bootstrap: all installation commands run with passwordless sudo

davidandreoletti · davidandreoletti · commit 95e33f2cea6e · 2025-12-07T10:44:54.000+08:00
diff --git a/install/bootstrap_archlinux.sh b/install/bootstrap_archlinux.sh
@@ -73,8 +73,9 @@ else
     exit 1
 fi
 if is_profile_dev_single; then
-    sudoers_add_user "$(whoami)"
+    sudoers_add_profile "dotfiles_dev" "$(whoami)"
 fi
+sudoers_add_profile "dotfiles_bootstrap" "$(whoami)" "bootstrap_permission"
 
 onexit() {
     # FIXME remove config file with passwords ...
@@ -84,6 +85,7 @@ onexit() {
     unset SUDO_OPTIONS
 
     ramdisk_umount_and_destroy_storage "secrets"
+    sudoers_remove_profile "dotfiles_bootstrap" "$(whoami)"
 }
 
 trap onexit EXIT
diff --git a/install/bootstrap_fedora.sh b/install/bootstrap_fedora.sh
@@ -74,8 +74,9 @@ else
     exit 1
 fi
 if is_profile_dev_single; then
-    sudoers_add_user "$(whoami)"
+    sudoers_add_profile "dotfiles_dev" "$(whoami)"
 fi
+sudoers_add_profile "dotfiles_bootstrap" "$(whoami)" "bootstrap_permission"
 
 onexit() {
     # FIXME remove config file with passwords ...
@@ -85,6 +86,7 @@ onexit() {
     unset SUDO_OPTIONS
 
     ramdisk_umount_and_destroy_storage "secrets"
+    sudoers_remove_profile "dotfiles_bootstrap" "$(whoami)"
 }
 
 trap onexit EXIT
diff --git a/install/bootstrap_macos.sh b/install/bootstrap_macos.sh
@@ -84,8 +84,10 @@ else
     exit 1
 fi
 if is_profile_dev_single; then
-    sudoers_add_user "$(whoami)"
+    sudoers_add_profile "dotfiles_dev" "$(whoami)"
 fi
+sudoers_add_profile "dotfiles_bootstrap" "$(whoami)" "bootstrap_permission"
+
 
 onexit() {
     # FIXME remove config file with passwords ...
@@ -95,6 +97,7 @@ onexit() {
     unset SUDO_OPTIONS
 
     ramdisk_umount_and_destroy_storage "secrets"
+    sudoers_remove_profile "dotfiles_bootstrap" "$(whoami)"
 }
 
 trap onexit EXIT
diff --git a/install/common/shell/sudoers.sh b/install/common/shell/sudoers.sh
@@ -1,34 +1,70 @@
-function sudoers_add_user() {
-    local current_user="$1"
-    local stderr_file="/tmp/bootstrap.$$.sudoers.log"
+ETC_SUDOERS_D_DIR="/etc/sudoers.d"
 
-    if sudo visudo -c 1>${stderr_file} 2>&1; then
-        :
-    else
-        if grep "bad permission" "${stderr_file}"; then
-            rm -fv "$stderr_file"
-        else
-            cat "$stderr_file"
-            exit 1
-        fi
+function sudoers_add_profile() {
+    local profile_name="$1"
+    local current_user="$2"
+    local capability="${3:-default}"
+
+    if test "$capability" = "default"; then
+	capability="$current_user ALL=(ALL) ALL"
+    elif test "$capability" = "bootstrap_permission"; then
+	    capability="$current_user ALL=(ALL) NOPASSWD: ALL"
+    fi
+
+    sudoers_add_capability "${profile_name}_${current_user}" "$capability"
+}
+
+function sudoers_remove_profile() {
+    local profile_name="$1"
+    local current_user="$2"
+
+    sudoers_remove_capability "${profile_name}_${current_user}"
+}
+
+function sudoers_remove_capability() {
+    local profile_file="$1"
+
+    local sudoers_file="$ETC_SUDOERS_D_DIR/$profile_file" 
+    if sudo test -f "$sudoers_file"; then
+        sudo rm -v "$sudoers_file"
+    fi
+}
+
+function sudoers_add_capability() {
+    local profile_file="$1"
+    local capability="$2"
+    local stderr_file="/tmp/bootstrap.$$.sudoers.add_capability.$profile_file.log"
+
+    if ! sudoers_verify "${stderr_file}"; then
+	    exit 1
     fi
 
-    local sudoersFile="/etc/sudoers.d/bootstrap-machine" # file name must not contain '.' or '~'
+    # file name must not contain '.' or '~'
+    local sudoers_file="$ETC_SUDOERS_D_DIR/$profile_file" 
 
-    sudo cat <<-EOF > "$sudoersFile" 
-	# Added by dotfiles's boostrap.sh script
-	$current_user	ALL=(ALL) ALL
+    sudo tee "$sudoers_file" > /dev/null <<-EOF
+	# Added by dotfiles's bootstrap.sh script
+	$capability
 	EOF
-    sudo chmod 0440 "$sudoersFile"
+    sudo chmod 0440 "$sudoers_file"
+
+    if ! sudoers_verify "${stderr_file}"; then
+	    exit 1
+    fi
+}
+
+function sudoers_verify() {
+    local stderr_file="$1"
 
     if sudo visudo -c 1>${stderr_file} 2>&1; then
-        :
+        return 0
     else
         if grep "bad permission" "${stderr_file}"; then
             rm -fv "$stderr_file"
+	    return 1
         else
             cat "$stderr_file"
-            exit 1
+            return 1
         fi
     fi
 }
