configure sudo with sudoers.d/ files

Existing users should first run tasks with tagged with `sudo` to apply
these changes, and then install the latest `/etc/sudoers` file from the
sudo package (probably already on your system as `/etc/sudoers.pacnew`).

Reversing those two steps probably prevents you from sudoing.

group_vars/all

@@ -110,9 +110,6 @@ browser_choices:
     - qcode
     - "| xclip -selection c"
 
-passwordless_sudo:
-    - /usr/bin/openvpn*
-
 tarsnapper:
   deltas: 1h 1d 7d 30d 365d
   period: DAILY

playbook.yml

@@ -3,6 +3,7 @@
   become: yes
   roles:
     - { role: base, tags: ['base'] }
+    - { role: sudo, tags: ['sudo'] }
     - { role: gnupg, tags: ['gnupg'] }
     - { role: sysmon, tags: ['sysmon'] }
     - { role: cron, tags: ['cron'] }
@@ -22,6 +23,7 @@
     - { role: pass, tags: ['pass'] }
     - { role: iptables, tags: ['iptables'] }
     - { role: nettools, tags: ['nettools'] }
+    - { role: openvpn, tags: ['openvpn'] }
     - { role: nmtrust, tags: ['nmtrust'] }
     - { role: unbound, tags: ['unbound'] }
     - { role: openresolv, tags: ['openresolv'] }

roles/base/templates/sudoers.j2

@@ -1,10 +0,0 @@
-## {{ ansible_managed }}
-##
-## User privilege specification
-##
-root ALL=(ALL) ALL
-
-%wheel ALL=(ALL) ALL
-{% for entry in passwordless_sudo %}
-%wheel ALL=(ALL) NOPASSWD:{{ entry }}
-{% endfor %}

roles/nettools/tasks/main.yml

@@ -1,7 +1,4 @@
 ---
-- name: Install OpenVPN
-  pacman: name=openvpn state=present
-
 - name: Install MTR
   pacman: name=mtr state=present
 

roles/openvpn/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+- name: Install OpenVPN
+  pacman: name=openvpn state=present
+
+- name: Allow passwordless OpenVPN for wheel group
+  template: src=sudo_openvpn.j2 dest=/etc/sudoers.d/02_openvpn mode=440 validate='visudo -cf %s'
+  tags:
+    - sudo

roles/openvpn/templates/sudo_openvpn.j2

@@ -0,0 +1 @@
+%wheel ALL=(ALL) NOPASSWD:/usr/bin/openvpn*

roles/sudo/tasks/main.yml

@@ -1,16 +1,11 @@
 ---
 - name: Install sudo
   pacman: name=sudo state=present
-  tags:
-    - sudo
 
 - name: Add user to wheel group
   user: name={{ user.name }} groups=wheel append=yes
   tags:
-    - sudo
     - user
 
-- name: Copy sudo configuration
-  template: src=sudoers.j2 dest=/etc/sudoers mode=440 validate='visudo -cf %s'
-  tags:
-    - sudo
+- name: Copy sudo wheel group configuration
+  template: src=sudo_wheel.j2 dest=/etc/sudoers.d/01_wheel mode=440 validate='visudo -cf %s'

roles/sudo/templates/sudo_wheel.j2

@@ -0,0 +1 @@
+%wheel ALL=(ALL) ALL