From 6ea4d5b563c4cd542a4e2bf786bdd3a952d4e79e Mon Sep 17 00:00:00 2001
From: Pig Monkey
Date: Mon, 24 Oct 2022 21:33:58 -0700
Subject: [PATCH] configure sudo with sudoers.d/ files

Existing users should first run tasks with tagged with `sudo` to apply these changes, and then install the latest `/etc/sudoers` file from the sudo package (probably already on your system as `/etc/sudoers.pacnew`). Reversing those two steps probably prevents you from sudoing.
---
 group_vars/all | 3 ---
 playbook.yml | 2 ++
 roles/base/templates/sudoers.j2 | 10 ----------
 roles/nettools/tasks/main.yml | 3 ---
 roles/openvpn/tasks/main.yml | 8 ++++++++
 roles/openvpn/templates/sudo_openvpn.j2 | 1 +
 roles/{base/tasks/sudo.yml => sudo/tasks/main.yml} | 9 ++-------
 roles/sudo/templates/sudo_wheel.j2 | 1 +
 8 files changed, 14 insertions(+), 23 deletions(-)
 delete mode 100644 roles/base/templates/sudoers.j2
 create mode 100644 roles/openvpn/tasks/main.yml
 create mode 100644 roles/openvpn/templates/sudo_openvpn.j2
 rename roles/{base/tasks/sudo.yml => sudo/tasks/main.yml} (50%)
 create mode 100644 roles/sudo/templates/sudo_wheel.j2

diff --git a/group_vars/all b/group_vars/all
index f10374d..1b445ba 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -110,9 +110,6 @@ browser_choices: - qcode - "| xclip -selection c" -passwordless_sudo: - - /usr/bin/openvpn* - tarsnapper: deltas: 1h 1d 7d 30d 365d period: DAILY
diff --git a/playbook.yml b/playbook.yml
index 04ed40f..4eb2b3c 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -3,6 +3,7 @@
 become: yes
 roles:
 - { role: base, tags: ['base'] }
+ - { role: sudo, tags: ['sudo'] }
 - { role: gnupg, tags: ['gnupg'] }
 - { role: sysmon, tags: ['sysmon'] }
 - { role: cron, tags: ['cron'] }
@@ -22,6 +23,7 @@
 - { role: pass, tags: ['pass'] }
 - { role: iptables, tags: ['iptables'] }
 - { role: nettools, tags: ['nettools'] }
+ - { role: openvpn, tags: ['openvpn'] }
 - { role: nmtrust, tags: ['nmtrust'] }
 - { role: unbound, tags: ['unbound'] }
 - { role: openresolv, tags: ['openresolv'] }
diff --git a/roles/base/templates/sudoers.j2 b/roles/base/templates/sudoers.j2
deleted file mode 100644
index e256e7b..0000000
--- a/roles/base/templates/sudoers.j2
+++ /dev/null
@@ -1,10 +0,0 @@
-## {{ ansible_managed }}
-##
-## User privilege specification
-##
-root ALL=(ALL) ALL
-
-%wheel ALL=(ALL) ALL
-{% for entry in passwordless_sudo %}
-%wheel ALL=(ALL) NOPASSWD:{{ entry }}
-{% endfor %}
diff --git a/roles/nettools/tasks/main.yml b/roles/nettools/tasks/main.yml
index 32827f7..c86be2b 100644
--- a/roles/nettools/tasks/main.yml
+++ b/roles/nettools/tasks/main.yml
@@ -1,7 +1,4 @@ --- -- name: Install OpenVPN - pacman: name=openvpn state=present - - name: Install MTR pacman: name=mtr state=present
diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml
new file mode 100644
index 0000000..4220ea7
--- /dev/null
+++ b/roles/openvpn/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Install OpenVPN
+ pacman: name=openvpn state=present
+
+- name: Allow passwordless OpenVPN for wheel group
+ template: src=sudo_openvpn.j2 dest=/etc/sudoers.d/02_openvpn mode=440 validate='visudo -cf %s'
+ tags:
+ - sudo
diff --git a/roles/openvpn/templates/sudo_openvpn.j2 b/roles/openvpn/templates/sudo_openvpn.j2
new file mode 100644
index 0000000..ea5128f
--- /dev/null
+++ b/roles/openvpn/templates/sudo_openvpn.j2
@@ -0,0 +1 @@
+%wheel ALL=(ALL) NOPASSWD:/usr/bin/openvpn*
diff --git a/roles/base/tasks/sudo.yml b/roles/sudo/tasks/main.yml
similarity index 50%
rename from roles/base/tasks/sudo.yml
rename to roles/sudo/tasks/main.yml
index 9d515fa..9ee1537 100644
--- a/roles/base/tasks/sudo.yml
+++ b/roles/sudo/tasks/main.yml
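Review bot: `mode=440` on the new template task is only read as octal because the key=value form hands Ansible the string "440"; rewritten in YAML mapping style, an unquoted `mode: 440` becomes the integer 440 and is applied as decimal, so writing `mode=0440` now keeps the permission unambiguous. The same form is repeated by the new `01_wheel` task in roles/sudo/tasks/main.yml. The `validate='visudo -cf %s'` guard is the right call here, since a syntax error in any file under /etc/sudoers.d breaks sudo as a whole.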
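Review bot: `NOPASSWD:/usr/bin/openvpn*` carries no argument restriction, and openvpn can be told to run helper scripts as the invoking root user, so for wheel members this rule is effectively password-free root rather than a narrow exception; if that is the accepted trade-off it belongs in the file as a comment, and pinning the path to `/usr/bin/openvpn` at least stops the glob from matching any other binary that shares the prefix. Both new templates also drop the `## {{ ansible_managed }}` header that the deleted sudoers.j2 carried, so nothing marks the drop-ins under /etc/sudoers.d as generated; a first line of `## {{ ansible_managed }}` in this file and in roles/sudo/templates/sudo_wheel.j2 restores it, and visudo accepts the comment.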
@@ -1,16 +1,11 @@ --- - name: Install sudo pacman: name=sudo state=present - tags: - - sudo - name: Add user to wheel group user: name={{ user.name }} groups=wheel append=yes tags: - - sudo - user -- name: Copy sudo configuration - template: src=sudoers.j2 dest=/etc/sudoers mode=440 validate='visudo -cf %s' - tags: - - sudo +- name: Copy sudo wheel group configuration + template: src=sudo_wheel.j2 dest=/etc/sudoers.d/01_wheel mode=440 validate='visudo -cf %s'
diff --git a/roles/sudo/templates/sudo_wheel.j2 b/roles/sudo/templates/sudo_wheel.j2
new file mode 100644
index 0000000..7c7dbb8
--- /dev/null
+++ b/roles/sudo/templates/sudo_wheel.j2
@@ -0,0 +1 @@
+%wheel ALL=(ALL) ALL
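Review bot: With the `Copy sudo configuration` task removed, this role no longer manages /etc/sudoers at all, so the new `01_wheel` drop-in only takes effect if the host's /etc/sudoers contains an includedir directive; the deleted sudoers.j2 had none, so a host still running that file silently ignores the drop-in, and the commit message leaves the fix to a manual .pacnew install. A guard task in this role, placed before the drop-in is written, would make that dependency explicit and validated: `- name: Ensure /etc/sudoers includes sudoers.d` followed by `lineinfile: path=/etc/sudoers regexp='^[#@]includedir /etc/sudoers.d' line='@includedir /etc/sudoers.d' validate='visudo -cf %s'` (use `#includedir` if the target sudo is older than 1.9.1). Because lineinfile validates a temporary copy, a failed visudo check leaves the existing file untouched rather than locking the wheel group out.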