From 433c403ddc506686bf6104a359f2fb7fc501d229 Mon Sep 17 00:00:00 2001
From: CroneKorkN <i@ckn.li>
Date: Sun, 10 May 2026 17:29:01 +0200
Subject: [PATCH] left4me: validate sudoers file with visudo before install
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A malformed /etc/sudoers.d/left4me would lock sudo on the target
(blast radius: every other bundle using sudo at apply time). bw's
file: items support test_with, which runs the supplied command on the
locally-rendered file before transfer. Use it to gate the sudoers
file on visudo -cf — analogous to the visudo -cf check the original
deploy script ran inline (deploy-test-server.sh:186).
---
 bundles/left4me/items.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/bundles/left4me/items.py b/bundles/left4me/items.py
index 777bb13..7daee66 100644
--- a/bundles/left4me/items.py
+++ b/bundles/left4me/items.py
@@ -84,6 +84,7 @@ files = {
         'mode': '0440',
         'owner': 'root',
         'group': 'root',
+        'test_with': 'visudo -cf {}',
     },
     '/etc/sysctl.d/99-left4me.conf': {
         'source': 'etc/sysctl.d/99-left4me.conf',