configpolicy/roles/sudo/tasks/main.yml

- name: ensure sudo packages are installed
  package:
    name: '{{ sudo_packages|reject("eq", "") }}'
    state: present
  tags:
  - install

- name: ensure sudo group exists
  group:
    name=sudo
    state=present
- name: ensure admin users members of sudo group
  user:
    name={{ item }}
    groups=sudo
    append=yes
  with_items: '{{ admin_users }}'
- name: ensure members of sudo group can use sudo
  copy:
    src: sudo.sudoers
    dest: /etc/sudoers.d/10_sudo
    mode: '0440'
    validate: visudo -cf %s
- name: ensure legacy sudo group configuration is removed
  file:
    path=/etc/sudoers.d/sudo
    state=absent

- name: ensure pam is configured for sudo
  template:
    src: sudo.pam.conf
    dest: /etc/pam.d/sudo
    mode: u=rw,go=r
    owner: root
    group: root
  tags:
  - pam-ssh-agent

- name: ensure sudo authorized ssh_keys are configured
  copy:
    dest: /etc/security/sudo.authorized_keys
    content: '{{ sudo_authorized_ssh_keys }}'
    mode: u=rw,go=r
    owner: root
    group: root
  when: sudo_use_pam_ssh_agent
  tags:
  - pam-ssh-agent
  - pam-ssh-agent-keys
- name: ensure sudo authorized ssh_keys are not configured
  file:
    path: /etc/security/sudo.sshkeys
    state: absent
  when: not sudo_use_pam_ssh_agent
  tags:
  - pam-ssh-agent
  - pam-ssh-agent-keys

# Upstream documentation says this is only required for "old" versions
# of sudo, however without it, SSH key authentication always fails.  I
# suspect it is only unnecessary when users originally authenticated to
# the SSH daemon using a public key, but required for other forms of
# authentication, such as GSSAPI.
- name: ensure sudo is configured for pam_ssh_agent_auth
  copy:
    dest: /etc/sudoers.d/ssh-auth-sock
    content: |+
      {% if sudo_use_pam_ssh_agent %}
      Defaults   env_keep += "SSH_AUTH_SOCK"
      {% endif %}
    mode: u=rw,g=r,o=
    owner: root
    group: root
    validate: visudo -cf %s
  tags:
  - pam-ssh-agent