From 8f75ef911163b6ce1f7a71ae765aa7f11ea402e3 Mon Sep 17 00:00:00 2001
From: Jonas Forsberg <jonas.forsberg@suse.com>
Date: Mon, 10 Aug 2020 14:04:35 +0200
Subject: [PATCH] added sudo

---
 salt/states/files/sudoers | 88 +++++++++++++++++++++++++++++++++++++++
 salt/states/sudo.sls      | 22 ++++++++++
 salt/states/top.sls       |  1 +
 3 files changed, 111 insertions(+)
 create mode 100644 salt/states/files/sudoers
 create mode 100644 salt/states/sudo.sls

diff --git a/salt/states/files/sudoers b/salt/states/files/sudoers
new file mode 100644
index 0000000..1bed358
--- /dev/null
+++ b/salt/states/files/sudoers
@@ -0,0 +1,88 @@
+## sudoers file.
+##
+## This file MUST be edited with the 'visudo' command as root.
+## Failure to use 'visudo' may result in syntax or file permission errors
+## that prevent sudo from running.
+##
+## See the sudoers man page for the details on how to write a sudoers file.
+##
+
+##
+## Host alias specification
+##
+## Groups of machines. These may include host names (optionally with wildcards),
+## IP addresses, network numbers or netgroups.
+# Host_Alias	WEBSERVERS = www1, www2, www3
+
+##
+## User alias specification
+##
+## Groups of users.  These may consist of user names, uids, Unix groups,
+## or netgroups.
+# User_Alias	ADMINS = millert, dowdy, mikef
+
+##
+## Cmnd alias specification
+##
+## Groups of commands.  Often used to group related commands together.
+# Cmnd_Alias	PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
+# 			    /usr/bin/pkill, /usr/bin/top
+# Cmnd_Alias	REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
+
+##
+## Defaults specification
+##
+## Prevent environment variables from influencing programs in an
+## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
+Defaults always_set_home
+## Path that will be used for every command run from sudo
+Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
+Defaults env_reset
+## Change env_reset to !env_reset in previous line to keep all environment variables
+## Following list will no longer be nevessary after this change
+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+## Comment out the preceding line and uncomment the following one if you need
+## to use special input methods. This may allow users to compromise the root
+## account if they are allowed to run commands without authentication.
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+
+## Do not insult users when they enter an incorrect password.
+Defaults !insults
+
+## Uncomment to use a hard-coded PATH instead of the user's to find commands
+# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+##
+## Uncomment to send mail if the user does not enter the correct password.
+# Defaults mail_badpass
+##
+## Uncomment to enable logging of a command's output, except for
+## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
+# Defaults log_output
+# Defaults!/usr/bin/sudoreplay !log_output
+# Defaults!REBOOT !log_output
+
+## In the default (unconfigured) configuration, sudo asks for the root password.
+## This allows use of an ordinary user account for administration of a freshly
+## installed system. When configuring sudo, delete the two
+## following lines:
+#Defaults targetpw   # ask for the password of the target user i.e. root
+#ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
+
+##
+## Runas alias specification
+##
+
+##
+## User privilege specification
+##
+root ALL=(ALL) ALL
+
+## Uncomment to allow members of group wheel to execute any command
+# %wheel ALL=(ALL) ALL
+
+## Same thing without a password
+# %wheel ALL=(ALL) NOPASSWD: ALL
+
+## Read drop-in files from /etc/sudoers.d
+## (the '#' here does not indicate a comment)
+#includedir /etc/sudoers.d
diff --git a/salt/states/sudo.sls b/salt/states/sudo.sls
new file mode 100644
index 0000000..3e961dd
--- /dev/null
+++ b/salt/states/sudo.sls
@@ -0,0 +1,22 @@
+Configure sudoers:
+  file.managed:
+    - name: /etc/sudoers
+    - source: salt://files/sudoers
+    - user: root
+    - group: root
+    - mode: "0440"
+
+add sudoers.d file for {{ pillar['username'] }}:
+  file.managed:
+    - name: /etc/sudoers.d/{{ pillar['username'] }}
+    - source: salt://files/user_sudo
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: 0640
+
+remove root password:
+  cmd.run:
+    - name: usermod -p '!' root
+    - unless: '[[ $(grep root /etc/shadow | cut -f2 -d":") == "!" ]]'
+
diff --git a/salt/states/top.sls b/salt/states/top.sls
index 01207b4..1fdd93e 100644
--- a/salt/states/top.sls
+++ b/salt/states/top.sls
@@ -6,3 +6,4 @@ base:
     - vim
     - firefox
     - borgbackup
+    - sudo