Allow members of mga-sysadmin to run sudo on all servers

This is try #2 after e0230ba1 was reverted. This time, the sudoers file
is given a name that will cause it to be sorted before any other rules,
allowing those other rules to override it. This is on the assumption
that the revert was needed because a NOPASSWD: rule wasn't taking effect
because this one (which requires a password) took precedence.

3 files changed, 9 insertions, 0 deletions

diff --git a/deployment/common/manifests/init.pp b/deployment/common/manifests/init.pp
index 2a82cd1c..c7b7486d 100644
--- a/deployment/common/manifests/init.pp
+++ b/deployment/common/manifests/init.pp
@@ -8,6 +8,7 @@ class common {
         include common::export_ssh_keys
         include common::import_ssh_keys
         include common::i18n
+        include common::sudo_sysadmin
         include ntp
         include common::urpmi_update
         include puppet::client
diff --git a/deployment/common/manifests/sudo_sysadmin.pp b/deployment/common/manifests/sudo_sysadmin.pp
new file mode 100644
index 00000000..1247c02c
--- /dev/null
+++ b/deployment/common/manifests/sudo_sysadmin.pp
@@ -0,0 +1,7 @@
+class common::sudo_sysadmin {
+    include sudo
+
+    sudo::sudoers_config { '00-sysadmin':
+        content => template('common/sudoers.sysadmin')
+    }
+}
diff --git a/deployment/common/templates/sudoers.sysadmin b/deployment/common/templates/sudoers.sysadmin
new file mode 100644
index 00000000..874b1858
--- /dev/null
+++ b/deployment/common/templates/sudoers.sysadmin
@@ -0,0 +1 @@
+%mga-sysadmin        ALL=(ALL) ALL