debops.sudo default variables
General configuration

- sudo__enabled

  Enable or disable support for sudo management on a host.

  sudo__enabled: True

- sudo__base_packages

  List of base APT packages to install for sudo support.

  sudo__base_packages: '{{ [ "sudo-ldap" ]
                           if sudo__ldap_enabled|bool
                           else [ "sudo" ] }}'

- sudo__packages

  List of additional APT packages to install with the sudo command.

  sudo__packages: []

- sudo__logind_session

  Enable or disable a workaround for the sudo login session not having the
  $XDG_RUNTIME_DIR environment variable set. The workaround allows control over
  another user's systemd instance.

  sudo__logind_session: '{{ True if (ansible_service_mgr == "systemd") else False }}'
LDAP environment

- sudo__ldap_base_dn

  The base Distinguished Name which should be used to create Distinguished
  Names of the LDAP directory objects, defined as a YAML list.

  sudo__ldap_base_dn: '{{ ansible_local.ldap.base_dn|d([]) }}'

- sudo__ldap_device_dn

  The Distinguished Name of the current host LDAP object, defined as a YAML
  list. It will be used as a base for the sudo service account LDAP object. If
  the list is empty, the role will not create the account LDAP object
  automatically.

  sudo__ldap_device_dn: '{{ ansible_local.ldap.device_dn|d([]) }}'

- sudo__ldap_self_rdn

  The Relative Distinguished Name of the account LDAP object used by the sudo
  service to access the LDAP directory.

  sudo__ldap_self_rdn: 'uid=sudo'

- sudo__ldap_self_object_classes

  List of the LDAP object classes which will be used to create the LDAP object
  used by the sudo service to access the LDAP directory.

  sudo__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]

- sudo__ldap_self_attributes

  YAML dictionary that defines the attributes of the LDAP object used by the
  sudo service to access the LDAP directory.

  sudo__ldap_self_attributes:
    uid: '{{ sudo__ldap_self_rdn.split("=")[1] }}'
    userPassword: '{{ sudo__ldap_bindpw }}'
    host: '{{ [ ansible_fqdn, ansible_hostname ] | unique }}'
    description: 'Account used by the "sudo" service to access the LDAP directory'

- sudo__ldap_binddn

  The Distinguished Name of the account LDAP object used by the sudo service
  to bind to the LDAP directory.

  sudo__ldap_binddn: '{{ ([ sudo__ldap_self_rdn ] + sudo__ldap_device_dn) | join(",") }}'

- sudo__ldap_bindpw

  The password stored in the account LDAP object used by the sudo service to
  bind to the LDAP directory.

  sudo__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
                          + sudo__ldap_binddn | to_uuid + ".password length=32"))
                         if sudo__ldap_enabled|bool
                         else "" }}'
Local sudoers configuration

These lists define what sudo configuration will be present in the
/etc/sudoers.d/ directory. See sudo__sudoers for more details.

- sudo__sudoers

  Configuration which should be present on all hosts in the Ansible inventory.

  sudo__sudoers: []

- sudo__group_sudoers

  Configuration which should be present on hosts in a specific Ansible
  inventory group.

  sudo__group_sudoers: []

- sudo__host_sudoers

  Configuration which should be present on specific hosts in the Ansible
  inventory.

  sudo__host_sudoers: []

- sudo__dependent_sudoers

  List of sudoers configurations defined in other Ansible roles.

  sudo__dependent_sudoers: []

- sudo__combined_sudoers

  The variable which combines all other sudoers configuration variables and
  is used in the role tasks.

  sudo__combined_sudoers: '{{ sudo__sudoers
                              + sudo__group_sudoers
                              + sudo__host_sudoers
                              + sudo__dependent_sudoers }}'
LDAP sudoers configuration

The variables below define the contents of the /etc/sudo-ldap.conf
configuration file, which is used by the sudo service to access the LDAP
directory and retrieve the sudoers configuration stored in the directory.

The syntax of the sudo__ldap_*_configuration variables is the same as the
ldap__configuration variable syntax. Refer to its documentation for more
details. The configuration options supported by sudo can be found in the
sudoers.ldap(5) manual page.

- sudo__ldap_enabled

  Enable or disable support for the /etc/sudo-ldap.conf configuration file
  management. If the support is disabled, the existing configuration file will
  not be changed or removed.

  sudo__ldap_enabled: '{{ True
                          if (ansible_local|d() and ansible_local.ldap|d() and
                              (ansible_local.ldap.posix_enabled|d())|bool and not
                              (ansible_local.sssd|d() and ansible_local.sssd.installed|d())|bool)
                          else False }}'

- sudo__ldap_default_configuration

  The contents of the /etc/sudo-ldap.conf configuration file defined by
  default in the role.

  sudo__ldap_default_configuration:

    - name: 'sudoers_base'
      comment: 'The base DN to use when performing "sudo" LDAP queries.'
      value: '{{ ([ "ou=SUDOers" ] + sudo__ldap_base_dn) | join(",") }}'

    - name: 'uri'
      comment: 'The location at which the LDAP server(s) should be reachable.'
      value: '{{ ansible_local.ldap.uri|d("") }}'

    - name: 'ssl'
      comment: 'SSL options'
      value: '{{ "start_tls"
                 if (ansible_local|d() and ansible_local.ldap|d() and
                     (ansible_local.ldap.start_tls|d())|bool)
                 else "on" }}'

    - name: 'tls_reqcert'
      value: 'demand'

    - name: 'tls_cacert'
      value: '/etc/ssl/certs/ca-certificates.crt'

    - name: 'binddn'
      comment: 'The "sudo" service LDAP credentials used to bind to the directory.'
      value: '{{ sudo__ldap_binddn }}'

    - name: 'bindpw'
      value: '{{ sudo__ldap_bindpw }}'

- sudo__ldap_configuration

  The contents of the /etc/sudo-ldap.conf configuration file defined on all
  hosts in the Ansible inventory.

  sudo__ldap_configuration: []

- sudo__ldap_group_configuration

  The contents of the /etc/sudo-ldap.conf configuration file defined on hosts
  in a specific Ansible inventory group.

  sudo__ldap_group_configuration: []

- sudo__ldap_host_configuration

  The contents of the /etc/sudo-ldap.conf configuration file defined on
  specific hosts in the Ansible inventory.

  sudo__ldap_host_configuration: []

- sudo__ldap_combined_configuration

  Variable which combines the sudo LDAP configuration from the other variables
  and is used in the role templates.

  sudo__ldap_combined_configuration: '{{ sudo__ldap_default_configuration
                                         + sudo__ldap_configuration
                                         + sudo__ldap_group_configuration
                                         + sudo__ldap_host_configuration }}'
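As an added example (not code from the debops.sudo role or the DebOps project), the following Python sketch models how the combined list above becomes /etc/sudo-ldap.conf: the default entries are built from constructed ansible_local.ldap facts, the inventory/group/host lists are merged in order with a later entry of the same name overriding an earlier one (an assumption about the ldap__configuration syntax, which this page only refers to), and a final check flags a host-level override that weakens tls_reqcert below the default 'demand'. The facts, DN values and the bind password are constructed placeholders.

```python
# Added illustration, not code from the debops.sudo role. Models how the
# sudo__ldap_*_configuration lists are combined and rendered into
# /etc/sudo-ldap.conf. Merging entries by 'name' is an assumption here.

# Constructed stand-in for the ansible_local.ldap facts of one host.
LDAP_FACTS = {"base_dn": ["dc=example", "dc=org"],
              "device_dn": ["cn=host1", "ou=Hosts", "dc=example", "dc=org"],
              "uri": "ldap://ldap.example.org/", "start_tls": True}


def bind_dn(facts, self_rdn="uid=sudo"):
    """Same construction as sudo__ldap_binddn: self RDN + device DN."""
    return ",".join([self_rdn] + facts["device_dn"])


def default_configuration(facts, binddn, bindpw):
    """Mirror of sudo__ldap_default_configuration built from the facts."""
    return [
        {"name": "sudoers_base",
         "value": ",".join(["ou=SUDOers"] + facts["base_dn"])},
        {"name": "uri", "value": facts.get("uri", "")},
        {"name": "ssl", "value": "start_tls" if facts.get("start_tls") else "on"},
        {"name": "tls_reqcert", "value": "demand"},
        {"name": "tls_cacert", "value": "/etc/ssl/certs/ca-certificates.crt"},
        {"name": "binddn", "value": binddn},
        {"name": "bindpw", "value": bindpw},
    ]


def combine(*lists):
    """Concatenate in order (default, inventory, group, host); a later entry
    with the same name updates the earlier one and keeps its position."""
    merged = {}
    for entry in (e for lst in lists for e in lst):
        merged.setdefault(entry["name"], {}).update(entry)
    return list(merged.values())


def render(entries):
    """Emit sudo-ldap.conf lines: an optional '# comment', then 'name value'."""
    lines = []
    for e in entries:
        if e.get("comment"):
            lines.append("# " + e["comment"])
        lines.append(f"{e['name']} {e['value']}")
    return "\n".join(lines) + "\n"


def verifies_server_cert(entries):
    """False if an override weakened tls_reqcert, which would let bindpw be sent to an unverified server."""
    opts = {e["name"]: e["value"] for e in entries}
    return opts.get("tls_reqcert") == "demand"
```

Running verifies_server_cert over the merged list before the template is written is the check a practitioner would add, since a host-level tls_reqcert entry silently replaces the default.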
Configuration for other Ansible roles

- sudo__ldap__dependent_tasks

  Configuration for the debops.ldap Ansible role.

  sudo__ldap__dependent_tasks:

    - name: 'Create sudo account for {{ sudo__ldap_device_dn | join(",") }}'
      dn: '{{ sudo__ldap_binddn }}'
      objectClass: '{{ sudo__ldap_self_object_classes }}'
      attributes: '{{ sudo__ldap_self_attributes }}'
      no_log: '{{ debops__no_log | d(True) }}'
      state: '{{ "present"
                 if sudo__ldap_enabled|bool
                 else "ignore" }}'