SUDO Role
ds_sudo
This role manages sudo installation and configuration on Debian-based systems.
It ensures a minimal, safe /etc/sudoers baseline, while delegating all privilege management into /etc/sudoers.d/ files.
Validation is enforced with visudo -cf to prevent lockouts.
User and group definitions are collected from ds_users:
- Users may have a sudo branch in user_data.
- Groups may have a sudo branch in group_data.
- Groups referenced in user_data.groups are created by ds_users and can then be granted sudo privileges here.
Features
- Installs the sudo package if missing.
- Configures per-user sudo access.
- Configures per-group sudo access.
- Supports NOPASSWD:ALL (use with care).
- Supports NOPASSWD for restricted command lists.
- Ensures all generated files are validated with visudo -cf.
Variables
user_data
Consumed from ds_users. Only the sudo branch is used here.
user_data:
  user1:
    ssh_key: "ssh-rsa ..."
    groups:
      - ansible
    sudo:               # This branch is used
      type: nopasswd    # for per-user sudo config
      commands: all
group_data
Consumed from ds_users. Only the sudo branch is used here.
group_data:
  ansible:
    sudo:               # This branch is used
      type: nopasswd    # for per-group sudo config
      commands: all
Examples
Restricted sudo for a user
user_data:
  admin:
    ssh_key: "ssh-rsa ..."
    groups:
      - wheel
    sudo:
      type: nopasswd
      commands:
        - /usr/bin/systemctl
        - /usr/sbin/adduser
        - /usr/sbin/addgroup
Full sudo for a group
group_data:
  ansible:
    sudo:
      type: nopasswd
      commands: all
Safety
- All files are placed under /etc/sudoers.d/ with mode 0440.
- Every change is validated with visudo -cf %s.
- The main /etc/sudoers remains minimal and untouched.
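A pre-flight check that can be run over user_data and group_data before the role renders anything, so that a passwordless ALL grant or a command without an absolute path shows up in review rather than as a visudo -cf failure on the host. This is an added example, not part of the role: the audit function, the deploy user and the rendered rule format are assumptions and do not reproduce the role's template.

```python
"""Audit the sudo branches of ds_users-style data (added example, not role code)."""

# Constructed sample mirroring the README examples; "deploy" is hypothetical.
user_data = {
    "admin": {"groups": ["wheel"],
              "sudo": {"type": "nopasswd",
                       "commands": ["/usr/bin/systemctl", "/usr/sbin/adduser",
                                    "/usr/sbin/addgroup"]}},
    "deploy": {"sudo": {"type": "nopasswd", "commands": ["systemctl restart app"]}},
    "user1": {"groups": ["ansible"]},  # no sudo branch, so it is skipped
}
group_data = {"ansible": {"sudo": {"type": "nopasswd", "commands": "all"}}}


def audit(data, is_group=False):
    """Return (rules, findings) for every entry that carries a sudo branch."""
    rules, findings = [], []
    for name, entry in sorted(data.items()):
        sudo = (entry or {}).get("sudo")
        if not sudo:
            continue
        who = ("%" if is_group else "") + name  # sudoers marks groups with %
        tag = "NOPASSWD: " if sudo.get("type") == "nopasswd" else ""
        cmds = sudo.get("commands")
        if cmds == "all":
            if tag:
                findings.append(f"{who}: NOPASSWD:ALL grants passwordless root")
            rules.append(f"{who} ALL=(ALL) {tag}ALL")
            continue
        if not isinstance(cmds, list) or not cmds:
            findings.append(f"{who}: commands must be 'all' or a non-empty list")
            continue
        # sudoers only accepts fully qualified command paths.
        bad = [c for c in cmds if not str(c).startswith("/")]
        if bad:
            findings.append(f"{who}: not an absolute path: {bad}")
            continue
        rules.append(f"{who} ALL=(ALL) {tag}{', '.join(cmds)}")
    return rules, findings


if __name__ == "__main__":
    for data, is_group in ((user_data, False), (group_data, True)):
        rules, findings = audit(data, is_group)
        print("\n".join(rules + ["! " + f for f in findings]))
```

Entries that produce a finding other than the NOPASSWD:ALL warning yield no rule, so a bad entry never reaches the rendered output.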
License
MIT.
[Fear the Silence. Fear the Switch.]