From 8a4c9b540d6b15bc98fb4e9af631e3d8a78ff351 Mon Sep 17 00:00:00 2001
From: Johannes Christ
Date: Sun, 12 May 2024 08:52:05 +0200
Subject: [PATCH] Configure sudo in separate file
---
 ansible/roles/common/tasks/main.yml | 15 +++++++++++++--
 ansible/roles/common/templates/sudoers.j2 | 4 ++++
 2 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 ansible/roles/common/templates/sudoers.j2
diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml
index d23c6e07..af2d0104 100644
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@@ -84,12 +84,23 @@
 tags:
 - role::common
 
-- name: Add sudoers lecture path
+- name: Configure sudo
+ template:
+ src: sudoers.j2
+ dest: /etc/sudoers.d/pydis
+ owner: root
+ group: root
+ mode: '0440'
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - role::common
+
+- name: Remove sudoers lecture path
 lineinfile:
 dest: /etc/sudoers
 regexp: '^Defaults +?lecture_file ?= ?".+?"$'
 line: 'Defaults lecture_file = "/etc/sudo_lecture"'
- state: present
+ state: absent
 validate: /usr/sbin/visudo -cf %s
 tags:
 - role::common
diff --git a/ansible/roles/common/templates/sudoers.j2 b/ansible/roles/common/templates/sudoers.j2
new file mode 100644
index 00000000..91d24cc4
--- /dev/null
+++ b/ansible/roles/common/templates/sudoers.j2
@@ -0,0 +1,4 @@
+Defaults lecture_file="/etc/sudo_lecture"
+Defaults insults
+
+# vim: ft=sudoers.j2:
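Review bot: Nothing in this hunk checks that /etc/sudoers still pulls in /etc/sudoers.d, so on a host whose main file lacks the `@includedir /etc/sudoers.d` line (or the older `#includedir` spelling) the new drop-in is never read, while the "Remove sudoers lecture path" task deletes the setting that did work. Distribution defaults usually carry the directive, but the role should state the assumption, for example with a comment above "Configure sudo" such as `# relies on the includedir directive for /etc/sudoers.d in /etc/sudoers`, or with a preceding task that fails when the directive is missing. This matters more once the drop-in carries anything beyond cosmetic `Defaults`. Separately, in the removal task the `line:` key is now dead: with `state: absent` and a `regexp`, lineinfile matches on the regexp alone, so dropping `line:` avoids implying the value is still written.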
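Review bot: The new template gives no hint in the deployed /etc/sudoers.d/pydis that the file is generated, so a manual edit made on the host would be silently overwritten on the next run. A first line of `# {{ ansible_managed }}` would mark it as managed; sudoers treats it as an ordinary comment. The file currently contains no other Jinja expressions, so this would also be the only reason it needs to be a template rather than a plain copied file.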