DeadSwitch 2777993975

SUDO Role

ds_sudo

This role manages sudo installation and configuration on Debian-based systems. It ensures a minimal, safe /etc/sudoers baseline, while delegating all privilege management into /etc/sudoers.d/ files.

Validation is enforced with visudo -cf to prevent lockouts.

User and group definitions are collected from ds_users:

  • Users may have a sudo branch in user_data.
  • Groups may have a sudo branch in group_data.
  • Groups referenced in user_data.groups are created by ds_users and can then be granted sudo privileges here.

Features

  • Installs the sudo package if missing.
  • Configures per-user sudo access.
  • Configures per-group sudo access.
  • Supports NOPASSWD:ALL (use with care).
  • Supports NOPASSWD for restricted command lists.
  • Ensures all generated files are validated with visudo -cf.

Variables

user_data

Consumed from ds_users. Only the sudo branch is used here.

user_data:
  user1:
    ssh_key: "ssh-rsa ..."
    groups:
      - ansible
    sudo:               # This branch is used
      type: nopasswd    # for per-user sudo config
      commands: all

group_data

Consumed from ds_users. Only the sudo branch is used here.

group_data:
  ansible:
    sudo:               # This branch is used
      type: nopasswd    # for per-group sudo config
      commands: all

Examples

Restricted sudo for a user

user_data:
  admin:
    ssh_key: "ssh-rsa ..."
    groups:
      - wheel
    sudo:
      type: nopasswd
      commands:
        - /usr/bin/systemctl
        - /usr/sbin/adduser
        - /usr/sbin/addgroup

Full sudo for a group

group_data:
  ansible:
    sudo:
      type: nopasswd
      commands: all

Safety

  • All files are placed under /etc/sudoers.d/ with mode 0440.
  • Every change is validated with visudo -cf %s.
  • The main /etc/sudoers remains minimal and untouched.
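The data model above (a sudo branch with type and commands, per user or per group) and the safety rules can be exercised outside Ansible. The following is an added illustration, not the ds_sudo role's own Jinja template: the exact sudoers line layout and the fragment file names are assumptions, while the visudo -cf check and the 0440 mode come from this README.

```python
"""Render /etc/sudoers.d/ fragments from ds_users-style data and validate them."""
import shutil
import subprocess
import tempfile
from typing import Dict

SUDOERS_D = "/etc/sudoers.d"
FRAGMENT_MODE = 0o440  # mode the role gives every generated file

# Constructed sample data mirroring the README examples (not from the role).
USER_DATA = {
    "admin": {"ssh_key": "ssh-rsa ...", "groups": ["wheel"],
              "sudo": {"type": "nopasswd",
                       "commands": ["/usr/bin/systemctl", "/usr/sbin/adduser",
                                    "/usr/sbin/addgroup"]}},
    "user2": {"groups": ["ansible"]},  # no sudo branch -> no fragment written
}
GROUP_DATA = {"ansible": {"sudo": {"type": "nopasswd", "commands": "all"}}}


def render_entry(principal: str, sudo: dict, is_group: bool = False) -> str:
    """One sudoers line (assumed layout). `type: nopasswd` adds the NOPASSWD: tag;
    any other type keeps the password prompt. `commands: all` becomes ALL; a list
    becomes comma-separated absolute paths (sudoers matches commands by full path,
    so relative names are rejected before visudo ever sees them)."""
    commands = sudo.get("commands", [])
    if commands == "all":
        spec = "ALL"
    else:
        if not commands:
            raise ValueError(f"{principal}: sudo branch lists no commands")
        bad = [c for c in commands if not c.startswith("/")]
        if bad:
            raise ValueError(f"{principal}: commands must be absolute paths: {bad}")
        spec = ", ".join(commands)
    tag = "NOPASSWD: " if sudo.get("type") == "nopasswd" else ""
    who = f"%{principal}" if is_group else principal
    return f"{who} ALL=(ALL) {tag}{spec}"


def render_fragments(user_data: dict, group_data: dict) -> Dict[str, str]:
    """Map fragment path -> content; one file per principal that has a sudo branch."""
    out = {}
    for user, data in user_data.items():
        if "sudo" in data:
            out[f"{SUDOERS_D}/{user}"] = render_entry(user, data["sudo"]) + "\n"
    for group, data in group_data.items():
        if "sudo" in data:
            out[f"{SUDOERS_D}/group_{group}"] = render_entry(group, data["sudo"], True) + "\n"
    return out


def visudo_check(content: str):
    """Run `visudo -cf <file>` on a temporary copy, as the role does before installing.
    Returns True/False for the syntax result, or None when visudo is not installed."""
    if shutil.which("visudo") is None:
        return None
    with tempfile.NamedTemporaryFile("w", suffix=".sudoers") as tmp:
        tmp.write(content)
        tmp.flush()
        return subprocess.run(["visudo", "-cf", tmp.name], capture_output=True).returncode == 0
```

Running visudo_check requires sudo to be installed on the machine that renders the fragments; the rendering itself has no such dependency.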

License

MIT.

[Fear the Silence. Fear the Switch.]

Description
This Ansible role sets up the sudo permissions of users and groups.