# SysManage Agent Sudoers Configuration for openSUSE Leap / Tumbleweed / SLES
# This file grants the sysmanage-agent user necessary privileges for system management
# File location: /etc/sudoers.d/sysmanage-agent
# Permissions: 0440 (enforced by package installer)

# Allow non-interactive sudo: turn off the requiretty check so sudo can be
# called when no terminal is attached.  The setting is scoped to the
# sysmanage-agent user only (Defaults:<user>), not to the whole system.
# After any edit, validate this file with `visudo -cf <path to this file>`
# before it is installed; a syntax error in a sudoers.d file can break sudo.
Defaults:sysmanage-agent !requiretty

# Package Management (Zypper — the native openSUSE/SLES package manager).
# Each rule pins the zypper subcommand as the first argument.  `refresh` has
# no wildcard, so it matches only when called with exactly that argument; the
# other rules end in `*`, which accepts any further arguments (in sudoers
# argument matching `*` also matches spaces and `/`).
# NOTE(review): installing or removing arbitrary packages as root is
# effectively full root access (package scriptlets run as root).  Treat the
# sysmanage-agent account, and whatever is able to send it commands, as
# root-equivalent when threat-modelling.
# NOTE(review): `(ALL)` lets the agent choose any target user; `(root)` would
# be sufficient if it only ever runs these commands as root — confirm.
# NOTE(review): an invocation with global options before the subcommand
# (e.g. `zypper --non-interactive install ...`) would not match these rules,
# and a pattern ending in ` *` likely does not match the bare subcommand with
# nothing after it — verify with `sudo -l` as the agent user.
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/zypper refresh
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/zypper install *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/zypper remove *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/zypper update *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/zypper dup *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/zypper patch *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/zypper list-updates *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/zypper list-patches *

# Package Management (DNF/YUM) — available as alternatives on Tumbleweed.
# Rules without a wildcard (`dnf update`, `dnf check-update`, `yum update`,
# `yum check-update`) match only that exact argument list; adding an option
# such as `-y` would not match.  Rules ending in `*` accept any further
# arguments.
# NOTE(review): `install *`, `rpm -i *` and `rpm -U *` accept any package
# name or file path.  Package scriptlets run as root, so these rules are
# root-equivalent; if the agent only installs from configured repositories,
# the direct rpm rules may be unnecessary — confirm and drop if unused.
# NOTE(review): the rpm rules fix `-i`, `-U` or `-e` as the first argument,
# so combined short options (e.g. `-ivh`) would not match — verify against
# the agent's actual invocation.
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/dnf update
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/dnf install *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/dnf remove *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/dnf upgrade *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/dnf check-update
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/dnf system-upgrade *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/yum update
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/yum install *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/yum remove *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/yum upgrade *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/yum check-update
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/rpm -i *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/rpm -U *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/rpm -e *

# Firmware updates via fwupd (apply_fwupd_updates).
# Only the `update` subcommand is permitted; the trailing `*` accepts any
# arguments after it.
# NOTE(review): because the pattern ends in ` *`, a bare `fwupdmgr update`
# with nothing after it likely does not match — verify with `sudo -l` as the
# agent user.
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/fwupdmgr update *

# Snap / Flatpak — supported on openSUSE when installed.
# Only refresh/update operations are allowed; flatpak must be called with
# `update -y` as its first two arguments.  The trailing `*` accepts any
# further arguments.
# NOTE(review): a pattern ending in ` *` likely requires at least one
# argument after the fixed part, so `snap refresh` or `flatpak update -y`
# with nothing following may be refused — verify with `sudo -l`.
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/snap refresh *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/flatpak update -y *

# Repository Management
# Lets the agent change DNF/YUM repository configuration and edit or delete
# files matching /etc/yum.repos.d/*.
# NOTE(review): the path patterns in the sed and rm rules are not a directory
# confinement.  In sudoers argument matching `*` also matches spaces and `/`,
# so `sed -i * ...` accepts any sed script plus additional operands, and the
# trailing `*` accepts path components beyond the directory.  Prefer a
# root-owned helper script that validates a bare file name, or have the agent
# write repo files only through a fixed-argument command.
# NOTE(review): control over repository definitions also controls where
# packages are fetched from and whether signatures are checked, so this
# section is as sensitive as the package-install rules.
# NOTE(review): zypper keeps its repository files under /etc/zypp/repos.d;
# nothing in this section covers that directory — confirm whether intended.
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/dnf config-manager *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/yum-config-manager *
sysmanage-agent ALL=(ALL) NOPASSWD: /bin/sed -i * /etc/yum.repos.d/*
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/sed -i * /etc/yum.repos.d/*
sysmanage-agent ALL=(ALL) NOPASSWD: /bin/rm -f /etc/yum.repos.d/*

