Default variable details
Some of debops.sudo
default variables have more extensive configuration
than simple strings or lists, here you can find documentation and examples for
them.
sudo__sudoers
The sudo__*_sudoers
variables define sudo configuration located
in /etc/sudoers.d/
directory. Each variable is a list of YAML
dictionaries, with specific parameters:
name
Required. Name of the configuration section, used as a filename, and as a marker which merges multiple configuration entries together.
filename
Optional. Set custom filename for a given configuration file, located in
/etc/sudoers.d/
directory.comment
Optional. A string or YAML text block with comments added at the beginning of the configuration file.
state
Optional. If not defined or
present
(default), the configuration file will be generated. Ifabsent
, the configuration file will be removed.If
init
, the configuration for a given entry will be prepared but not actually present on the host. It can be activated conditionally in a later entry.If
ignore
, a given configuration entry will not be evaluated by the role.raw
Optional. A string or YAML text block with sudoers(5) configuration added at the end of the configuration file as-is.
options
Optional. A list of sudoers(5) configuration snippets specified as YAML dictionaries. Each dictionary can have specific parameters:
name
Required. Name of a configuration section, only used as a handle for merging options from multiple configuration entries.
value
Required. A string or YAML text block that contains the sudoers(5) configuration snippet. Values from different configuration entries will be merged into one list and present in the configuration file.
comment
Optional. A string or YAML text block with a comment about a given option.
weight
Optional. A positive or negative number which influences the order in which the entries will be present in the configuration file. The lower the number, the higher in the file a given option will be present.
state
Optional. If not defined or
present
, a given configuration option will be added in the configuration file. Ifabsent
, a given option will be removed from the configuration file.
Examples
Allow user ray
on host rushmore
to run specific commands with elevated
privileges without password confirmation:
sudo__sudoers:
- name: 'ray-nopasswd-commands'
raw: |
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
Override some of the built-in defaults conditionally:
sudo__sudoers:
- name: '00-defaults-override'
options:
- name: 'syslog-auth'
comment: 'Log events to syslog via "auth" facility'
value: 'Defaults syslog=auth'
- name: 'disable-lecture'
comment: "Don't show the default lecture on specific hosts"
value: |
Defaults !lecture
state: '{{ "present"
if (ansible_hostname == 'bastion')
else "absent" }}'
On the contrary, don't create the above defaults file when a host is in a specific Ansible inventory group:
sudo__group_sudoers:
- name: '00-defaults-override'
state: 'absent'