line: "%sudo ALL=(ALL:ALL) NOPASSWD:ALL"
Pretty sure you’re creating a massive security vulnerability with this but please correct me if I’m wrong.
That’s exactly what the /etc/sudoers file does; it grants root privileges as an exception, so that a specific user may execute a specific, benign command e.g. service php8.0-fpm start/stop/reload without requiring a password, otherwise the system is locked down to root.
What Ansible is doing with roles/users/tasks/main.yml between lines 42-50 is:
```yaml
- name: Add web user sudoers items for services
  template:
    src: sudoers.d.j2
    dest: "/etc/sudoers.d/{{ web_user }}-services"
    mode: '0440'
    owner: root
    group: root
    validate: "/usr/sbin/visudo -cf %s"
  when: web_sudoers[0] is defined
```
If the web_sudoers variable has an item in the array, take that as a string and create a file on the server at /etc/sudoers.d/web-services with a single line of text that is determined by the variables interpreted by the Jinja2 templating engine at roles/users/templates/sudoers.d.j2. It uses the visudo command to validate the input, so that you don’t accidentally bork your server. You can read more about this here.
```jinja2
# {{ ansible_managed }}
{% for service in web_sudoers %}
{{ web_user }} ALL=(root) NOPASSWD: {{ service }}
{% endfor %}
```
And since the web_sudoers array does have a value at key 0 at group_vars/all/users.yml as:
```yaml
- "/usr/sbin/service php{{ php_version }}-fpm *"
```
We end up with the following at /etc/sudoers.d/web-services:
```
# Ansible managed
web ALL=(root) NOPASSWD: /usr/sbin/service php8.0-fpm *
```
You’ll need to log into your server as root to read the file but please do and let me know if you get the same output.
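The difference the two posts above are arguing about, a blanket `NOPASSWD:ALL` grant versus a grant scoped to one command, can be checked mechanically. The following is an added example, not code from the original thread or from Trellis: a small Python parser for sudoers-style lines that classifies each rule by how much it delegates. The sample input is constructed for the example; it contains the two lines discussed above plus one hypothetical `deploy` rule (assumed, not from the thread) to show a scoped rule with no wildcard. The regex and the risk labels are the example's own simplification of the sudoers grammar, not an official tool.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the two rules quoted in the thread, plus one hypothetical
# "deploy" rule so the scoped-without-wildcard case is visible too.
SAMPLE_SUDOERS = """\
# Ansible managed
%sudo ALL=(ALL:ALL) NOPASSWD:ALL
web ALL=(root) NOPASSWD: /usr/sbin/service php8.0-fpm *
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
"""

# Simplified user-spec grammar:  who  hosts=(runas)  [TAG:]... command, command
ENTRY_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
# Tags that may prefix a command list; sudoers allows "TAG:cmd" and "TAG: cmd".
TAG_RE = re.compile(
    r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT"
    r"|LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW)\s*:\s*"
)


@dataclass
class SudoRule:
    who: str
    hosts: str
    runas: str
    tags: set[str] = field(default_factory=set)
    commands: list[str] = field(default_factory=list)

    @property
    def nopasswd(self) -> bool:
        return "NOPASSWD" in self.tags

    def risk(self) -> str:
        """Coarse label for how much the rule delegates.

        unrestricted    - any command as any user, no password (the %sudo line)
        full-sudo       - any command, but a password is still required
        scoped-wildcard - one command path, but a trailing '*' admits any
                          argument string (sudoers(5) wildcards match spaces)
        scoped          - one command with a fixed argument list
        """
        if "ALL" in self.commands:
            return "unrestricted" if self.nopasswd else "full-sudo"
        if any("*" in c or "?" in c for c in self.commands):
            return "scoped-wildcard"
        return "scoped"


def parse_sudoers(text: str) -> list[SudoRule]:
    """Parse user-spec lines; comments, blanks, and Defaults lines are skipped."""
    rules: list[SudoRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # not a user spec (aliases etc.) in this simplified parser
        rest = m.group("rest").strip()
        tags: set[str] = set()
        while (tm := TAG_RE.match(rest)):
            tags.add(tm.group(1))
            rest = rest[tm.end():]
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        # sudoers defaults runas to root when the (runas) part is omitted
        runas = m.group("runas") if m.group("runas") is not None else "root"
        rules.append(SudoRule(m.group("who"), m.group("hosts"), runas, tags, commands))
    return rules


def audit(text: str) -> dict[str, str]:
    """Map each grantee to its risk label, e.g. {'%sudo': 'unrestricted', ...}."""
    return {r.who: r.risk() for r in parse_sudoers(text)}


if __name__ == "__main__":
    for rule in parse_sudoers(SAMPLE_SUDOERS):
        print(f"{rule.who:8} runas={rule.runas:8} {rule.risk():16} {rule.commands}")
```

Run against the sample, the `%sudo` line is labelled `unrestricted`, the Trellis-generated `web` line `scoped-wildcard`, and the hypothetical `deploy` line `scoped`. Pointing `parse_sudoers` at the contents of `/etc/sudoers.d/web-services` (read as root, as the post says) gives the same classification for the real file; the parser is deliberately narrow and ignores aliases and `#include` directives, so treat it as a review aid rather than a replacement for `visudo -c`.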