# Generic file deployment via ``sudo install`` (used by repository
# mirror apply, agent config push, and any other plan that uses the
# ``generic_deployment.deploy_files`` step).  Source is restricted to
# the agent's staging-tmp prefix (``/tmp/.sysmanage_deploy_*``, which
# the agent creates with mkstemp and 0600 mode); destination is
# restricted to the system config dirs the engine actually targets.
# Without these rules, ``sudo install`` returns "user not allowed"
# and every deploy_files step fails.
#
# NOTE(review): the restriction is by pattern only.  In sudoers argument
# matching ``*`` also matches spaces and ``/``, so the ``-m``, ``-o`` and
# ``-g`` values are unconstrained (any mode, owner or group) and the
# destination is a prefix match rather than a confinement to the listed
# directory.  Consider fixed mode/owner/group values in the rule and an
# agent-side check of the resolved destination path.
# NOTE(review): the staging file lives in world-writable /tmp; the mkstemp
# and 0600 guarantees described above are enforced by the agent, not by
# these rules.
# NOTE(review): /etc/apt/sources.list.d and /usr/local/etc/pkg/repos look
# like paths for other platforms; on openSUSE/SLES those two rules are
# presumably unused and could be dropped — confirm.
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/install -m * -o * -g * /tmp/.sysmanage_deploy_* /etc/apt/sources.list.d/*
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/install -m * -o * -g * /tmp/.sysmanage_deploy_* /etc/yum.repos.d/*
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/install -m * -o * -g * /tmp/.sysmanage_deploy_* /etc/zypp/repos.d/*
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/install -m * -o * -g * /tmp/.sysmanage_deploy_* /usr/local/etc/pkg/repos/*

# Systemd Service Management
# The same seven rules are listed for /bin/systemctl and /usr/bin/systemctl,
# presumably so the rule matches whichever path the agent resolves.
# `daemon-reload` must be called with exactly that argument; the other rules
# accept any unit name and any further arguments after the subcommand.
# NOTE(review): start/stop/enable/disable apply to every unit on the host,
# including security-relevant ones (logging, auditing, firewall).  If the
# agent manages a known set of services, list those unit names instead of
# `*`, and alert on stop/disable of security services.
# NOTE(review): `is-active` normally works without root; the rule may be
# unnecessary — confirm.
sysmanage-agent ALL=(ALL) NOPASSWD: /bin/systemctl start *
sysmanage-agent ALL=(ALL) NOPASSWD: /bin/systemctl stop *
sysmanage-agent ALL=(ALL) NOPASSWD: /bin/systemctl restart *
sysmanage-agent ALL=(ALL) NOPASSWD: /bin/systemctl enable *
sysmanage-agent ALL=(ALL) NOPASSWD: /bin/systemctl disable *
sysmanage-agent ALL=(ALL) NOPASSWD: /bin/systemctl is-active *
sysmanage-agent ALL=(ALL) NOPASSWD: /bin/systemctl daemon-reload
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/systemctl start *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/systemctl enable *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/systemctl disable *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/systemctl is-active *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/systemctl daemon-reload

# Firewall Management (firewalld)
# Both rules allow firewall-cmd with any arguments, i.e. full control of the
# firewalld configuration, listed once per binary path.
# NOTE(review): no subcommand is pinned here, so the agent can open ports,
# change zones and make permanent changes.  If only a few operations are
# needed, enumerate them; otherwise make sure firewall changes are logged
# and reviewed.
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/firewall-cmd *
sysmanage-agent ALL=(ALL) NOPASSWD: /bin/firewall-cmd *

# SELinux Management
# Covers switching the enforcement mode, policy management via semanage, and
# reading/setting SELinux booleans.  `getenforce` is listed without an
# argument pattern, which in sudoers permits any arguments.
# NOTE(review): `setenforce *` lets the agent switch the host to permissive
# mode and `semanage *` lets it alter policy mappings; both weaken mandatory
# access control if misused.  Audit and alert on their use.
# NOTE(review): getenforce and getsebool are read-only queries that normally
# do not need root — confirm these two rules are required.
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/sbin/setenforce *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/sbin/getenforce
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/sbin/semanage *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/sbin/setsebool *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/sbin/getsebool *

# System Power Management
# shutdown is limited to invocations whose first argument is `-r` (reboot)
# or `-h` (halt), followed by any further arguments.  reboot and poweroff
# are listed without an argument pattern, which in sudoers permits any
# arguments.  Each command appears under both /sbin and /usr/sbin.
# NOTE(review): these rules let the agent take the host offline; make sure
# the action is authorised and logged on the management side as well.
sysmanage-agent ALL=(ALL) NOPASSWD: /sbin/shutdown -r *
sysmanage-agent ALL=(ALL) NOPASSWD: /sbin/shutdown -h *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/sbin/shutdown -r *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/sbin/shutdown -h *
sysmanage-agent ALL=(ALL) NOPASSWD: /sbin/reboot
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/sbin/reboot
sysmanage-agent ALL=(ALL) NOPASSWD: /sbin/poweroff
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/sbin/poweroff

# Certificate Management
# Allows rebuilding the system trust store with update-ca-trust.
# NOTE(review): the second rule names the command without an argument
# pattern, which in sudoers permits any arguments, so the `extract` rule
# above it is redundant.  To restrict the command to `extract` only, remove
# the bare rule.
# NOTE(review): openSUSE/SLES normally ship `update-ca-certificates` rather
# than `update-ca-trust`; confirm which tool the agent calls on this
# platform.
# NOTE(review): adding trust anchors affects TLS validation for the whole
# host, so the directories this tool reads from should be writable by root
# only.
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/update-ca-trust extract
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/update-ca-trust
