Add revoke-sudo role

Also add a .gitignore and establish a documentation pattern.

Change-Id: Ib447ac13d03de4ab61171d50b19117ff654ad329
Co-Authored-By: Paul Belanger <pabelanger@redhat.com>

.gitignore

@@ -0,0 +1,10 @@
+# Unit test / coverage reports
+.coverage
+.tox
+
+# Sphinx
+doc/build
+
+# pbr generates these
+AUTHORS
+ChangeLog

doc/source/index.rst

@@ -3,6 +3,8 @@
 .. toctree::
    :maxdepth: 2
 
+   roles
+
 Indices and tables
 ==================
 

doc/source/roles.rst

@@ -0,0 +1,7 @@
+Roles
+=====
+
+revoke-sudo
+-----------
+.. include:: ../../roles/revoke-sudo/README.rst
+

roles/revoke-sudo/README.rst

@@ -0,0 +1,8 @@
+Remove sudo access for the Zuul user.
+
+If the file ``/etc/sudoers.d/zuul-sudo`` exists, then it will be
+removed.  This is to facilitate systems which may use the same image
+for tests which require sudo and those which do not.
+
+This role also asserts that sudo access has been removed and will
+fail if it has not.

roles/revoke-sudo/tasks/main.yaml

@@ -0,0 +1,8 @@
+- name: Remove sudo access for zuul user.
+  become: yes
+  file:
+    path: /etc/sudoers.d/zuul-sudo
+    state: absent
+
+- name: Prove that general sudo access is actually revoked.
+  shell: ! sudo -n true