adding dom0 sudo prompt

2025-02-28 12:11:20 +01:00 · 2025-02-28 12:11:20 +01:00 · d00ff8da7d
commit d00ff8da7d
parent 97fdf67c56
3 changed files with 61 additions and 0 deletions
--- a/roles/qubes-f41-gnome/tasks/main.yaml
+++ b/roles/qubes-f41-gnome/tasks/main.yaml
@ -226,3 +226,40 @@
       regexp: '^(metalink=.*)$'
       line: '\1&protocol=https'
     loop: '{{ found_files.files }}'
+
+   - name: Create authselect profile
+     shell: authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam
+
+   - name: Copy authselect file
+     ansible.builtin.copy:
+      src: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
+      dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside'
+      mode: '0644'
+
+   - name: Copy authselect folder
+     ansible.builtin.copy:
+      src: '/etc/authselect/system-auth'
+      dest: '/etc/authselect/custom/sudo-dom0-prompt'
+      mode: '0755'
+
+   - name: Copy authselect file
+     ansible.builtin.copy:
+      src: 'etc/authselect/custom/sudo-dom0-prompt/system-auth'
+      dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
+      mode: '0644'
+
+
+   - name: Select authselect profile
+     shell: authselect authselect select custom/sudo-dom0-prompt
+
+   - name: Fix sudoers.d
+     ansible.builtin.copy:
+      src: 'etc/sudoers.d/qubes'
+      dest: '/etc/sudoers.d/qubes'
+      mode: '0440'
+
+   - name: Delete allow all rule
+     ansible.builtin.file:
+      path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
+      state: 'absent'
+