Commit
feat(work): add vpn_disconnect and provision sudo
This was a fantastic exercise in sudoers syntax, new ansible modules (blockinfile, copy, template) and general security considerations. The openfortivpn process must be run as root, and so it can only be killed by root. A simple pkill openfortivpn won't do: we need sudo. But what if we're in a context where we can't supply the password - i.e. clicking a polybar module? We'll have to add a script we can run with passwordless sudo. But how do we manage this script? The usual linking of an executable script to ~/.local/bin works, but... First I thought enabling passwordless sudo for a symlink would have security implications. What if the underlying script was changed? In the end, that would probably not have worked, because sudo would have evaluated the permissions for the target file and not the symlink. But nevertheless, I set out to write a non-modifiable script, executable by everyone and with passwordless sudo by members of the openfortivpn group. This is the result. In the process, I also moved the manual steps from the base/work README to topic.tasks.yml. The CLI will require some updates to pass the 'sudo_enabled' tag.
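As an added example (not code from this commit or the repository), a small Python helper that renders the kind of sudoers rule the message describes and audits the target script for the properties the author set out to get: root-owned, not writable by group or others, and audited as the resolved file rather than the symlink. The group name openfortivpn comes from the commit; the script path /usr/local/bin/vpn_disconnect and the helper names are assumptions.

```python
import os
import stat
import tempfile


def render_sudoers_rule(group: str, script: str, run_as: str = "root") -> str:
    """Render a sudoers line letting members of `group` run `script` as
    `run_as` without a password. Script path is assumed, not the project's."""
    if not os.path.isabs(script):
        raise ValueError("sudoers commands must be absolute paths")
    return f"%{group} ALL=({run_as}) NOPASSWD: {script}"


def audit_sudo_target(path: str, expected_uid: int = 0) -> list:
    """Return the problems that would let a non-root user change what a
    NOPASSWD rule executes. An empty list means the target looks safe."""
    problems = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        problems.append("symlink: audit the resolved target, not the link")
        st = os.stat(path)  # follow the link and check the real file
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    if not st.st_mode & stat.S_IXUSR:
        problems.append("not executable by owner")
    return problems


def demo_audit() -> dict:
    """Constructed demo: a loosely permissioned script beside a locked-down
    one and a symlink to it. Files are owned by the current user, so the
    owner check is relaxed to that uid for the demonstration."""
    d = tempfile.mkdtemp()
    me = os.getuid()
    loose = os.path.join(d, "vpn_disconnect_loose")
    tight = os.path.join(d, "vpn_disconnect")
    for p in (loose, tight):
        with open(p, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
    os.chmod(loose, 0o777)  # what we must never hand to NOPASSWD sudo
    os.chmod(tight, 0o755)  # root-style: writable by owner only
    link = os.path.join(d, "vpn_disconnect_link")
    os.symlink(tight, link)
    return {"loose": audit_sudo_target(loose, me),
            "tight": audit_sudo_target(tight, me),
            "link": audit_sudo_target(link, me)}
```

The `expected_uid` default of 0 is what a real deployment check should use; the demo only lowers it because the temporary files cannot be root-owned.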