From: Peter Palfrader <peter@palfrader.org>
Date: Sun, 8 Sep 2019 14:01:57 +0000 (+0200)
Subject: Split out jenkins sudoers entries
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=927981be74657fc57d0e23237179565aa87acd91;p=mirror%2Fdsa-puppet.git

Split out jenkins sudoers entries
---

diff --git a/modules/roles/files/jenkins/sudoers b/modules/roles/files/jenkins/sudoers
new file mode 100644
index 000000000..7db7c4419
--- /dev/null
+++ b/modules/roles/files/jenkins/sudoers
@@ -0,0 +1,5 @@
+# edit with visudo!
+
+%jenkins-adm	ALL=(jenkins-adm)	ALL
+%jenkins-adm	ALL=(jenkins)		ALL
+%jenkins-adm	ALL=(root)		/usr/sbin/service jenkins restart, /usr/sbin/service jenkins reload, /usr/sbin/service jenkins stop, /usr/sbin/service jenkins start
diff --git a/modules/roles/manifests/jenkins.pp b/modules/roles/manifests/jenkins.pp
index e38b0239d..34038e3c3 100644
--- a/modules/roles/manifests/jenkins.pp
+++ b/modules/roles/manifests/jenkins.pp
@@ -13,4 +13,9 @@ class roles::jenkins {
   }
 
   dsa_systemd::linger { 'jenkins': }
+
+  file { '/etc/sudoers.d/jenkins':
+    mode   => '0440',
+    source => 'puppet:///modules/roles/jenkins/sudoers',
+  }
 }
diff --git a/modules/sudo/files/sudoers b/modules/sudo/files/sudoers
index 8c882cbe3..e779375d6 100644
--- a/modules/sudo/files/sudoers
+++ b/modules/sudo/files/sudoers
@@ -39,7 +39,6 @@ Host_Alias	BUILDD_MASTER	= wuiet
 Host_Alias	PORTERBOXES	= abel, amdahl, barriere, eller, harris, minkus, plummer, zelenka
 Host_Alias	PIUPARTS_SLAVE_HOSTS	= piu-slave-bm-a, piu-slave-ubc-01
 Host_Alias	MQ_HOSTS	= rainier, rapoport
-Host_Alias	JENKINSHOSTS	= jerea
 
 # Cmnd alias specification
 
@@ -151,7 +150,6 @@ git		godard=(salsa-webhook)	NOPASSWD: ALL
 git		godard=(salsa-pages)	NOPASSWD: ALL
 %keyring	ALL=(keyring)	ALL
 %keyring	kaufmann=(root)		NOPASSWD: /usr/sbin/service bind9 reload
-%jenkins-adm	ALL=(jenkins-adm)	ALL
 %lintian	ALL=(lintian)	ALL
 %listweb	ALL=(listweb)	ALL
 %list		LISTHOSTS=(list)	ALL
@@ -300,9 +298,6 @@ nagiosadm	tchaikovsky=(root)		NOPASSWD: /usr/sbin/service icinga reload
 # voip stuff
 %debvoip	VOIPHOSTS=(root)	/usr/sbin/service resiprocate-turn-server restart, /usr/sbin/service repro restart
 %debvoip	VOIPHOSTS=(root)	/usr/sbin/service prosody restart, /usr/sbin/service prosody reload, /usr/sbin/service prosody stop, /usr/sbin/service prosody start
-# jenkins
-%jenkins-adm	JENKINSHOSTS=(jenkins)	ALL
-%jenkins-adm	JENKINSHOSTS=(root)	/usr/sbin/service jenkins restart, /usr/sbin/service jenkins reload, /usr/sbin/service jenkins stop, /usr/sbin/service jenkins start
 # snapshot can reload apache to get the wsgi reloaded
 snapshot	lw07,sallinen=(root)	NOPASSWD: /usr/sbin/service apache2 reload
 
diff --git a/modules/sudoers b/modules/sudoers
new file mode 100644
index 000000000..e69de29bb