From a2f60b8691706d67c1b5446a78f8bebd541f554c Mon Sep 17 00:00:00 2001
From: Dmitry Ilvokhin
Date: Sat, 6 Jan 2024 18:31:09 +0000
Subject: Migrate essential role to playbook completely
---
roles/sudo/tasks/main.yml | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
create mode 100644 roles/sudo/tasks/main.yml
(limited to 'roles/sudo/tasks/main.yml')
diff --git a/roles/sudo/tasks/main.yml b/roles/sudo/tasks/main.yml
new file mode 100644
index 0000000..e2d4861
--- /dev/null
+++ b/roles/sudo/tasks/main.yml
@@ -0,0 +1,31 @@
+- name: Install sudo
+ ansible.builtin.package:
+ name:
+ - sudo
+ state: present
+
+- name: Allow wheel group to use sudo
+ ansible.builtin.lineinfile:
+ dest: /etc/sudoers
+ state: present
+ regexp: '^(# )?%wheel ALL=\(ALL:ALL\) NOPASSWD: ALL'
+ line: '%wheel ALL=(ALL:ALL) NOPASSWD: ALL'
+ validate: "visudo -cf %s"
+ owner: root
+ group: root
+ mode: u+r,g+r,o-rwx
+
+- name: Use hard-coded PATH instead of the user's to find commands
+ ansible.builtin.lineinfile:
+ dest: /etc/sudoers
+ state: present
+ # Double quotes are important here if we want to break the line on multiple
+ # lines, as escaping doesn't work with single quotes.
+ regexp: "^(# )?Defaults secure_path=\"/usr/local/sbin:/usr/local/bin:\
+ /usr/sbin:/usr/bin:/sbin:/bin\""
+ line: "Defaults secure_path=\"/usr/local/sbin:/usr/local/bin:\
+ /usr/sbin:/usr/bin:/sbin:/bin\""
+ validate: "visudo -cf %s"
+ owner: root
+ group: root
+ mode: u+r,g+r,o-rwx
-- cgit v1.2.3-70-g09d2
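Review bot: `mode: u+r,g+r,o-rwx` in both lineinfile tasks is a relative symbolic mode, so it only adds the read bits and strips access for others; any owner or group write/execute bits already set on /etc/sudoers stay in place. For a file that grants root, pin the absolute state with `mode: '0440'` in both tasks. Separately, `%wheel ALL=(ALL:ALL) NOPASSWD: ALL` means a compromised wheel account becomes root without re-authentication; if that is intended, a comment on the task such as `# NOPASSWD is deliberate: wheel membership is restricted to <who>` would record the decision. The secure_path `regexp` matches only this exact value, so a host whose sudoers already carries a different `Defaults secure_path=` line would presumably keep it and get a second line appended; matching on `'^(# )?Defaults\s+secure_path='` would replace it instead.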