mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
38 lines
1.1 KiB
YAML
38 lines
1.1 KiB
YAML
- name: Install sudo
|
|
pacman: name=sudo state=present
|
|
|
|
# https://github.com/ansible/ansible/issues/11024
|
|
- name: Remove all users from wheel group
|
|
command: groupmems -g wheel --purge
|
|
register: groupmems
|
|
changed_when: "groupmems.rc == 0"
|
|
|
|
- name: Add sudo users to wheel
|
|
user: name="{{ item }}" append=yes groups=wheel
|
|
with_items: "{{ sudo_users }}"
|
|
tags: ['archusers']
|
|
|
|
- name: Allow wheel group to use sudo
|
|
lineinfile:
|
|
dest: /etc/sudoers
|
|
state: present
|
|
regexp: '^%wheel ALL=\(ALL:ALL\) ALL'
|
|
insertafter: '^# %wheel ALL=\(ALL:ALL\) ALL'
|
|
line: '%wheel ALL=(ALL:ALL) ALL'
|
|
validate: 'visudo -cf %s'
|
|
mode: '0440'
|
|
owner: root
|
|
group: root
|
|
|
|
- name: Secure path to protect against attacks
|
|
lineinfile:
|
|
dest: /etc/sudoers
|
|
state: present
|
|
regexp: '^Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"'
|
|
insertafter: '^# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
|
|
line: 'Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"'
|
|
validate: 'visudo -cf %s'
|
|
mode: '0440'
|
|
owner: root
|
|
group: root
|