From: Oleg Broytman
Date: Mon, 22 Dec 2025 22:16:32 +0000 (+0300)
Subject: Feat(playbooks/openvpn): Allow passwordless sudo for up/down scripts
X-Git-Url: https://git.phdru.name/?a=commitdiff_plain;h=d62a1b4234f8d54b680bd2ff4999d7d5892d6c1c;p=ansible.git
Feat(playbooks/openvpn): Allow passwordless sudo for up/down scripts
---
diff --git a/playbooks/roles/openvpn/tasks/main.yaml b/playbooks/roles/openvpn/tasks/main.yaml
index de6301a..7185cb5 100644
--- a/playbooks/roles/openvpn/tasks/main.yaml
+++ b/playbooks/roles/openvpn/tasks/main.yaml
@@ -44,3 +44,14 @@
 line: 'AUTOSTART="none"'
 insertafter: '^#AUTOSTART="home office"$'
 when: ansible_facts.os_family == 'Debian'
+
+- name: Allow passwordless sudo for up/down scripts
+ become: true
+ copy:
+ content: |
+ Defaults !admin_flag
+ openvpn ALL=(root:root) NOPASSWD: /etc/openvpn/up, NOPASSWD: /etc/openvpn/down
+ dest: /etc/sudoers.d/openvpn
+ owner: root
+ group: "{% if ansible_facts.os_family == 'Debian' %}sudo{% elif ansible_facts.os_family == 'RedHat' %}root{% endif %}"
+ mode: 0640
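Review bot: The new `copy` task installs `/etc/sudoers.d/openvpn` without a syntax check, so a malformed fragment could leave sudo unusable on the host; adding `validate: /usr/sbin/visudo -cf %s` to the task makes Ansible reject the file before it is put in place. Because the rule runs `/etc/openvpn/up` and `/etc/openvpn/down` as root without a password, both scripts and their directory need to be root-owned and not writable by the `openvpn` user, and the hunk does not show how they are installed. `Defaults !admin_flag` has no user qualifier, so it changes that setting for every sudo user on the host rather than only for `openvpn`. The `group` template renders an empty string when `os_family` is neither Debian nor RedHat, and the task has no `when:` guard for that case. `mode: 0640` would be safer quoted and tightened to the conventional sudoers.d value, `mode: '0440'`.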