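---
# This allows the validation below to pass: the rules file is created up
# front, owned by root and readable by root only, before any rule is written.
- name: user | Ensure /etc/please.ini exists
  file:
    path: /etc/please.ini
    state: touch
    owner: root
    group: root
    mode: '600'
    # `state: touch` alone rewrites both timestamps and reports "changed" on
    # every run; preserving them keeps the task idempotent, so a real change
    # to this privilege file stands out in the play output.
    modification_time: preserve
    access_time: preserve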
# Writes the managed rule block into /etc/please.ini. The candidate file is
# passed to `/usr/bin/please --check` (validate) before it is put in place.
#
# Sections in the block, as written below:
#   wheel_run_as_anyone      name=wheel group=true, target=^.*$, regex=^.*$,
#                            require_pass=true
#   wheel_edit_anything      name=wheel group=true, target=root, type=edit,
#                            regex=^.*$, require_pass=true
#   wheel_list_rules         name=wheel group=true, target=^.*$, type=list,
#                            require_pass=false
#   {{ username }}_run_nopasswd
#                            only rendered when nopasswd_commands is non-empty;
#                            target=root, require_pass=false
#
# The nopasswd regex accepts an optional /bin, /sbin, /usr/bin, /usr/sbin,
# /usr/local/bin or /usr/local/sbin prefix, then one of the listed commands,
# then optional whitespace followed by any arguments.
#
# NOTE(review): entries of nopasswd_commands are joined into that regex
# without escaping, so a regex metacharacter in an entry (for example `.`)
# widens what the passwordless rule matches. Keep entries to literal command
# names, or escape them - confirm the escaping matches please's regex syntax.
# NOTE(review): the trailing `(\s+.*)?` allows arbitrary arguments, so every
# listed command should be reviewed as if it granted passwordless root: a
# command that can start other programs or write files does exactly that.
# NOTE(review): `username` is interpolated into the section header and name=
# as-is; presumably it is a plain account name - verify against the caller.
- name: user | Configure please's privilege escalation rules
  blockinfile:
    path: /etc/please.ini
    owner: root
    group: root
    mode: '600'
    state: present
    marker: '; {mark} ANSIBLE MANAGED SETTINGS'
    validate: '/usr/bin/please --check %s'
    block: |
      [wheel_run_as_anyone]
      name=wheel
      group=true
      target=^.*$
      regex=^.*$
      require_pass=true

      [wheel_edit_anything]
      name=wheel
      group=true
      target=root
      type=edit
      regex=^.*$
      require_pass=true

      [wheel_list_rules]
      name=wheel
      group=true
      target=^.*$
      type=list
      require_pass=false
      {% if nopasswd_commands | length > 0 %}

      [{{ username }}_run_nopasswd]
      name={{ username }}
      target=root
      regex=^((/usr(/local)?)?/s?bin/)?{{ '(' ~ (nopasswd_commands | list | join('|')) ~ ')' }}(\s+.*)?$
      require_pass=false
      {% endif %}