From 808a40ac68ea6cbca2317363397b8e96a873096f Mon Sep 17 00:00:00 2001
From: Tunui Franken
Date: Sun, 7 Apr 2024 12:49:52 +0200
Subject: [PATCH] Set more specific sudoers permissions for git user

---
 roles/forgejo/tasks/unix.yml | 4 ++--
 roles/forgejo/templates/sudoers.d/git.j2 | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 roles/forgejo/templates/sudoers.d/git.j2

diff --git a/roles/forgejo/tasks/unix.yml b/roles/forgejo/tasks/unix.yml
index 8afc4a4..295f173 100644
--- a/roles/forgejo/tasks/unix.yml
+++ b/roles/forgejo/tasks/unix.yml
@@ -46,8 +46,8 @@
 
 - name: Set sudoer permissions to git user
 become: true
- ansible.builtin.copy:
- content: 'git ALL=(root) NOPASSWD:/usr/bin/systemctl'
+ ansible.builtin.template:
+ src: sudoers.d/git.j2
 dest: /etc/sudoers.d/git
 owner: root
 group: root
diff --git a/roles/forgejo/templates/sudoers.d/git.j2 b/roles/forgejo/templates/sudoers.d/git.j2
new file mode 100644
index 0000000..b3f0efe
--- /dev/null
+++ b/roles/forgejo/templates/sudoers.d/git.j2
@@ -0,0 +1,2 @@
+git ALL=(root) NOPASSWD:/usr/bin/systemctl stop forgejo.service
+git ALL=(root) NOPASSWD:/usr/bin/systemctl restart forgejo.service
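Review bot: The task that writes `/etc/sudoers.d/git` shows no `validate` argument in the visible lines of the `roles/forgejo/tasks/unix.yml` hunk. Now that the content is rendered from `sudoers.d/git.j2`, a syntax slip in the template would be installed as-is, and a malformed file in the sudoers include directory can leave sudo unusable on the host. Adding `validate: /usr/sbin/visudo -cf %s` to the `ansible.builtin.template` arguments makes Ansible check the rendered file before it replaces the destination. The task body continues past the end of the hunk, so this option and a restrictive `mode` (conventionally `'0440'`) may already be set there and should be confirmed.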
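Review bot: The new `roles/forgejo/templates/sudoers.d/git.j2` has no header comment saying that it is generated or why the git user needs exactly these two commands, which makes it easy for a later edit to widen the grant again. I would open the file with `# {{ ansible_managed }}` and a second comment line stating that git may only run `systemctl stop` and `systemctl restart` on `forgejo.service`, and that the rules should not gain wildcards or extra subcommands. Both entries spell out the full argument list, so sudo matches only those exact invocations; that is the property that replaces the earlier unrestricted `/usr/bin/systemctl` rule and is worth recording. The template contains no Jinja expressions, so the comment lines are the only part that would be rendered.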