you would like your configurations to include.  This is a list of fully-qualified paths to directories to include via the `#includedir` option of a sudoers configuration. | list |
+| user_specifications | List of user specifications and default overrides to apply to a sudoers file configuration. | list |
 
-This variable is required.  It is a string that lists the foo of the role.
-There is no default value.
+### sudo_sudoers_files.aliases Dictionary Fields
 
-### template_bar
+| Variable Name | Description | Variable Type |
+| --- | --- | :---: |
+| cmnd_alias | List of command alias definitions. | list of dictionaries |
+| host_alias | List of host alias definitions | list of dictionaries |
+| runas_alias | List of runas alias definitions | list of dictionaries |
+| user_alias | List of user alias definitions | list of dictionaries |
 
-This variable is optional.  It is a boolean that tells the role to disable bar.
-The default value is `true`.
+#### cmnd_alias Dictionary Fields
 
-Variables that are not intended as input, like variables defined in
-`vars/main.yml`, variables that are read from other roles and/or the global
-scope (ie. hostvars, group vars, etc.) can be also mentioned here but keep in
-mind that as these are probably not part of the role API they may change during
-the lifetime.
+| Variable Name | Description | Variable Type |
+| --- | --- | :---: |
+| name | Name of the command alias. | string |
+| commands | List of commands to apply to the alias | list |
 
-Example of setting the variables:
+#### host_alias Dictionary Fields
 
-```yaml
-template_foo: "oof"
-template_bar: false
-```
+| Variable Name | Description | Variable Type |
+| --- | --- | :---: |
+| name | Name of the host alias. | string |
+| hosts | List of hosts to apply to the alias | list |
 
-## Variables Exported by the Role
+#### runas_alias Dictionary Fields
 
-This section is optional.  Some roles may export variables for playbooks to
-use later.  These are analogous to "return values" in Ansible modules.  For
-example, if a role performs some action that will require a system reboot, but
-the user wants to defer the reboot, the role might set a variable like
-`template_reboot_needed: true` that the playbook can use to reboot at a more
-convenient time.
+| Variable Name | Description | Variable Type |
+| --- | --- | :---: |
+| name | Name of the runas alias | string |
+| users | List of users to apply to the alias | list |
 
-Example:
+#### user_alias Dictionary Fields
 
-### template_reboot_needed
+| Variable Name | Description | Variable Type |
+| --- | --- | :---: |
+| name | Name of the user_alias | string |
+| users | List of users to apply to the alias | list |
 
-Default `false` - if `true`, this means a reboot is needed to apply the changes
-made by the role
+### user_specifications Dictionary Fields
+
+This dictionary can be used to assign either user specifications or default overrides.
+
+#### Standard user_specifications
+
+| Variable Name | Description | Variable Type |
+| --- | --- | :---: |
+| users | List of users to apply the specification to. You can use a `user_alias` name as well as user names. | list |
+| hosts | List of hosts to apply the specification to.  You can use a defined `host_alias` name as well as host names. | list |
+| operators | List of operators to apply the specification to. You can use a defined `runas_alias` name as well as user names. | list |
+| selinux_role | Optional selinux role to apply to the specification | list |
+| selinux_type | Optional selinux type to apply to the specification | list |
+| solaris_privs | Optional Solaris privset to apply to the specification | list |
+| solaris_limitprivs | Optional Solaris privset to apply to the specification | list |
+| tags | Optional list of tags to apply to the specification. | list |
+| commands | List of commands to apply the specification to.  You can use a defined `cmnd_alias` name as well as commands. | list |
+
+#### Default Override user_specifications
+
+| Variable Name | Description | Variable Type |
+| --- | --- | :---: |
+| defaults | List of defaults to override from the main configuration | list |
+| type | Type of default to override, this affects the operator in the configuration ( host -> `@`, user -> `:`, command -> `!`, and runas -> `>`).  The type field can be one of the following values: `command`, `host`, `runas`, or `user`. | string |
+| commands | Use when `type: command`.  List of `cmnd_alias` names as well as commands to override specific default values.| list |
+| hosts | Use when `type: host`.  List of `host_alias` names as well as individual host names to override specific default values. | list |
+| operators | Use when `type: runas`. List of `runas_alias` names as well as individual user names to override specific default values. | list |
+| users | Use when `type: user`.  List of `user_alias` names as well as individual user names to override specific default values. | list |
 
 ## Example Playbook
 
-Including an example of how to use your role (for instance, with variables
-passed in as parameters) is always nice for users too:
+```yaml
+---
+- name: Apply a RHEL Default /etc/sudoers configuration
+  hosts: all
+  roles:
+    - role: linux-system-roles.sudo
+```
 
 ```yaml
-- name: Manage the template subsystem
+---
+- name: Apply custom /etc/sudoers configuration
   hosts: all
   vars:
-    template_foo: "foo foo!"
-    template_bar: false
+    sudoers_files:
+      - path: /etc/sudoers
+        user_specifications:
+          - users:
+            - root
+            hosts:
+              - x
+            commands:
+              - /usr/bin/ls
   roles:
-    - linux-system-roles.template
+    - role: linux-system-roles.sudo
 ```
 
-More examples can be provided in the [`examples/`](examples) directory. These
-can be useful, especially for documentation.
-
-## rpm-ostree
+```yaml
+---
+- name: Apply a RHEL Default /etc/sudoers configuration
+  hosts: all
+  vars:
+    sudoers_files:
+      - path: /etc/sudoers
+        defaults:
+          - "!visiblepw"
+          - always_set_home
+          - match_group_by_gid
+          - always_query_group_plugin
+          - env_reset
+          - secure_path:
+            - /sbin
+            - /bin
+            - /usr/sbin
+            - /usr/bin
+          - env_keep:
+            - COLORS
+            - DISPLAY
+            - HOSTNAME
+            - HISTSIZE
+            - KDEDIR
+            - LS_COLORS
+            - MAIL
+            - PS1
+            - PS2
+            - QTDIR
+            - USERNAME
+            - LANG
+            - LC_ADDRESS
+            - LC_CTYPE
+            - LC_COLLATE
+            - LC_IDENTIFICATION
+            - LC_MEASUREMENT
+            - LC_MESSAGES
+            - LC_MONETARY
+            - LC_NAME
+            - LC_NUMERIC
+            - LC_PAPER
+            - LC_TELEPHONE
+            - LC_TIME
+            - LC_ALL
+            - LANGUAGE
+            - LINGUAS
+            - _XKB_CHARSET
+            - XAUTHORITY
+    user_specifications:
+      - users:
+          - root
+        hosts:
+          - ALL
+        operators:
+          - ALL
+        commands:
+          - ALL
+      - users:
+          - "%wheel"
+        hosts:
+          - ALL
+        operators:
+          - ALL
+        commands:
+          - ALL
+    include_directories:
+      - /etc/sudoers.d
+  roles:
+    - role: linux-system-roles.sudo
+```
 
-See README-ostree.md
+```yaml
+---
+- name: Apply a multi-file sudoers configuration
+  hosts: all
+  tasks:
+    - name: Configure /etc/sudoers and included files
+      include_role:
+        name: linux-system-roles.sudo
+      vars:
+        sudoers_rewrite_default_sudoers_file: True
+        sudoers_remove_unauthorized_included_files: True
+        sudoers_backup: True
+        sudoers_backup_path: sudoers-backups
+        sudoers_files:
+          - path: /etc/sudoers
+            defaults:
+              - "!visiblepw"
+              - always_set_home
+              - match_group_by_gid
+              - always_query_group_plugin
+              - env_reset
+              - secure_path:
+                  - /sbin
+                  - /bin
+                  - /usr/sbin
+                  - /usr/bin
+              - env_keep:
+                  - COLORS
+                  - DISPLAY
+                  - HOSTNAME
+                  - HISTSIZE
+                  - KDEDIR
+                  - LS_COLORS
+                  - MAIL
+                  - PS1
+                  - PS2
+                  - QTDIR
+                  - USERNAME
+                  - LANG
+                  - LC_ADDRESS
+                  - LC_CTYPE
+                  - LC_COLLATE
+                  - LC_IDENTIFICATION
+                  - LC_MEASUREMENT
+                  - LC_MESSAGES
+                  - LC_MONETARY
+                  - LC_NAME
+                  - LC_NUMERIC
+                  - LC_PAPER
+                  - LC_TELEPHONE
+                  - LC_TIME
+                  - LC_ALL
+                  - LANGUAGE
+                  - LINGUAS
+                  - _XKB_CHARSET
+                  - XAUTHORITY
+            user_specifications:
+              - users:
+                  - root
+                hosts:
+                  - ALL
+                operators:
+                  - ALL
+                commands:
+                  - ALL
+              - users:
+                  - "%wheel"
+                hosts:
+                  - ALL
+                operators:
+                  - ALL
+                commands:
+                  - ALL
+            include_directories:
+              - /etc/sudoers.d
+            aliases:
+              cmnd_alias:
+                - name: PING
+                  commands:
+                    - /bin/ping
+              user_alias:
+                - name: PINGERS
+                  users:
+                    - ahuffman
+          - path: /etc/sudoers.d/pingers
+            user_specifications:
+              - type: user
+                defaults:
+                  - !requiretty
+                users:
+                  - PINGERS
+          - path: /etc/sudoers.d/root
+            defaults:
+              - syslog=auth
+            user_specifications:
+              - type: runas
+                defaults:
+                  - !set_logname
+                operators:
+                  - root
+```
 
 ## License
 
-Whenever possible, please prefer MIT.
+MIT
 
 ## Author Information
 
-An optional section for the role authors to include contact information, or a
-website (HTML is not allowed).
+Radovan Sroka @rsroka

contributing.md

@@ -1,4 +1,4 @@
-# Contributing to the template Linux System Role
+# Contributing to the Sudo Linux System Role
 
 ## Where to start
 
@@ -12,10 +12,10 @@ This has all of the common information that all role developers need:
 * How to create git commits and submit pull requests
 
 **Bugs and needed implementations** are listed on
-[Github Issues](https://github.com/linux-system-roles/template/issues).
+[Github Issues](https://github.com/linux-system-roles/sudo/issues).
 Issues labeled with
-[**help wanted**](https://github.com/linux-system-roles/template/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22)
+[**help wanted**](https://github.com/linux-system-roles/sudo/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22)
 are likely to be suitable for new contributors!
 
-**Code** is managed on [Github](https://github.com/linux-system-roles/template), using
+**Code** is managed on [Github](https://github.com/linux-system-roles/sudo), using
 [Pull Requests](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/about-pull-requests).