Diffstat (limited to 'roles/sudo/tasks')
-rw-r--r--roles/sudo/tasks/main.yml31
1 files changed, 31 insertions, 0 deletions
diff --git a/roles/sudo/tasks/main.yml b/roles/sudo/tasks/main.yml
new file mode 100644
index 0000000..e2d4861
--- /dev/null
+++ b/roles/sudo/tasks/main.yml
@@ -0,0 +1,31 @@
+- name: Install sudo
+ ansible.builtin.package:
+ name:
+ - sudo
+ state: present
+
+- name: Allow wheel group to use sudo
+ ansible.builtin.lineinfile:
+ dest: /etc/sudoers
+ state: present
+ regexp: '^(# )?%wheel ALL=\(ALL:ALL\) NOPASSWD: ALL'
+ line: '%wheel ALL=(ALL:ALL) NOPASSWD: ALL'
+ validate: "visudo -cf %s"
+ owner: root
+ group: root
+ mode: u+r,g+r,o-rwx
+
+- name: Use hard-coded PATH instead of the user's to find commands
+ ansible.builtin.lineinfile:
+ dest: /etc/sudoers
+ state: present
+ # Double quotes are important here if we want to break the line on multiple
+ # lines, as escaping doesn't work with single quotes.
+ regexp: "^(# )?Defaults secure_path=\"/usr/local/sbin:/usr/local/bin:\
+ /usr/sbin:/usr/bin:/sbin:/bin\""
+ line: "Defaults secure_path=\"/usr/local/sbin:/usr/local/bin:\
+ /usr/sbin:/usr/bin:/sbin:/bin\""
+ validate: "visudo -cf %s"
+ owner: root
+ group: root
+ mode: u+r,g+r,o-rwx
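Review bot: The `mode: u+r,g+r,o-rwx` on both lineinfile tasks is a relative symbolic mode, so it only adds the read bits and clears the "other" bits; any write or execute bit already set for owner or group on /etc/sudoers survives the run. Pin the file to an absolute value instead, `mode: "0440"` (quoted so YAML keeps it a string), which is the usual mode for this file. Separately, `%wheel ALL=(ALL:ALL) NOPASSWD: ALL` lets every wheel member become root without re-authenticating, so one compromised wheel account or session is a root compromise. If passwordless sudo is intended, say so in a comment above the task, for example `# Passwordless sudo is deliberate: hosts are key-only and wheel membership is managed by this repo`; otherwise drop `NOPASSWD:` from both `regexp` and `line`.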