From d62a1b4234f8d54b680bd2ff4999d7d5892d6c1c Mon Sep 17 00:00:00 2001
From: Oleg Broytman
Date: Tue, 23 Dec 2025 01:16:32 +0300
Subject: [PATCH] Feat(playbooks/openvpn): Allow passwordless sudo for up/down scripts
---
 playbooks/roles/openvpn/tasks/main.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/playbooks/roles/openvpn/tasks/main.yaml b/playbooks/roles/openvpn/tasks/main.yaml
index de6301a..7185cb5 100644
--- a/playbooks/roles/openvpn/tasks/main.yaml
+++ b/playbooks/roles/openvpn/tasks/main.yaml
@@ -44,3 +44,14 @@
 line: 'AUTOSTART="none"'
 insertafter: '^#AUTOSTART="home office"$'
 when: ansible_facts.os_family == 'Debian'
+
+- name: Allow passwordless sudo for up/down scripts
+ become: true
+ copy:
+ content: |
+ Defaults !admin_flag
+ openvpn ALL=(root:root) NOPASSWD: /etc/openvpn/up, NOPASSWD: /etc/openvpn/down
+ dest: /etc/sudoers.d/openvpn
+ owner: root
+ group: "{% if ansible_facts.os_family == 'Debian' %}sudo{% elif ansible_facts.os_family == 'RedHat' %}root{% endif %}"
+ mode: 0640
--
2.47.3
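Review bot: The new `copy` task installs `/etc/sudoers.d/openvpn` without a syntax check, so content that the local sudo rejects (possibly `admin_flag` on the RedHat branch, which I cannot confirm from this hunk) can break sudo for every account on the host; add `validate: /usr/sbin/visudo -cf %s` to the task. `mode: 0640` is unquoted and wider than the conventional drop-in mode, so prefer `mode: '0440'`, and since the `group` template renders an empty string on any `os_family` other than Debian or RedHat, a plain `group: root` is simpler and also stops members of `sudo` from reading the rule. `Defaults !admin_flag` is unscoped and so applies to all users; `Defaults:openvpn !admin_flag` would limit it to the account the rule is written for. The NOPASSWD rule is only as safe as the two scripts it names: nothing visible here establishes that `/etc/openvpn/up` and `/etc/openvpn/down` are root-owned and not writable by `openvpn`, so the role should set their owner and mode explicitly.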