debops.sudo default variables

General configuration

sudo__enabled

Enable or disable support for sudo management on a host.

sudo__enabled: True

sudo__base_packages

List of base APT packages to install for sudo support.

sudo__base_packages: '{{ ["sudo-ldap"]
                         if sudo__ldap_enabled | bool
                         else ["sudo"] }}'

sudo__packages

List of additional APT packages to install with sudo command.

sudo__packages: []

sudo__logind_session

Enable or disable a workaround for sudo login sessions that lack the $XDG_RUNTIME_DIR environment variable. With the workaround in place, a user entered via sudo can control that user's own systemd user instance.

sudo__logind_session: '{{ True if (ansible_service_mgr == "systemd") else False }}'

LDAP environment

sudo__ldap_base_dn

The base Distinguished Name which should be used to create Distinguished Names of the LDAP directory objects, defined as a YAML list.

sudo__ldap_base_dn: '{{ ansible_local.ldap.base_dn | d([]) }}'

sudo__ldap_device_dn

The Distinguished Name of the current host LDAP object, defined as a YAML list. It will be used as a base for the sudo service account LDAP object. If the list is empty, the role will not create the account LDAP object automatically.

sudo__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'

sudo__ldap_self_rdn

The Relative Distinguished Name of the account LDAP object used by the sudo service to access the LDAP directory.

sudo__ldap_self_rdn: 'uid=sudo'

sudo__ldap_self_object_classes

List of the LDAP object classes which will be used to create the LDAP object used by the sudo service to access the LDAP directory.

sudo__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]

sudo__ldap_self_attributes

YAML dictionary that defines the attributes of the LDAP object used by the sudo service to access the LDAP directory.

sudo__ldap_self_attributes:
  uid: '{{ sudo__ldap_self_rdn.split("=")[1] }}'
  userPassword: '{{ sudo__ldap_bindpw }}'
  host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
  description: 'Account used by the "sudo" service to access the LDAP directory'

sudo__ldap_binddn

The Distinguished Name of the account LDAP object used by the sudo service to bind to the LDAP directory.

sudo__ldap_binddn: '{{ ([sudo__ldap_self_rdn] + sudo__ldap_device_dn) | join(",") }}'

sudo__ldap_bindpw

The password stored in the account LDAP object used by the sudo service to bind to the LDAP directory.

sudo__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
                               + sudo__ldap_binddn | to_uuid + ".password length=32"))
                       if sudo__ldap_enabled | bool
                       else "" }}'

Local sudoers configuration

These lists define what sudo configuration will be present in the /etc/sudoers.d/ directory. See sudo__sudoers for more details.

sudo__sudoers

Configuration which should be present on all hosts in the Ansible inventory.

sudo__sudoers: []

sudo__group_sudoers

Configuration which should be present on hosts in a specific Ansible inventory group.

sudo__group_sudoers: []

sudo__host_sudoers

Configuration which should be present on specific hosts in the Ansible inventory.

sudo__host_sudoers: []

sudo__dependent_sudoers

List of sudoers configurations defined by other Ansible roles (dependent role configuration).

sudo__dependent_sudoers: []

sudo__combined_sudoers

The variable which combines all other sudoers configuration variables and is used in the role tasks.

sudo__combined_sudoers: '{{ sudo__sudoers
                            + sudo__group_sudoers
                            + sudo__host_sudoers
                            + sudo__dependent_sudoers }}'

LDAP sudoers configuration

The variables below define the contents of the /etc/sudo-ldap.conf configuration file, which the sudo service uses to access the LDAP directory and retrieve the sudoers configuration stored there.

The syntax of the sudo__ldap_*_configuration variables is the same as the ldap__configuration variable syntax. Refer to its documentation for more details. The configuration options supported by sudo can be found in the sudoers.ldap(5) manual page.

sudo__ldap_enabled

Enable or disable management of the /etc/sudo-ldap.conf configuration file. If support is disabled, an existing configuration file is left as it is: it will be neither changed nor removed.

sudo__ldap_enabled: '{{ True
                        if (ansible_local | d() and ansible_local.ldap | d() and
                            (ansible_local.ldap.posix_enabled | d()) | bool and not
                            (ansible_local.sssd | d() and ansible_local.sssd.installed | d()) | bool)
                        else False }}'

sudo__ldap_default_configuration

The contents of the /etc/sudo-ldap.conf configuration file defined by default in the role.

sudo__ldap_default_configuration:

  - name: 'sudoers_base'
    comment: 'The base DN to use when performing "sudo" LDAP queries.'
    value: '{{ (["ou=SUDOers"] + sudo__ldap_base_dn) | join(",") }}'

  - name: 'uri'
    comment: 'The location at which the LDAP server(s) should be reachable.'
    value: '{{ ansible_local.ldap.uri | d("") }}'

  - name: 'ssl'
    comment: 'SSL options'
    value: '{{ "start_tls"
               if (ansible_local | d() and ansible_local.ldap | d() and
                   (ansible_local.ldap.start_tls | d()) | bool)
               else "on" }}'

  - name: 'tls_reqcert'
    value: 'demand'

  - name: 'tls_cacert'
    value: '/etc/ssl/certs/ca-certificates.crt'

  - name: 'binddn'
    comment: 'The "sudo" service LDAP credentials used to bind to the directory.'
    value: '{{ sudo__ldap_binddn }}'

  - name: 'bindpw'
    value: '{{ sudo__ldap_bindpw }}'

sudo__ldap_configuration

The contents of the /etc/sudo-ldap.conf configuration file defined on all hosts in the Ansible inventory.

sudo__ldap_configuration: []

sudo__ldap_group_configuration

The contents of the /etc/sudo-ldap.conf configuration file defined on hosts in a specific Ansible inventory group.

sudo__ldap_group_configuration: []

sudo__ldap_host_configuration

The contents of the /etc/sudo-ldap.conf configuration file defined on specific hosts in the Ansible inventory.

sudo__ldap_host_configuration: []

sudo__ldap_combined_configuration

The variable which combines the sudo LDAP configuration from all the other sudo__ldap_*_configuration variables and is used in the role templates.

sudo__ldap_combined_configuration: '{{ sudo__ldap_default_configuration
                                       + sudo__ldap_configuration
                                       + sudo__ldap_group_configuration
                                       + sudo__ldap_host_configuration }}'

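The following Python script is an added example, not code from the debops.sudo role: it reproduces how the defaults above derive the sudo service account DN (sudo__ldap_binddn), which file under the DebOps secret directory backs sudo__ldap_bindpw, and how entries of sudo__ldap_combined_configuration end up as lines of /etc/sudo-ldap.conf. The host DNs are constructed values; ANSIBLE_UUID_NAMESPACE is the namespace Ansible's to_uuid filter uses, and the merge-by-name behaviour of render_sudo_ldap_conf is an assumption about the role's parse_kv_config filter rather than something verified against its template.

```python
"""Added example, not code from the debops.sudo role: reproduce how the
role's defaults derive the sudo LDAP service account DN, the secret file
behind sudo__ldap_bindpw, and the rendered /etc/sudo-ldap.conf entries."""
import uuid

# Namespace used by Ansible's 'to_uuid' filter (uuid5 of the given string).
ANSIBLE_UUID_NAMESPACE = uuid.UUID("361E6D51-FAEC-444A-9079-341386DA8E2E")

# Constructed example values standing in for the ansible_local.ldap facts.
SELF_RDN = "uid=sudo"                                         # sudo__ldap_self_rdn
DEVICE_DN = ["cn=host1", "ou=Hosts", "dc=example", "dc=org"]  # sudo__ldap_device_dn
BASE_DN = ["dc=example", "dc=org"]                            # sudo__ldap_base_dn

def bind_dn(self_rdn=SELF_RDN, device_dn=DEVICE_DN):
    """sudo__ldap_binddn: ([self_rdn] + device_dn) | join(",")."""
    return ",".join([self_rdn] + device_dn)

def sudoers_base(base_dn=BASE_DN):
    """The 'sudoers_base' option: (["ou=SUDOers"] + base_dn) | join(",")."""
    return ",".join(["ou=SUDOers"] + base_dn)

def bindpw_secret_path(binddn, secret="secret"):
    """File the 'password' lookup reads or creates for sudo__ldap_bindpw.
    'length=32' is a lookup parameter, not part of the path. Hashing the DN
    with to_uuid gives a stable, filesystem-safe name per service account."""
    name = uuid.uuid5(ANSIBLE_UUID_NAMESPACE, binddn)
    return f"{secret}/ldap/credentials/{name}.password"

def render_sudo_ldap_conf(entries):
    """Render name/comment/value entries as 'name value' lines. Entries that
    share a name are merged and the later one wins, so host/group entries in
    the combined list override the defaults (assumed parse_kv_config behaviour)."""
    merged = {}
    for entry in entries:
        merged.setdefault(entry["name"], {}).update(entry)
    lines = []
    for entry in merged.values():
        if entry.get("comment"):
            lines.append(f"# {entry['comment']}")
        lines.append(f"{entry['name']} {entry['value']}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(bind_dn(), bindpw_secret_path(bind_dn()), sep="\n")
    print(render_sudo_ldap_conf([
        {"name": "sudoers_base", "value": sudoers_base()},
        {"name": "ssl", "comment": "SSL options", "value": "on"},
        {"name": "ssl", "value": "start_tls"},  # host-level override wins
    ]))
```

Knowing the secret path lets an operator locate, rotate or audit the per-host sudo bind password under the secret directory without re-running the lookup.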
Configuration for other Ansible roles

sudo__ldap__dependent_tasks

Configuration for the debops.ldap Ansible role.

sudo__ldap__dependent_tasks:

  - name: 'Create sudo account for {{ sudo__ldap_device_dn | join(",") }}'
    dn: '{{ sudo__ldap_binddn }}'
    objectClass: '{{ sudo__ldap_self_object_classes }}'
    attributes: '{{ sudo__ldap_self_attributes }}'
    no_log: '{{ debops__no_log | d(True) }}'
    state: '{{ "present"
               if sudo__ldap_enabled | bool
               else "ignore" }}'