# Ensure the sudo package is present. The generic package module delegates
# to whichever package manager the managed host uses.
- name: Install sudo
  ansible.builtin.package:
    state: present
    name: [sudo]

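# Grants every member of the wheel group sudo for all commands without a
# password prompt. With NOPASSWD there is no re-authentication step, so wheel
# membership is equivalent to root access; keep that group small and audited.
- name: Allow wheel group to use sudo
  ansible.builtin.lineinfile:
    # `path` is the canonical parameter name; `dest` is only an alias for it.
    path: /etc/sudoers
    state: present
    # Matches the rule whether it is active or commented out with "# ", so an
    # existing line is rewritten in place instead of being duplicated.
    regexp: '^(# )?%wheel ALL=\(ALL:ALL\) NOPASSWD: ALL'
    line: '%wheel ALL=(ALL:ALL) NOPASSWD: ALL'
    # The edited copy is syntax-checked before it replaces /etc/sudoers; a
    # file that visudo rejects is never installed.
    validate: 'visudo -cf %s'
    owner: root
    group: root
    # Absolute mode, so the result does not depend on the file's current bits.
    # A relative form such as u+r,g+r,o-rwx leaves any existing owner/group
    # write or execute bits in place.
    mode: "0440"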

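# Enables secure_path so that sudo looks up commands in a fixed list of
# system directories rather than in the invoking user's PATH.
- name: Use hard-coded PATH instead of the user's to find commands
  ansible.builtin.lineinfile:
    # `path` is the canonical parameter name; `dest` is only an alias for it.
    path: /etc/sudoers
    state: present
    # Double quotes are required for the two values below: a trailing
    # backslash joins the next line only in a double-quoted scalar, and the
    # leading whitespace of the continuation line is dropped.
    #
    # The pattern matches this exact value only (active or commented out with
    # "# "). A secure_path entry with a different value is not replaced; in
    # that case lineinfile appends this line at the end of the file, so check
    # the result for a leftover older entry.
    regexp: "^(# )?Defaults secure_path=\"/usr/local/sbin:/usr/local/bin:\
            /usr/sbin:/usr/bin:/sbin:/bin\""
    line: "Defaults secure_path=\"/usr/local/sbin:/usr/local/bin:\
           /usr/sbin:/usr/bin:/sbin:/bin\""
    # The edited copy is syntax-checked before it replaces /etc/sudoers; a
    # file that visudo rejects is never installed.
    validate: 'visudo -cf %s'
    owner: root
    group: root
    # Absolute mode, so the result does not depend on the file's current bits.
    # A relative form such as u+r,g+r,o-rwx leaves any existing owner/group
    # write or execute bits in place.
    mode: "0440"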