debops.sudo default variables
General configuration
- sudo__enabled
Enable or disable support for sudo management on a host.
sudo__enabled: True
- sudo__base_packages
List of base APT packages to install for sudo support.
sudo__base_packages: '{{ ["sudo-ldap"]
                         if sudo__ldap_enabled | bool
                         else ["sudo"] }}'
- sudo__packages
List of additional APT packages to install with the sudo command.
sudo__packages: []
- sudo__logind_session
Enable or disable a workaround for the sudo login session not having the $XDG_RUNTIME_DIR environment variable set. This allows control over another user's systemd instance.
sudo__logind_session: '{{ True if (ansible_service_mgr == "systemd") else False }}'
LDAP environment
- sudo__ldap_base_dn
The base Distinguished Name which should be used to create Distinguished Names of the LDAP directory objects, defined as a YAML list.
sudo__ldap_base_dn: '{{ ansible_local.ldap.base_dn | d([]) }}'
- sudo__ldap_device_dn
The Distinguished Name of the current host LDAP object, defined as a YAML list. It will be used as a base for the sudo service account LDAP object. If the list is empty, the role will not create the account LDAP object automatically.
sudo__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'
- sudo__ldap_self_rdn
The Relative Distinguished Name of the account LDAP object used by the sudo service to access the LDAP directory.
sudo__ldap_self_rdn: 'uid=sudo'
- sudo__ldap_self_object_classes
List of the LDAP object classes which will be used to create the LDAP object used by the sudo service to access the LDAP directory.
sudo__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
- sudo__ldap_self_attributes
YAML dictionary that defines the attributes of the LDAP object used by the sudo service to access the LDAP directory.
sudo__ldap_self_attributes:
  uid: '{{ sudo__ldap_self_rdn.split("=")[1] }}'
  userPassword: '{{ sudo__ldap_bindpw }}'
  host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
  description: 'Account used by the "sudo" service to access the LDAP directory'
- sudo__ldap_binddn
The Distinguished Name of the account LDAP object used by the sudo service to bind to the LDAP directory.
sudo__ldap_binddn: '{{ ([sudo__ldap_self_rdn] + sudo__ldap_device_dn) | join(",") }}'
- sudo__ldap_bindpw
The password stored in the account LDAP object used by the sudo service to bind to the LDAP directory.
sudo__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
                        + sudo__ldap_binddn | to_uuid + ".password length=32"))
                       if sudo__ldap_enabled | bool
                       else "" }}'
Local sudoers configuration
These lists define what sudo configuration will be present in the /etc/sudoers.d/ directory. See sudo__sudoers for more details.
- sudo__sudoers
Configuration which should be present on all hosts in the Ansible inventory.
sudo__sudoers: []
- sudo__group_sudoers
Configuration which should be present on hosts in a specific Ansible inventory group.
sudo__group_sudoers: []
- sudo__host_sudoers
Configuration which should be present on specific hosts in the Ansible inventory.
sudo__host_sudoers: []
- sudo__dependent_sudoers
List of sudoers configurations defined in other Ansible roles.
sudo__dependent_sudoers: []
- sudo__combined_sudoers
The variable which combines all other sudoers configuration variables and is used in the role tasks.
sudo__combined_sudoers: '{{ sudo__sudoers
                            + sudo__group_sudoers
                            + sudo__host_sudoers
                            + sudo__dependent_sudoers }}'
LDAP sudoers configuration
The variables below define the contents of the /etc/sudo-ldap.conf configuration file, which is used by the sudo service to access the LDAP directory and retrieve the sudoers configuration stored in the directory.

The syntax of the sudo__ldap_*_configuration variables is the same as the ldap__configuration variable syntax. Refer to its documentation for more details. The configuration options supported by sudo can be found in the sudoers.ldap(5) manual page.
- sudo__ldap_enabled
Enable or disable support for management of the /etc/sudo-ldap.conf configuration file. If the support is disabled, an existing configuration file will not be changed or removed.
sudo__ldap_enabled: '{{ True
                        if (ansible_local | d() and ansible_local.ldap | d() and
                            (ansible_local.ldap.posix_enabled | d()) | bool and not
                            (ansible_local.sssd | d() and ansible_local.sssd.installed | d()) | bool)
                        else False }}'
- sudo__ldap_default_configuration
The contents of the /etc/sudo-ldap.conf configuration file defined by default in the role.
sudo__ldap_default_configuration:

  - name: 'sudoers_base'
    comment: 'The base DN to use when performing "sudo" LDAP queries.'
    value: '{{ (["ou=SUDOers"] + sudo__ldap_base_dn) | join(",") }}'

  - name: 'uri'
    comment: 'The location at which the LDAP server(s) should be reachable.'
    value: '{{ ansible_local.ldap.uri | d("") }}'

  - name: 'ssl'
    comment: 'SSL options'
    value: '{{ "start_tls"
               if (ansible_local | d() and ansible_local.ldap | d() and
                   (ansible_local.ldap.start_tls | d()) | bool)
               else "on" }}'

  - name: 'tls_reqcert'
    value: 'demand'

  - name: 'tls_cacert'
    value: '/etc/ssl/certs/ca-certificates.crt'

  - name: 'binddn'
    comment: 'The "sudo" service LDAP credentials used to bind to the directory.'
    value: '{{ sudo__ldap_binddn }}'

  - name: 'bindpw'
    value: '{{ sudo__ldap_bindpw }}'
- sudo__ldap_configuration
The contents of the /etc/sudo-ldap.conf configuration file defined on all hosts in the Ansible inventory.
sudo__ldap_configuration: []
- sudo__ldap_group_configuration
The contents of the /etc/sudo-ldap.conf configuration file defined on hosts in a specific Ansible inventory group.
sudo__ldap_group_configuration: []
- sudo__ldap_host_configuration
The contents of the /etc/sudo-ldap.conf configuration file defined on specific hosts in the Ansible inventory.
sudo__ldap_host_configuration: []
- sudo__ldap_combined_configuration
Variable which combines sudo LDAP configuration from other variables and is used in the role templates.
sudo__ldap_combined_configuration: '{{ sudo__ldap_default_configuration
                                       + sudo__ldap_configuration
                                       + sudo__ldap_group_configuration
                                       + sudo__ldap_host_configuration }}'
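As an added example (not code from the debops.sudo role), the following Python merges the layered sudo__ldap_*_configuration lists into sudo-ldap.conf text and audits the TLS-related settings that the role's defaults set to start_tls/on and demand. It assumes the ldap__configuration list semantics (a later entry with the same name overrides an earlier one, state 'absent' removes it); the DNs, URI and password are constructed sample data.

```python
# Added example, not the debops.sudo role's own code: merge the layered
# sudo__ldap_*_configuration lists into one sudo-ldap.conf and audit the
# TLS-related settings. Assumes the ldap__configuration list semantics: each
# entry is a dict with 'name' and 'value', optional 'comment' and 'state', and a
# later entry with the same 'name' overrides an earlier one. Sample data below.

DEFAULT = [  # the page's default configuration with its Jinja values resolved
    {'name': 'sudoers_base', 'value': 'ou=SUDOers,dc=example,dc=org',
     'comment': 'The base DN to use when performing "sudo" LDAP queries.'},
    {'name': 'uri', 'value': 'ldap://ldap.example.org/'},
    {'name': 'ssl', 'comment': 'SSL options', 'value': 'start_tls'},
    {'name': 'tls_reqcert', 'value': 'demand'},
    {'name': 'tls_cacert', 'value': '/etc/ssl/certs/ca-certificates.crt'},
    {'name': 'binddn', 'value': 'uid=sudo,cn=host1,ou=Hosts,dc=example,dc=org'},
    {'name': 'bindpw', 'value': 'constructed-sample-password'},
]
# Constructed host-level layer that (wrongly) relaxes certificate verification.
HOST = [{'name': 'tls_reqcert', 'value': 'allow'}, {'name': 'timelimit', 'value': '15'}]

def combine(*layers):
    """Merge lists in order: same-name entries override, state 'absent' drops them."""
    merged, order = {}, []
    for entry in (e for layer in layers for e in layer):
        if entry['name'] not in merged:
            order.append(entry['name'])
            merged[entry['name']] = {}
        merged[entry['name']].update(entry)
    return [merged[n] for n in order if merged[n].get('state', 'present') != 'absent']

def render(entries):
    """Emit sudo-ldap.conf text: an optional '# comment' line, then 'name value'."""
    out = []
    for e in entries:
        if e.get('comment'):
            out.append('# ' + e['comment'])
        out.append(f"{e['name']} {e['value']}")
    return '\n'.join(out) + '\n'

def audit(entries):
    """Return findings for settings that weaken the sudo service's LDAP bind."""
    cfg = {e['name']: str(e['value']) for e in entries}
    findings = []
    if cfg.get('ssl') not in ('on', 'start_tls') and not cfg.get('uri', '').startswith('ldaps://'):
        findings.append('ssl is neither on nor start_tls: bind credentials travel in cleartext')
    if cfg.get('tls_reqcert') != 'demand':
        findings.append(f"tls_reqcert is {cfg.get('tls_reqcert')!r}, not 'demand': server certificate not enforced")
    if not cfg.get('bindpw'):
        findings.append('bindpw is empty: the sudo service would bind without credentials')
    return findings
```

Running `audit(combine(DEFAULT, HOST))` reports only the relaxed tls_reqcert, while the role's defaults alone produce no findings.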
Configuration for other Ansible roles
- sudo__ldap__dependent_tasks
Configuration for the debops.ldap Ansible role.
sudo__ldap__dependent_tasks:

  - name: 'Create sudo account for {{ sudo__ldap_device_dn | join(",") }}'
    dn: '{{ sudo__ldap_binddn }}'
    objectClass: '{{ sudo__ldap_self_object_classes }}'
    attributes: '{{ sudo__ldap_self_attributes }}'
    no_log: '{{ debops__no_log | d(True) }}'
    state: '{{ "present"
               if sudo__ldap_enabled | bool
               else "ignore" }}'