formula-sudoers/pillar.example

# -*- coding: utf-8 -*-
# vim: ft=yaml
---
sudoers:
  # By default the main sudoers file is managed by this formula (False to skip)
  manage_main_config: true
  # By default the included directory is not purged from unwanted files
  purge_includedir: false
  users:
    johndoe:
      - 'ALL=(ALL) ALL'
      - 'ALL=(root) NOPASSWD: /etc/init.d/httpd'
  groups:
    sudo:
      - 'ALL=(ALL) ALL'
      - 'ALL=(nodejs) NOPASSWD: ALL'
  netgroups:
    sysadmins:
      - 'ALL=(ALL) ALL'
  defaults:
    generic:
      - env_reset
      - mail_badpass
      - secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    user_list:
      johndoe: '!requiretty'
      ADMINS: '!lecture'
    host_list:
      www1: 'log_year, logfile=/var/log/sudo.log'
    command_list:
      PROCESSES: 'noexec'
    runas_list:
      root: '!set_logname'
  aliases:
    hosts:
      WEBSERVERS:
        - www1
        - www2
        - www3
    users:
      ADMINS:
        - millert
        - dowdy
        - mikef
    commands:
      PROCESSES:
        - /usr/bin/nice
        - /bin/kill
        - /usr/bin/renice
        - /usr/bin/pkill
        - /usr/bin/top
  includedir: /etc/sudoers.d
  included_files:
    /etc/sudoers.d/extra-file:
      users:
        foo:
          - 'ALL=(ALL) ALL'
    extra-file-2:
      groups:
        bargroup:
          - 'ALL=(ALL) NOPASSWD: ALL'
    extra-file-3:
      netgroups:
        other_netgroup:
          - 'ALL=(ALL) ALL'
  # ordering is important. The sudoers manpage says when multiple
  # entries match, the last match is used. However, if we do not
  # manage the main config, our included files may not match last.
  # To guarantee included files match last, set 'true' below to append
  # each '#include <includefile>' to sudoers file.
  append_included_files_to_endof_main_config: true
docs: fix `CONTRIBUTING` and `README` * Finalises comments from #51 2019-05-29 14:50:49 -04:00			`# -- coding: utf-8 --`
			`# vim: ft=yaml`
			`---`
start of sudoers formula 2013-08-20 17:32:58 -04:00			`sudoers:`
Make management of the main sudoers config optional It should be possible to not overwrite the main sudoers configuration file and only provide files to be included. This introduces a new Pillar variable to achieve that. If it's not set we default to the old behaviour of managing that file. 2018-08-22 06:14:02 -04:00			`# By default the main sudoers file is managed by this formula (False to skip)`
feat(yamllint): include for this repo and apply rules throughout * Semi-automated using `ssf-formula` (v0.5.0) * Fix errors shown below: ```bash sudoers-formula$ $(grep "\- yamllint" .travis.yml \| sed -e "s:^\s\+-\s\(.*\):\1:") pillar.example 6:23 warning truthy value should be one of [false, true] (truthy) test/salt/pillar/kitchen.sls 3:1 warning missing document start "---" (document-start) 7:1 error too many blank lines (1 > 0) (empty-lines) test/salt/pillar/default.sls 1:1 warning missing document start "---" (document-start) 3:23 warning truthy value should be one of [false, true] (truthy) ``` 2019-08-06 15:56:57 -04:00			`manage_main_config: true`
feat: implement option to purge included files directory 2020-08-24 11:58:35 -04:00			`# By default the included directory is not purged from unwanted files`
			`purge_includedir: false`
start of sudoers formula 2013-08-20 17:32:58 -04:00			`users:`
Pillar whitespace 2014-10-02 03:22:49 -04:00			`johndoe:`
