Add new role, 'debops.sudo'

parent f76fd269
......@@ -1207,6 +1207,14 @@ stages:
JANE_DIFF_PATTERN: '.*/debops.stunnel/.*'
JANE_LOG_PATTERN: '\[debops\.stunnel\]'
'sudo role':
<<: *test_role_no_deps
variables:
JANE_TEST_PLAY: '${DEBOPS_PLAYBOOKS}/service/sudo.yml'
JANE_INVENTORY_GROUPS: 'debops_service_sudo'
JANE_DIFF_PATTERN: '.*/debops.sudo/.*'
JANE_LOG_PATTERN: '\[debops\.sudo\]'
'swapfile role':
<<: *test_role_no_deps
variables:
......
......@@ -18,6 +18,14 @@ You can read information about required changes between releases in the
.. _debops master: https://github.com/debops/debops/compare/v0.7.2...master
Added
~~~~~
- New DebOps roles:
- :ref:`debops.sudo`: install and manage :command:`sudo` configuration on
a host.
`debops v0.7.2`_ - 2018-03-28
-----------------------------
......
---
- name: Configure sudo service
hosts: [ 'debops_all_hosts', 'debops_service_sudo' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
roles:
- role: debops.sudo
tags: [ 'role::sudo' ]
debops.sudo - Configure 'sudo' support using Ansible
Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
Copyright (C) 2018 DebOps https://debops.org/
This Ansible role is part of DebOps.
DebOps is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 3, as
published by the Free Software Foundation.
DebOps is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with DebOps. If not, see https://www.gnu.org/licenses/.
---
# .. vim: foldmarker=[[[,]]]:foldmethod=marker
# debops.sudo default variables
# =============================
# .. contents:: Sections
# :local:
# General configuration [[[
# -------------------------
# .. envvar:: sudo__enabled [[[
#
# Enable or disable support for :command:`sudo` management on a host.
sudo__enabled: True
# ]]]
# .. envvar:: sudo__base_packages [[[
#
# List of base APT packages to install for :command:`sudo` support.
sudo__base_packages: '{{ [ "sudo-ldap" ]
if (ansible_local|d() and ansible_local.ldap|d() and
(ansible_local.ldap.enabled|d())|bool)
else [ "sudo" ] }}'
# ]]]
# .. envvar:: sudo__packages [[[
#
# List of additional APT packages to install with :command:`sudo` command.
sudo__packages: []
# ]]]
# .. envvar:: sudo__logind_session [[[
#
# Enable or disable a workaround for :command:`sudo` login session not having
# a ``$XDG_RUNTIME_DIR`` environment variable set. This allows control over
# another user's :command:`systemd` instance.
sudo__logind_session: True
# ]]]
# ]]]
---
dependencies: []
galaxy_info:
author: 'Maciej Delmanowski'
description: 'Configure sudo support on a host'
company: 'DebOps'
license: 'GPL-3.0'
min_ansible_version: '2.4.0'
platforms:
- name: Ubuntu
versions:
- xenial
- bionic
- name: Debian
versions:
- jessie
- stretch
- buster
galaxy_tags:
- sudo
- authentication
- authorization
- security
---
- name: Install required packages
package:
name: '{{ item }}'
state: 'present'
with_flattened:
- '{{ sudo__base_packages }}'
- '{{ sudo__packages }}'
when: sudo__enabled|bool
- name: Configure workaround for logind sessions via sudo
template:
src: 'etc/profile.d/sudo_logind_session.sh.j2'
dest: '/etc/profile.d/sudo_logind_session.sh'
owner: 'root'
group: 'root'
mode: '0644'
when: sudo__enabled|bool and sudo__logind_session|bool
- name: Make sure that Ansible local facts directory exists
file:
path: '/etc/ansible/facts.d'
state: 'directory'
owner: 'root'
group: 'root'
mode: '0755'
- name: Save sudo local facts
template:
src: 'etc/ansible/facts.d/sudo.fact.j2'
dest: '/etc/ansible/facts.d/sudo.fact'
owner: 'root'
group: 'root'
mode: '0755'
register: sudo__register_facts
- name: Update Ansible facts if they were modified
action: setup
when: sudo__register_facts is changed
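Review bot: the two local-facts tasks ('Make sure that Ansible local facts directory exists' and 'Save sudo local facts') carry no `when: sudo__enabled|bool` guard, unlike the package and template tasks above them, so a host with `sudo__enabled: False` still receives `/etc/ansible/facts.d/sudo.fact` reporting `installed: True` even though nothing was installed. Either add the same condition to both tasks or make the fact reflect the real state. Minor: a short comment that `mode: '0755'` on the fact file is required because the fact is an executable script would help the next reader.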
#!/usr/bin/env python
# {{ ansible_managed }}
from __future__ import print_function
from json import dumps
from sys import exit
output = {'installed': True}
print(dumps(output, sort_keys=True, indent=2))
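Review bot: `from sys import exit` is imported but never used; drop it. The script also hardcodes `output = {'installed': True}`, so the fact can never report anything else once the template is in place; if the key is meant to describe the actual host state rather than "the role ran", it should check for the binary (or at least the key name should say what it records).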
# {{ ansible_managed }}
# Workaround for missing XDG_RUNTIME_DIR environment variable in interactive
# login sessions. This assumes that an existing user session is present, for
# example when a given UNIX account is configured to "linger" in logind.
#
# This workaround allows control over another user's 'systemd' instance, when
# accessed via 'sudo' login session, for example:
#
# sudo -u <user> -l
#
# The 'pam_systemd.so' PAM module will not help in this case because an
# existing login session is present and the module refuses to create a new one.
# More details: https://bugs.debian.org/825949, https://github.com/systemd/systemd/issues/7451
if [ "${EUID}" -ne 0 ] && [ -n "${SUDO_USER}" ] && [ -z "${XDG_RUNTIME_DIR}" ] ; then
XDG_RUNTIME_DIR="/run/user/${UID}"
export XDG_RUNTIME_DIR
fi
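Review bot: `${EUID}` and `${UID}` are bash-specific variables that POSIX sh does not set, and `/etc/profile.d/*.sh` is sourced by `/etc/profile` for any login shell, so under dash the test expands to `[ "" -ne 0 ]` and prints an "Illegal number" error on every login instead of applying the workaround; use `id -u` for both (e.g. `_uid="$(id -u)"`, then `[ "${_uid}" -ne 0 ]` and `/run/user/${_uid}`). Since the header comment states the workaround assumes an existing (lingering) session, also guard the export with `[ -d "/run/user/${_uid}" ]` so the variable is not pointed at a directory that does not exist. Finally, the example `sudo -u <user> -l` lists the target user's sudo privileges rather than opening a login session; `sudo -u <user> -i` is what the comment describes.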
......@@ -229,6 +229,7 @@ Security
- :ref:`debops.ferm`
- :ref:`debops.proc_hidepid`
- :ref:`debops.sshd`
- :ref:`debops.sudo`
- :ref:`debops.tcpwrappers`
- ``debops-contrib.apparmor``
- ``debops-contrib.firejail``
......
Getting started
===============
.. contents::
:local:
Example inventory
-----------------
The ``debops.sudo`` role is included by default in the ``common.yml`` DebOps
playbook; you don't need to add hosts to any Ansible groups to enable it.
Example playbook
----------------
If you are using this role without DebOps, here's an example Ansible playbook
that uses the ``debops.sudo`` role:
.. literalinclude:: ../../../../ansible/playbooks/service/sudo.yml
:language: yaml
Ansible tags
------------
You can use Ansible ``--tags`` or ``--skip-tags`` parameters to limit what
tasks are performed during Ansible run. This can be used after a host was first
configured to speed up playbook execution, when you are sure that most of the
configuration is already in the desired state.
Available role tags:
``role::sudo``
Main role tag, should be used in the playbook to execute all of the role
tasks as well as role dependencies.
Other resources
---------------
List of other useful resources related to the ``debops.sudo`` Ansible role:
- Manual pages: :man:`sudo(8)`, :man:`sudoers(5)`
.. _debops.sudo:
debops.sudo
===========
The ``debops.sudo`` role can be used to ensure that :command:`sudo` is
supported on a host. The role will automatically install ``sudo-ldap`` APT
package if LDAP support is detected on a host, otherwise a normal ``sudo`` APT
package will be installed.
.. toctree::
:maxdepth: 2
getting-started
defaults
Copyright
---------
.. literalinclude:: ../../../../ansible/roles/debops.sudo/COPYRIGHT
..
Local Variables:
mode: rst
ispell-local-dictionary: "american"
End: