Merge pull request #362 from lsst-it/IT-1555/sudoers

rm sudo wheel rule

hieradata/cluster/auxtel-ccs.yaml

@@ -44,6 +44,7 @@ postfix::configs:
   smtp_sasl_mechanism_filter:
     value: "plain, login"
 
+sudo::purge: false  # FIXME
 sudo::configs:
   auxtel_ccs_cmd:
     content: "%auxtel-ccs-cmd ALL=(ccs) NOPASSWD: ALL"

hieradata/cluster/comcam-ccs.yaml

@@ -42,6 +42,7 @@ postfix::configs:
     value: "hash:/etc/postfix/sasl_passwd"
   smtp_sasl_mechanism_filter:
     value: "plain, login"
+sudo::purge: false  # FIXME
 sudo::configs:
   comcam_ccs_cmd:
     content: "%comcam-ccs-cmd ALL=(ccs) NOPASSWD: ALL"

hieradata/org/lsst.yaml

@@ -110,12 +110,30 @@ ssh::client_options:
   GSSAPIAuthentication: "yes"
   GSSAPIDelegateCredentials: "yes"
 
-sudo::config_file_replace: false
-sudo::purge: false
+sudo::config_file_replace: true
+sudo::content: "profile/sudo/sudoers.epp"
+sudo::purge: true
 sudo::configs:
   wheel_b:  # backup wheel group in case of LDAP failure.
     content: "%wheel_b ALL=(ALL) NOPASSWD: ALL"
+  defaults:
+    priority: "00"
+    content: |
+      Defaults   !visiblepw
+      Defaults    always_set_home
+      Defaults    match_group_by_gid
+      Defaults    always_query_group_plugin
 
+      Defaults    env_reset
+      Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
+      Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
+      Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
+      Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
+      Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
+
+      Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
+
+      root	ALL=(ALL) 	ALL
 accounts::group_list:
   wheel_b: {}
 accounts::user_defaults:

site/profile/templates/sudo/sudoers.epp

@@ -0,0 +1,2 @@
+## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
+#includedir /etc/sudoers.d