# SysManage Agent Sudoers Configuration for openSUSE Leap / Tumbleweed / SLES
# This file grants the sysmanage-agent user necessary privileges for system management
# File location: /etc/sudoers.d/sysmanage-agent
# Permissions: 0440 (enforced by package installer)

# Allow non-interactive sudo.
# (``Defaults:sysmanage-agent !requiretty`` was removed — sudo 1.9.x
# dropped the ``requiretty`` flag entirely; non-interactive sudo is
# the default behavior now.)

# Package Management (Zypper — the native openSUSE/SLES package manager).
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/zypper refresh
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/zypper install *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/zypper remove *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/zypper update *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/zypper dup *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/zypper patch *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/zypper list-updates *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/zypper list-patches *

# Package Management (DNF/YUM) — available as alternatives on Tumbleweed.
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/dnf update
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/dnf install *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/dnf remove *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/dnf upgrade *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/dnf check-update
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/dnf system-upgrade *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/yum update
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/yum install *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/yum remove *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/yum upgrade *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/yum check-update
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/rpm -i *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/rpm -U *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/rpm -e *

# Firmware updates via fwupd (apply_fwupd_updates).
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/fwupdmgr update *

# Snap / Flatpak — supported on openSUSE when installed.
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/snap refresh *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/flatpak update -y *

# Repository Management
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/dnf config-manager *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/yum-config-manager *
# sudo 1.9.x rejects wildcards inside command arguments (only
# end-of-argument wildcards are accepted, and not inside path
# components).  Bare commands; the agent's own code constrains paths.
sysmanage-agent ALL=(ALL) NOPASSWD: /bin/sed, /usr/bin/sed
sysmanage-agent ALL=(ALL) NOPASSWD: /bin/rm, /usr/bin/rm

# Generic file deployment via ``sudo install`` (used by repository
# mirror apply, agent config push, and any deploy_files step).
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/install

# Repository mirroring tools (Pro+ repository_mirroring_engine).
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/createrepo_c, /usr/sbin/createrepo
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/trickle
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/mkdir, /bin/mkdir
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/find
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/chmod, /bin/chmod
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/chown, /bin/chown

# Systemd Service Management
sysmanage-agent ALL=(ALL) NOPASSWD: /bin/systemctl start *
sysmanage-agent ALL=(ALL) NOPASSWD: /bin/systemctl stop *
sysmanage-agent ALL=(ALL) NOPASSWD: /bin/systemctl restart *
sysmanage-agent ALL=(ALL) NOPASSWD: /bin/systemctl enable *
sysmanage-agent ALL=(ALL) NOPASSWD: /bin/systemctl disable *
sysmanage-agent ALL=(ALL) NOPASSWD: /bin/systemctl is-active *
sysmanage-agent ALL=(ALL) NOPASSWD: /bin/systemctl daemon-reload
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/systemctl start *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/systemctl enable *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/systemctl disable *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/systemctl is-active *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/systemctl daemon-reload

# Firewall Management (firewalld)
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/firewall-cmd *
sysmanage-agent ALL=(ALL) NOPASSWD: /bin/firewall-cmd *

# SELinux Management
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/sbin/setenforce *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/sbin/getenforce
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/sbin/semanage *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/sbin/setsebool *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/sbin/getsebool *

# System Power Management
sysmanage-agent ALL=(ALL) NOPASSWD: /sbin/shutdown -r *
sysmanage-agent ALL=(ALL) NOPASSWD: /sbin/shutdown -h *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/sbin/shutdown -r *
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/sbin/shutdown -h *
sysmanage-agent ALL=(ALL) NOPASSWD: /sbin/reboot
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/sbin/reboot
sysmanage-agent ALL=(ALL) NOPASSWD: /sbin/poweroff
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/sbin/poweroff

# Certificate Management
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/update-ca-trust extract
sysmanage-agent ALL=(ALL) NOPASSWD: /usr/bin/update-ca-trust
