Feat(playbooks/openvpn): Allow passwordless sudo for up/down scripts
authorOleg Broytman <phd@phdru.name>
Mon, 22 Dec 2025 22:16:32 +0000 (01:16 +0300)
committerOleg Broytman <phd@phdru.name>
Mon, 22 Dec 2025 22:17:42 +0000 (01:17 +0300)
playbooks/roles/openvpn/tasks/main.yaml

index de6301a0c3a2e370e2db43d60fe162817a4d1639..7185cb5c6567b53dad578ccc6c499b23748e3fca 100644 (file)
     line: 'AUTOSTART="none"'
     insertafter: '^#AUTOSTART="home office"$'
   when: ansible_facts.os_family == 'Debian'
+
+- name: Allow passwordless sudo for up/down scripts
+  become: true
+  copy:
+    content: |
+      Defaults !admin_flag
+      openvpn  ALL=(root:root) NOPASSWD: /etc/openvpn/up, NOPASSWD: /etc/openvpn/down
+    dest: /etc/sudoers.d/openvpn
+    owner: root
+    group: "{% if ansible_facts.os_family == 'Debian' %}sudo{% elif ansible_facts.os_family == 'RedHat' %}root{% endif %}"
+    mode: 0640
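Review bot: The new `copy` task writes `/etc/sudoers.d/openvpn` with no syntax check, so a malformed line would land in the live sudoers include directory and can leave sudo unusable on the host; add `validate: /usr/sbin/visudo -cf %s` to the task. `Defaults !admin_flag` has no user scope, so it applies to every sudo user rather than only the VPN account; `Defaults:openvpn !admin_flag` would limit it, and because the `group` template also targets RedHat it is worth confirming that the sudo build there accepts `admin_flag` at all. The rule lets `openvpn` run `/etc/openvpn/up` and `/etc/openvpn/down` as root with any arguments, which is only safe if both scripts and their directory are root-owned and not writable by that user; nothing in this hunk sets or checks that. Quoting the mode (`mode: '0640'`, or `'0440'` as is conventional for sudoers fragments) avoids relying on YAML octal parsing.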