From b4fa54f1aeda82458a77a25c3b68ad9baa55c25e Mon Sep 17 00:00:00 2001
From: Dan Fandrich <dan@coneharvesters.com>
Date: Sat, 16 Dec 2023 16:36:05 -0800
Subject: Allow members of mga-sysadmin to run sudo on all servers

This is try #2 after e0230ba1 was reverted. This time, the sudoers file
is given a name that will cause it to be sorted before any other rules,
allowing those other rules to override it. This is on the assumption
that the revert was needed because a NOPASSWD: rule wasn't taking effect
because this one (which requires a password) took precedence.
---
 deployment/common/manifests/init.pp          | 1 +
 deployment/common/manifests/sudo_sysadmin.pp | 7 +++++++
 deployment/common/templates/sudoers.sysadmin | 1 +
 3 files changed, 9 insertions(+)
 create mode 100644 deployment/common/manifests/sudo_sysadmin.pp
 create mode 100644 deployment/common/templates/sudoers.sysadmin

(limited to 'deployment')

diff --git a/deployment/common/manifests/init.pp b/deployment/common/manifests/init.pp
index 2a82cd1c..c7b7486d 100644
--- a/deployment/common/manifests/init.pp
+++ b/deployment/common/manifests/init.pp
@@ -8,6 +8,7 @@ class common {
         include common::export_ssh_keys
         include common::import_ssh_keys
         include common::i18n
+        include common::sudo_sysadmin
         include ntp
         include common::urpmi_update
         include puppet::client
diff --git a/deployment/common/manifests/sudo_sysadmin.pp b/deployment/common/manifests/sudo_sysadmin.pp
new file mode 100644
index 00000000..1247c02c
--- /dev/null
+++ b/deployment/common/manifests/sudo_sysadmin.pp
@@ -0,0 +1,7 @@
+class common::sudo_sysadmin {
+    include sudo
+
+    sudo::sudoers_config { '00-sysadmin':
+        content => template('common/sudoers.sysadmin')
+    }
+}
diff --git a/deployment/common/templates/sudoers.sysadmin b/deployment/common/templates/sudoers.sysadmin
new file mode 100644
index 00000000..874b1858
--- /dev/null
+++ b/deployment/common/templates/sudoers.sysadmin
@@ -0,0 +1 @@
+%mga-sysadmin        ALL=(ALL) ALL
-- 
cgit v1.2.1