diff --git a/roles/native-docker-volume-backup/meta/main.yml b/roles/native-docker-volume-backup/meta/main.yml index ec276173..9eff9c8f 100644 --- a/roles/native-docker-volume-backup/meta/main.yml +++ b/roles/native-docker-volume-backup/meta/main.yml @@ -1,3 +1,4 @@ dependencies: - native-docker - native-git + - native-user-administrator diff --git a/roles/native-docker-volume-backup/templates/docker-volume-backup.service b/roles/native-docker-volume-backup/templates/docker-volume-backup.service index 57b32fe2..2884a259 100644 --- a/roles/native-docker-volume-backup/templates/docker-volume-backup.service +++ b/roles/native-docker-volume-backup/templates/docker-volume-backup.service @@ -3,4 +3,4 @@ Description=docker volume update [Service] Type=oneshot -ExecStart=/usr/bin/bash /usr/local/bin/docker-volume-backup/docker-volume-backup.sh +ExecStart=/usr/bin/bash /usr/local/bin/docker-volume-backup/docker-volume-backup.sh administrator diff --git a/roles/native-sudo/tasks/main.yml b/roles/native-sudo/tasks/main.yml new file mode 100644 index 00000000..659b3779 --- /dev/null +++ b/roles/native-sudo/tasks/main.yml @@ -0,0 +1,17 @@ +- name: install sudo + pacman: name=sudo state=present + +- name: create sudoers + template: src=sudoers dest=/etc/sudoers + +- name: ensure group "sudo" exists + group: + name: sudo + state: present + +- name: set /etc/sudoers + file: + path: /etc/sudoers + owner: root + group: root + mode: 0440 diff --git a/roles/native-sudo/templates/sudoers b/roles/native-sudo/templates/sudoers new file mode 100755 index 00000000..2b5cf0a1 --- /dev/null +++ b/roles/native-sudo/templates/sudoers @@ -0,0 +1,96 @@ +## sudoers file. +## +## This file MUST be edited with the 'visudo' command as root. +## Failure to use 'visudo' may result in syntax or file permission errors +## that prevent sudo from running. +## +## See the sudoers man page for the details on how to write a sudoers file. +## + +## +## Host alias specification +## +## Groups of machines. These may include host names (optionally with wildcards), +## IP addresses, network numbers or netgroups. +# Host_Alias WEBSERVERS = www1, www2, www3 + +## +## User alias specification +## +## Groups of users. These may consist of user names, uids, Unix groups, +## or netgroups. +# User_Alias ADMINS = millert, dowdy, mikef + +## +## Cmnd alias specification +## +## Groups of commands. Often used to group related commands together. +# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ +# /usr/bin/pkill, /usr/bin/top +# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff + +## +## Defaults specification +## +## You may wish to keep some of the following environment variables +## when running commands via sudo. +## +## Locale settings +# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" +## +## Run X applications through sudo; HOME is used to find the +## .Xauthority file. Note that other programs use HOME to find +## configuration files and this may lead to privilege escalation! +# Defaults env_keep += "HOME" +## +## X11 resource path settings +# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" +## +## Desktop path settings +# Defaults env_keep += "QTDIR KDEDIR" +## +## Allow sudo-run commands to inherit the callers' ConsoleKit session +# Defaults env_keep += "XDG_SESSION_COOKIE" +## +## Uncomment to enable special input methods. Care should be taken as +## this may allow users to subvert the command being run via sudo. +# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" +## +## Uncomment to use a hard-coded PATH instead of the user's to find commands +# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +## +## Uncomment to send mail if the user does not enter the correct password. +# Defaults mail_badpass +## +## Uncomment to enable logging of a command's output, except for +## sudoreplay and reboot. Use sudoreplay to play back logged sessions. +# Defaults log_output +# Defaults!/usr/bin/sudoreplay !log_output +# Defaults!/usr/local/bin/sudoreplay !log_output +# Defaults!REBOOT !log_output + +## +## Runas alias specification +## + +## +## User privilege specification +## +root ALL=(ALL) ALL + +## Uncomment to allow members of group wheel to execute any command +# %wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Uncomment to allow members of group sudo to execute any command +%sudo ALL=(ALL) ALL + +## Uncomment to allow any user to run sudo if they know the password +## of the user they are running the command as (root by default). +# Defaults targetpw # Ask for the password of the target user +# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' + +## Read drop-in files from /etc/sudoers.d +@includedir /etc/sudoers.d diff --git a/roles/native-user-administrator/meta/main.yml b/roles/native-user-administrator/meta/main.yml new file mode 100644 index 00000000..fb092791 --- /dev/null +++ b/roles/native-user-administrator/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: +- native-sudo