Kumina | Blog

Deploying sudo rules via puppet, the Kumina way


We wanted to give some of our customers the ability to restart some of their own services on their development environment. To be able to do this we made a puppet module. Augeas can also alter the /etc/sudoers file, but it didn’t fit into our way of working with puppet.

The module is called gen_sudo, as per our puppet module naming conventions, and works on Debian (it should be easy to adapt to your own needs). You can add a rule as follows:

class web::dev_sites {
  include gen_sudo
  [..........]
  # One gen_sudo::rule per entity; the title becomes the comment above the generated lines
  gen_sudo::rule { "Devs can semi-control apache":
    entity            => "%devs",
    as_user           => "root",
    password_required => false,
    command           => ["/etc/init.d/apache2 restart",
                          "/etc/init.d/apache2 reload",
                          "/etc/init.d/apache2 start"],
  }
  [..........]
}

Depending on the Debian version, it either uses puppet-concat to create a fragment for /etc/sudoers (Lenny and older) or it puts a file in /etc/sudoers.d/ (Squeeze and newer) containing:

# Devs can semi-control apache
%devs ALL=(root) NOPASSWD: /etc/init.d/apache2 restart
%devs ALL=(root) NOPASSWD: /etc/init.d/apache2 reload
%devs ALL=(root) NOPASSWD: /etc/init.d/apache2 start

This module has two features which make life easy. First, removing a gen_sudo::rule from a manifest implies ensure => absent, so the rule is removed from the host on the next puppet run. Second, the command parameter accepts either a string or an array of strings, so you can give the same entity a set of commands it may run.

As you can see, the host part of each rule is ALL. This is done on purpose: the rules are deployed only on the nodes that include the web::dev_sites class, so they won't show up on production systems.
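As an added illustration of the two features and the sudoers.d case described above (Squeeze and newer), here is how a defined type like gen_sudo::rule can be built. This is not Kumina's own module code; it assumes Puppet 5.5 or newer (built-in map and join) and an /etc/sudoers that already contains an #includedir /etc/sudoers.d line. The visudo check on the fragment is an addition the post does not describe.

```puppet
# Assumed reconstruction, not the gen_sudo module itself.
# Requires Puppet >= 5.5 and "#includedir /etc/sudoers.d" in /etc/sudoers.
class gen_sudo {
  # Purging the directory is what makes "rule removed from the manifest"
  # mean "fragment removed from the host" on the next run. Debian ships a
  # README in this directory, so it is ignored rather than purged.
  file { '/etc/sudoers.d':
    ensure  => directory,
    owner   => 'root',
    group   => 'root',
    recurse => true,
    purge   => true,
    ignore  => 'README',
  }
}

define gen_sudo::rule (
  String                         $entity,
  Variant[String, Array[String]] $command,
  String                         $as_user           = 'root',
  Boolean                        $password_required = true,
  Enum['present', 'absent']      $ensure            = 'present',
) {
  include gen_sudo

  # The command parameter accepts one string or a list of them.
  $commands = $command ? {
    String  => [$command],
    default => $command,
  }
  $tag   = $password_required ? { true => '', default => 'NOPASSWD: ' }
  $lines = $commands.map |String $c| { "${entity} ALL=(${as_user}) ${tag}${c}" }
  $body  = join($lines, "\n")

  # sudo skips files in sudoers.d whose name contains '.' or ends in '~',
  # so the resource title is reduced to a safe file name.
  $fname = regsubst($title, '[^A-Za-z0-9_-]', '_', 'G')

  file { "/etc/sudoers.d/${fname}":
    ensure       => $ensure,
    owner        => 'root',
    group        => 'root',
    mode         => '0440',
    content      => "# ${title}\n${body}\n",
    # A syntactically broken fragment disables sudo for everyone on the
    # host, so the file is only installed if visudo accepts it.
    validate_cmd => '/usr/sbin/visudo -c -f %',
  }
}
```

With the example from the manifest above, the generated file contains exactly the three %devs lines shown earlier, and dropping the gen_sudo::rule from web::dev_sites removes the file on the next run.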

The code is available on GitHub.
