# Strict allowlist — only the commands enumerated below are permitted via sudo.
# No "NOPASSWD: ALL" (or bare "ALL") fallback: unlisted commands are denied,
# provided no other sudoers source (/etc/sudoers, /etc/sudoers.d/*) grants the
# ubuntu user, or a group it belongs to, broader rights — verify with
# `sudo -l -U ubuntu` on the built image.
#
# SECURITY: No wildcards — every allowed argument is enumerated explicitly.
# (In sudoers, a command listed with NO arguments may be run with ANY
# arguments; only an explicit "" pins it to zero arguments.)
# Install dev tools at image build time; do not grant runtime apt-get install.
# Validate edits with `visudo -cf <this file>` and install as root:root 0440.

# Audit logging: keep sudo's own event log in a dedicated file and record the
# output of every sudo session for incident investigation.
# NOTE: log_output captures command output only; keystrokes are not recorded
# (log_input would add them, but also captures any secrets typed at a prompt).
# Session recordings go to sudo's iolog_dir (default /var/log/sudo-io); sudo
# creates the log file and directory root-owned — keep them that way.
Defaults logfile=/var/log/sudo-audit.log, log_output

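# Package management — refresh package indexes only (install at build time).
# "update" is part of the matched command line, so `apt-get install ...`,
# `apt-get -o ...` and any other sub-command are denied.
Cmnd_Alias PKG_UPDATE = /usr/bin/apt-get update

# Service management — one entry per (service, action) pair. Actions not
# listed here (reload, force-reload, ...) and any other service are denied.
Cmnd_Alias SVC_POSTGRES = /usr/sbin/service postgresql start, \
                          /usr/sbin/service postgresql stop, \
                          /usr/sbin/service postgresql restart, \
                          /usr/sbin/service postgresql status
Cmnd_Alias SVC_REDIS    = /usr/sbin/service redis-server start, \
                          /usr/sbin/service redis-server stop, \
                          /usr/sbin/service redis-server restart, \
                          /usr/sbin/service redis-server status

# Network mode switching — enumerate allowed modes.
# SECURITY: in sudoers a command listed with NO arguments may be run with ANY
# arguments; only an explicit "" restricts it to zero arguments. The firewall
# script was previously listed bare and so accepted arbitrary arguments as
# root; it is now pinned to none. If it takes sub-commands, list each one as
# its own entry, exactly as done for network-mode below.
# Both scripts live under /usr/local/bin and run as root — keep that directory
# root-owned and non-writable by ubuntu; a sha256: digest on each entry would
# add defence in depth against a tampered script.
Cmnd_Alias NET_FIREWALL = /usr/local/bin/network-firewall.sh ""
Cmnd_Alias NET_MODE     = /usr/local/bin/network-mode status, \
                          /usr/local/bin/network-mode limited, \
                          /usr/local/bin/network-mode host-only, \
                          /usr/local/bin/network-mode none, \
                          /usr/local/bin/network-mode list, \
                          /usr/local/bin/network-mode help

# DNS configuration (for credential isolation gateway).
# The target path is the only permitted argument, so tee cannot be pointed at
# another file or given -a. It still writes arbitrary stdin into
# /etc/resolv.conf as root, i.e. the caller chooses the resolver — acceptable
# only if the gateway does not depend on DNS answers for its isolation.
Cmnd_Alias DNS_WRITE = /usr/bin/tee /etc/resolv.conf

# Run-as is restricted to root: every command above needs root to do anything
# useful, and (ALL) would additionally permit `sudo -u <any-user> <cmd>`.
ubuntu ALL=(root) NOPASSWD: PKG_UPDATE, SVC_POSTGRES, SVC_REDIS, \
                            NET_FIREWALL, NET_MODE, DNS_WRITE

# NO fallback line — everything else is denied by this file. That guarantee
# holds only if no other sudoers source (/etc/sudoers, /etc/sudoers.d/*)
# grants ubuntu or one of its groups broader rights.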