allow for multiple lines for the same user or group 2014-08-19 10:26:47 -04:00			`- 'ALL=(ALL) ALL'`
			`- 'ALL=(root) NOPASSWD: /etc/init.d/httpd'`
start of sudoers formula 2013-08-20 17:32:58 -04:00			`groups:`
Pillar whitespace 2014-10-02 03:22:49 -04:00			`sudo:`
allow for multiple lines for the same user or group 2014-08-19 10:26:47 -04:00			`- 'ALL=(ALL) ALL'`
			`- 'ALL=(nodejs) NOPASSWD: ALL'`
Add support for netgroups 2018-08-13 15:33:05 -04:00			`netgroups:`
			`sysadmins:`
			`- 'ALL=(ALL) ALL'`
start of sudoers formula 2013-08-20 17:32:58 -04:00			`defaults:`
Extend defaults section of sudoers to permit the following: Default_Type ::= 'Defaults' \| 'Defaults' '@' Host_List \| 'Defaults' ':' User_List \| 'Defaults' '!' Cmnd_List \| 'Defaults' '>' Runas_List 2014-07-09 13:21:58 -04:00			`generic:`
pillar.example: fix a small typo 2014-10-04 15:29:39 -04:00			`- env_reset`
Extend defaults section of sudoers to permit the following: Default_Type ::= 'Defaults' \| 'Defaults' '@' Host_List \| 'Defaults' ':' User_List \| 'Defaults' '!' Cmnd_List \| 'Defaults' '>' Runas_List 2014-07-09 13:21:58 -04:00			`- mail_badpass`
			`- secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"`
			`user_list:`
			`johndoe: '!requiretty'`
			`ADMINS: '!lecture'`
			`host_list:`
			`www1: 'log_year, logfile=/var/log/sudo.log'`
			`command_list:`
			`PROCESSES: 'noexec'`
			`runas_list:`
			`root: '!set_logname'`
start of sudoers formula 2013-08-20 17:32:58 -04:00			`aliases:`
			`hosts:`
fleshed out template 2013-08-20 17:51:13 -04:00			`WEBSERVERS:`
start of sudoers formula 2013-08-20 17:32:58 -04:00			`- www1`
			`- www2`
			`- www3`
			`users:`
fleshed out template 2013-08-20 17:51:13 -04:00			`ADMINS:`
start of sudoers formula 2013-08-20 17:32:58 -04:00			`- millert`
			`- dowdy`
			`- mikef`
			`commands:`
fleshed out template 2013-08-20 17:51:13 -04:00			`PROCESSES:`
start of sudoers formula 2013-08-20 17:32:58 -04:00			`- /usr/bin/nice`
			`- /bin/kill`
			`- /usr/bin/renice`
			`- /usr/bin/pkill`
			`- /usr/bin/top`
includedir fix 2013-08-20 17:35:57 -04:00			`includedir: /etc/sudoers.d`
Added sudoers.included formula to manage included sudoers files 2014-02-09 12:32:22 -05:00			`included_files:`
			`/etc/sudoers.d/extra-file:`
			`users:`
Pillar whitespace 2014-10-02 03:22:49 -04:00			`foo:`
allow for multiple lines for the same user or group 2014-08-19 10:26:47 -04:00			`- 'ALL=(ALL) ALL'`
added includedir as variable (mostly for FreeBSD) include files can now be specified with the filename only. 2018-02-04 14:04:11 -05:00			`extra-file-2:`
Added sudoers.included formula to manage included sudoers files 2014-02-09 12:32:22 -05:00			`groups:`
Pillar whitespace 2014-10-02 03:22:49 -04:00			`bargroup:`
allow for multiple lines for the same user or group 2014-08-19 10:26:47 -04:00			`- 'ALL=(ALL) NOPASSWD: ALL'`
Add support for netgroups 2018-08-13 15:33:05 -04:00			`extra-file-3:`
			`netgroups:`
			`other_netgroup:`
			`- 'ALL=(ALL) ALL'`
feat(ordering): optionally append includefiles to main config 2021-08-18 19:05:27 -04:00			`# ordering is important. The sudoers manpage says when multiple`
			`# entries match, the last match is used. However, if we do not`
			`# manage the main config, our included files may not match last.`
			`# To guarantee included files match last, set 'true' below to append`
			`# each '#include <includefile>' to sudoers file.`
			`append_included_files_to_endof_main_config: true`