Add new role, 'debops.sudo'

parent f76fd269
......@@ -1207,6 +1207,14 @@ stages:
JANE_DIFF_PATTERN: '.*/debops.stunnel/.*'
JANE_LOG_PATTERN: '\[debops\.stunnel\]'
'sudo role':
<<: *test_role_no_deps
JANE_TEST_PLAY: '${DEBOPS_PLAYBOOKS}/service/sudo.yml'
JANE_INVENTORY_GROUPS: 'debops_service_sudo'
JANE_DIFF_PATTERN: '.*/debops.sudo/.*'
JANE_LOG_PATTERN: '\[debops\.sudo\]'
'swapfile role':
<<: *test_role_no_deps
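Review bot: The `*test_role_no_deps` anchor is the right choice for this job, since the new role's meta/main.yml declares `dependencies: []`, and the `JANE_INVENTORY_GROUPS: 'debops_service_sudo'` value matches the group the playbook targets in `hosts: [ 'debops_all_hosts', 'debops_service_sudo' ]`; the entry also keeps the alphabetical order between the stunnel and swapfile jobs, so nothing to change here.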
......@@ -18,6 +18,14 @@ You can read information about required changes between releases in the
.. _debops master:
- New DebOps roles:
- :ref:`debops.sudo`: install and manage :command:`sudo` configuration on
a host.
`debops v0.7.2`_ - 2018-03-28
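Review bot: The changelog entry only mentions installing and managing sudo configuration, but the role also installs a profile.d script on every host (sudo__logind_session defaults to True, and the role is part of the default common.yml playbook) that works around the missing XDG_RUNTIME_DIR inside sudo login sessions; since that alters the login environment of every sudo user, consider adding a sentence about it here, naming sudo__logind_session as the switch for operators who want to opt out.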
- name: Configure sudo service
hosts: [ 'debops_all_hosts', 'debops_service_sudo' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
- role: debops.sudo
tags: [ 'role::sudo' ]
debops.sudo - Configure 'sudo' support using Ansible
Copyright (C) 2018 Maciej Delmanowski <>
Copyright (C) 2018 DebOps
This Ansible role is part of DebOps.
DebOps is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 3, as
published by the Free Software Foundation.
DebOps is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with DebOps. If not, see
# .. vim: foldmarker=[[[,]]]:foldmethod=marker
# debops.sudo default variables
# =============================
# .. contents:: Sections
# :local:
# General configuration [[[
# -------------------------
# .. envvar:: sudo__enabled [[[
# Enable or disable support for :command:`sudo` management on a host.
sudo__enabled: True
# ]]]
# .. envvar:: sudo__base_packages [[[
# List of base APT packages to install for :command:`sudo` support.
sudo__base_packages: '{{ [ "sudo-ldap" ]
if (ansible_local|d() and ansible_local.ldap|d() and
else [ "sudo" ] }}'
# ]]]
# .. envvar:: sudo__packages [[[
# List of additional APT packages to install with :command:`sudo` command.
sudo__packages: []
# ]]]
# .. envvar:: sudo__logind_session [[[
# Enable or disable a workaround for :command:`sudo` login session not having
# a ``$XDG_RUNTIME_DIR`` environment variable set. This allows control over
# another user's :command:`systemd` instance.
sudo__logind_session: True
# ]]]
# ]]]
dependencies: []
author: 'Maciej Delmanowski'
description: 'Configure sudo support on a host'
company: 'DebOps'
license: 'GPL-3.0'
min_ansible_version: '2.4.0'
- name: Ubuntu
- xenial
- bionic
- name: Debian
- jessie
- stretch
- buster
- sudo
- authentication
- authorization
- security
- name: Install required packages
name: '{{ item }}'
state: 'present'
- '{{ sudo__base_packages }}'
- '{{ sudo__packages }}'
when: sudo__enabled|bool
- name: Configure workaround for logind sessions via sudo
src: 'etc/profile.d/'
dest: '/etc/profile.d/'
owner: 'root'
group: 'root'
mode: '0644'
when: sudo__enabled|bool and sudo__logind_session|bool
- name: Make sure that Ansible local facts directory exists
path: '/etc/ansible/facts.d'
state: 'directory'
owner: 'root'
group: 'root'
mode: '0755'
- name: Save sudo local facts
src: 'etc/ansible/facts.d/sudo.fact.j2'
dest: '/etc/ansible/facts.d/sudo.fact'
owner: 'root'
group: 'root'
mode: '0755'
register: sudo__register_facts
- name: Update Ansible facts if they were modified
action: setup
when: sudo__register_facts is changed
#!/usr/bin/env python
# {{ ansible_managed }}
from __future__ import print_function
from json import dumps
from sys import exit
output = {'installed': True}
print(dumps(output, sort_keys=True, indent=2))
# {{ ansible_managed }}
# Workaround for missing XDG_RUNTIME_DIR environment variable in interactive
# login sessions. This assumes that an existing user session is present, for
# example when a given UNIX account is configured to "linger" in logind.
# This workaround allows control over another user's 'systemd' instance, when
# accessed via 'sudo' login session, for example:
# sudo -u <user> -l
# The '' PAM module will not help in this case because an
# existing login session is present and the module refuses to create a new one.
# More details:,
if [ "${EUID}" -ne 0 ] && [ -n "${SUDO_USER}" ] && [ -z "${XDG_RUNTIME_DIR}" ] ; then
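The body of the if statement above is cut off in this rendering. As an added example, not the profile.d file shipped by this commit, here is the same three-way test wrapped in a function with constructed inputs, plus the existence check a practitioner would want before exporting anything; it assumes logind's per-user runtime directory layout of <base>/<uid>, with /run/user as the default base.

```shell
#!/bin/sh
# Added example, not the profile.d script from the commit: the same decision
# as the snippet's 'if' test, as a function so edge cases can be exercised
# without being root. Assumes, as logind does, that the per-user runtime
# directory lives at <base>/<uid>.
#
# Usage: sudo_session_runtime_dir EUID SUDO_USER CURRENT_XDG_RUNTIME_DIR [BASE]
# Prints the directory to export; prints nothing when the environment should
# be left alone; returns 1 when the target user has no running session.
sudo_session_runtime_dir() {
    euid="$1" sudo_user="$2" current="$3" base="${4:-/run/user}"
    # Root's own shell: the snippet does nothing.
    [ "$euid" -ne 0 ] || return 0
    # Not inside a sudo session: nothing to fix.
    [ -n "$sudo_user" ] || return 0
    # Already set (for example by pam_systemd in a fresh session): keep it.
    [ -z "$current" ] || return 0
    dir="$base/$euid"
    # The workaround only helps when a session for the target user already
    # exists (for example via 'loginctl enable-linger'); otherwise the
    # directory is absent and exporting it would only produce confusing
    # 'systemctl --user' errors.
    [ -d "$dir" ] || return 1
    printf '%s\n' "$dir"
}

# Stand-alone demonstration with a constructed base directory.
demo_base="$(mktemp -d)"
mkdir -p "$demo_base/1000"
sudo_session_runtime_dir 1000 admin '' "$demo_base"
sudo_session_runtime_dir 1001 admin '' "$demo_base" \
    || echo "uid 1001 has no session under $demo_base, nothing exported"
rm -rf "$demo_base"
```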
......@@ -229,6 +229,7 @@ Security
- :ref:`debops.ferm`
- :ref:`debops.proc_hidepid`
- :ref:`debops.sshd`
- :ref:`debops.sudo`
- :ref:`debops.tcpwrappers`
- ``debops-contrib.apparmor``
- ``debops-contrib.firejail``
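Review bot: The `:ref:`debops.sudo`` entry resolves, because the role's documentation index defines the `.. _debops.sudo:` label, and it keeps the alphabetical order of the Security list between sshd and tcpwrappers; no change needed in this hunk.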
Getting started
.. contents::
Example inventory
The ``debops.sudo`` role is included by default in the ``common.yml`` DebOps
playbook; you don't need to add hosts to any Ansible groups to enable it.
Example playbook
If you are using this role without DebOps, here's an example Ansible playbook
that uses the ``debops.sudo`` role:
.. literalinclude:: ../../../../ansible/playbooks/service/sudo.yml
:language: yaml
Ansible tags
You can use the Ansible ``--tags`` or ``--skip-tags`` parameters to limit which
tasks are performed during an Ansible run. This can be used after a host has
been configured for the first time to speed up playbook execution, when you are
sure that most of the configuration is already in the desired state.
Available role tags:

``role::sudo``
  Main role tag, should be used in the playbook to execute all of the role
  tasks as well as role dependencies.
Other resources
List of other useful resources related to the ``debops.sudo`` Ansible role:
- Manual pages: :man:`sudo(8)`, :man:`sudoers(5)`
.. _debops.sudo:
The ``debops.sudo`` role can be used to ensure that :command:`sudo` is
supported on a host. The role will automatically install ``sudo-ldap`` APT
package if LDAP support is detected on a host, otherwise a normal ``sudo`` APT
package will be installed.
.. toctree::
:maxdepth: 2
.. literalinclude:: ../../../../ansible/roles/debops.sudo/COPYRIGHT
Local Variables:
mode: rst
ispell-local-dictionary: "american"