feat: import code
Signed-off-by: Radovan Sroka <[email protected]>
radosroka committed May 17, 2024
1 parent 667cde3 commit fc993fc
Showing 26 changed files with 840 additions and 181 deletions.
2 changes: 1 addition & 1 deletion .ansible-lint
Expand Up @@ -21,4 +21,4 @@ exclude_paths:
- .markdownlint.yaml
- examples/roles/
mock_roles:
- linux-system-roles.template
- linux-system-roles.sudo
336 changes: 271 additions & 65 deletions README.md
@@ -1,105 +1,311 @@
# Role Name
# Sudo

[![ansible-lint.yml](https://github.com/linux-system-roles/template/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/template/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/template/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/template/actions/workflows/ansible-test.yml) [![markdownlint.yml](https://github.com/linux-system-roles/template/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/template/actions/workflows/markdownlint.yml) [![shellcheck.yml](https://github.com/linux-system-roles/template/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/template/actions/workflows/shellcheck.yml) [![woke.yml](https://github.com/linux-system-roles/template/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/template/actions/workflows/woke.yml)

![template](https://github.com/linux-system-roles/template/workflows/tox/badge.svg)

A template for an ansible role that configures some GNU/Linux subsystem or
service. A brief description of the role goes here.
Sudo System Role

## Requirements

Any prerequisites that may not be covered by Ansible itself or the role should
be mentioned here. This includes platform dependencies not managed by the
role, hardware requirements, external collections, etc. There should be a
distinction between *control node* requirements (like collections) and
*managed node* requirements (like special hardware, platform provisioning).
This role is only supported on RHEL8+ and Fedora distributions. Consider reading sudo documentation before setting it up.

### Collection requirements

For instance, if the role depends on some collections and has a
`meta/collection-requirements.yml` file for installing those dependencies, and
in order to manage `rpm-ostree` systems, it should be mentioned here that the
user should run
None.

```bash
ansible-galaxy collection install -vv -r meta/collection-requirements.yml
```
## Role Variables

on the *control node* before using the role.
The defaults defined for this role are based on a default RHEL8.4 `/etc/sudoers` configuration. Please check the defaults in [`defaults/main.yml`](defaults/main.yml) prior to running for OS compatibility.

## Role Variables
### sudo_rewrite_default_sudoers_file

A description of all input variables (i.e. variables that are defined in
`defaults/main.yml`) for the role should go here as these form an API of the
role. Each variable should have its own section e.g.
Use role default or user defined `sudoers_files` definition, replacing your distribution supplied `/etc/sudoers` file. Useful when attempting to deploy new configuration files to the `include_directories` and you do not wish to modify the `/etc/sudoers` file. | True | boolean |

### template_foo
### sudo_remove_unauthorized_included_files

This variable is required. It is a string that lists the foo of the role.
There is no default value.
***Dangerous!*** Each existing sudoers file found in the `include_directories` dictionary which have not been defined in `sudoers_files` will be removed. This allows for enforcing a desired state. | False | boolean |

### template_bar
### sudo_visudo_path

This variable is optional. It is a boolean that tells the role to disable bar.
The default value is `true`.
Fully-qualified path to the `visudo` binary required for validation of sudoers configuration changes. Added for Operating System compatibility. | /usr/sbin/visudo | string |

Variables that are not intended as input, like variables defined in
`vars/main.yml`, variables that are read from other roles and/or the global
scope (ie. hostvars, group vars, etc.) can be also mentioned here but keep in
mind that as these are probably not part of the role API they may change during
the lifetime.
### sudo_sudoers_files

Example of setting the variables:
Definition of all your sudoers configurations | see [defaults/main.yml](defaults/main.yml)| list of dictionaries |

```yaml
template_foo: "oof"
template_bar: false
```
#### path

Where to deploy the configuration file to on the filesystem. | string |

#### aliases

Optional definition of `cmnd_alias`, `host_alias`, `runas_alias`, or `user_alias` items. | dictionary |

#### defaults

This allows you to define the defaults of your sudoers configuration. Default overrides can be perfomed via the [`user_specifications`](#default-override-user_specifications) key.| list |

#### include_files

Optional specific files that you would like your configuration to include. This is a list of fully-qualified paths to include via the `#include` option of a sudoers configuration. | list |

#### include_directories

Optional specific directories that you would like your configurations to include. This is a list of fully-qualified paths to directories to include via the `#includedir` option of a sudoers configuration. | list |

#### user_specifications

List of user specifications and default overrides to apply to a sudoers file configuration. | list |

### sudo_sudoers_files aliases

This dictionary can be used to assign either user specifications or default overrides.

#### cmnd_alias

## Variables Exported by the Role
`name` Name of the command alias and commands. | string |
`commands` List of commands to apply to the alias | list |

This section is optional. Some roles may export variables for playbooks to
use later. These are analogous to "return values" in Ansible modules. For
example, if a role performs some action that will require a system reboot, but
the user wants to defer the reboot, the role might set a variable like
`template_reboot_needed: true` that the playbook can use to reboot at a more
convenient time.
#### host_alias

Example:
`name` Name of the host alias. | string |
`hosts` List of hosts to apply to the alias | list |

### template_reboot_needed
#### runas_alias

Default `false` - if `true`, this means a reboot is needed to apply the changes
made by the role
`name` Name of the runas alias | string |
`users` List of users to apply to the alias | list |

#### user_alias

`name` Name of the user_alias | string |
`users` List of users to apply to the alias | list |

### Other user_specifications

#### Standard user_specifications

`users` List of users to apply the specification to. You can use a `user_alias` name as well as user names. | list |
`hosts` List of hosts to apply the specification to. You can use a defined `host_alias` name as well as host names. | list |
`operators` List of operators to apply the specification to. You can use a defined `runas_alias` name as well as user names. | list |
`selinux_role` Optional selinux role to apply to the specification | list |
`selinux_type` Optional selinux type to apply to the specification | list |
`solaris_privs` Optional Solaris privset to apply to the specification | list |
`solaris_limitprivs` Optional Solaris privset to apply to the specification | list |
`tags` Optional list of tags to apply to the specification. | list |
`commands` List of commands to apply the specification to. You can use a defined `cmnd_alias` name as well as commands. | list |

#### Default Override user_specifications

`defaults` List of defaults to override from the main configuration | list |
`type` Type of default to override, this affects the operator in the configuration ( host -> `@`, user -> `:`, command -> `!`, and runas -> `>`). The type field can be one of the following values: `command`, `host`, `runas`, or `user`. | string |
`commands` Use when `type: command`. List of `cmnd_alias` names as well as commands to override specific default values.| list |
`hosts` Use when `type: host`. List of `host_alias` names as well as individual host names to override specific default values. | list |
`operators` Use when `type: runas`. List of `runas_alias` names as well as individual user names to override specific default values. | list |
`users` Use when `type: user`. List of `user_alias` names as well as individual user names to override specific default values. | list |

## Example Playbook

Including an example of how to use your role (for instance, with variables
passed in as parameters) is always nice for users too:
```yaml
---
- name: Apply a RHEL Default /etc/sudoers configuration
hosts: all
roles:
- role: linux-system-roles.sudo
```
```yaml
- name: Manage the template subsystem
---
- name: Apply custom /etc/sudoers configuration
hosts: all
vars:
template_foo: "foo foo!"
template_bar: false
sudoers_files:
- path: /etc/sudoers
user_specifications:
- users:
- root
hosts:
- x
commands:
- /usr/bin/ls
roles:
- linux-system-roles.template
- role: linux-system-roles.sudo
```
More examples can be provided in the [`examples/`](examples) directory. These
can be useful, especially for documentation.

## rpm-ostree
```yaml
---
- name: Apply a RHEL Default /etc/sudoers configuration
hosts: all
vars:
sudoers_files:
- path: /etc/sudoers
defaults:
- "!visiblepw"
- always_set_home
- match_group_by_gid
- always_query_group_plugin
- env_reset
- secure_path:
- /sbin
- /bin
- /usr/sbin
- /usr/bin
- env_keep:
- COLORS
- DISPLAY
- HOSTNAME
- HISTSIZE
- KDEDIR
- LS_COLORS
- MAIL
- PS1
- PS2
- QTDIR
- USERNAME
- LANG
- LC_ADDRESS
- LC_CTYPE
- LC_COLLATE
- LC_IDENTIFICATION
- LC_MEASUREMENT
- LC_MESSAGES
- LC_MONETARY
- LC_NAME
- LC_NUMERIC
- LC_PAPER
- LC_TELEPHONE
- LC_TIME
- LC_ALL
- LANGUAGE
- LINGUAS
- _XKB_CHARSET
- XAUTHORITY
user_specifications:
- users:
- root
hosts:
- ALL
operators:
- ALL
commands:
- ALL
- users:
- "%wheel"
hosts:
- ALL
operators:
- ALL
commands:
- ALL
include_directories:
- /etc/sudoers.d
roles:
- role: linux-system-roles.sudo
```
See README-ostree.md
```yaml
---
- name: Apply a multi-file sudoers configuration
hosts: all
tasks:
- name: Configure /etc/sudoers and included files
include_role:
name: linux-system-roles.sudo
vars:
sudoers_rewrite_default_sudoers_file: True
sudoers_remove_unauthorized_included_files: True
sudoers_backup: True
sudoers_backup_path: sudoers-backups
sudoers_files:
- path: /etc/sudoers
defaults:
- "!visiblepw"
- always_set_home
- match_group_by_gid
- always_query_group_plugin
- env_reset
- secure_path:
- /sbin
- /bin
- /usr/sbin
- /usr/bin
- env_keep:
- COLORS
- DISPLAY
- HOSTNAME
- HISTSIZE
- KDEDIR
- LS_COLORS
- MAIL
- PS1
- PS2
- QTDIR
- USERNAME
- LANG
- LC_ADDRESS
- LC_CTYPE
- LC_COLLATE
- LC_IDENTIFICATION
- LC_MEASUREMENT
- LC_MESSAGES
- LC_MONETARY
- LC_NAME
- LC_NUMERIC
- LC_PAPER
- LC_TELEPHONE
- LC_TIME
- LC_ALL
- LANGUAGE
- LINGUAS
- _XKB_CHARSET
- XAUTHORITY
user_specifications:
- users:
- root
hosts:
- ALL
operators:
- ALL
commands:
- ALL
- users:
- "%wheel"
hosts:
- ALL
operators:
- ALL
commands:
- ALL
include_directories:
- /etc/sudoers.d
aliases:
cmnd_alias:
- name: PING
commands:
- /bin/ping
user_alias:
- name: PINGERS
users:
- ahuffman
- path: /etc/sudoers.d/pingers
user_specifications:
- type: user
defaults:
- "!requiretty"
users:
- PINGERS
- path: /etc/sudoers.d/root
defaults:
- syslog=auth
user_specifications:
- type: runas
defaults:
- "!set_logname"
operators:
- root
```
## License
Whenever possible, please prefer MIT.
MIT
## Author Information
An optional section for the role authors to include contact information, or a
website (HTML is not allowed).
Radovan Sroka @rsroka
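Review bot: the example playbooks set variables under names that the Role Variables section does not document, so as written they would not take effect. The headings document `sudo_rewrite_default_sudoers_file`, `sudo_remove_unauthorized_included_files`, `sudo_visudo_path` and `sudo_sudoers_files`, but the examples set `sudoers_files`, `sudoers_rewrite_default_sudoers_file: True` and `sudoers_remove_unauthorized_included_files: True`. Pick one prefix (the `sudo_` prefix matches the headings and the linux-system-roles convention) and use it in every example; otherwise a user running the "Apply custom /etc/sudoers configuration" playbook gets the role's default sudoers file (since `sudo_rewrite_default_sudoers_file` defaults to `True`) instead of the file they wrote, and `sudo_remove_unauthorized_included_files` silently stays `False`. The multi-file example also sets `sudoers_backup` and `sudoers_backup_path`, which do not appear under Role Variables at all; either document them with defaults and types or drop them from the example. The custom example deserves a warning too: `users: [root]`, `hosts: [x]`, `commands: [/usr/bin/ls]` produces a single `root x = /usr/bin/ls` rule, and because the role rewrites `/etc/sudoers` by default, the `%wheel ALL=(ALL) ALL` rule is gone, which locks every non-root admin out of sudo on the managed hosts. Smaller points: the variable descriptions end in orphaned table cells such as `| True | boolean |`, `| False | boolean |` and `| /usr/sbin/visudo | string |` left over from a flattened table, so state the default and type in prose under each heading; `include_directories` is described as a dictionary in the `sudo_remove_unauthorized_included_files` text but typed as a list in its own section; "perfomed" should be "performed"; and the rpm-ostree section points at `README-ostree.md`, which is not among the files visible here, so confirm it is added in this commit.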