CO admin group users need TOTP for sudo

README.md

@@ -26,7 +26,7 @@ Galaxy is configured to let the webserver (Nginx) handle authentication. The web
 
 Any members of the workspace's Collaborative Organisation (CO) will be able to authenticate using the authentication mechanism of their institution (Single Sign-On).
 
-Galaxy is configured such that members of the CO that are in the SRAM workspace admin group (`src_co_admin`) will be Galaxy administrators. Other users are normal users.
+Galaxy is configured such that members of the CO that are in the SRAM workspace admin group (`src_co_admin`) will be Galaxy administrator when logging in via SSH (`sudo` will require entering the user's SRAM TOTP). Other users are normal users.
 
 ### Logging in via SSH
 

galaxysrv.yml

@@ -92,7 +92,7 @@
     - name: Populate service facts
       ansible.builtin.service_facts:
 
-    # This is to ensure that the Collaborative Organisation admin group can use passwordless sudo on the machine,
+    # This is to ensure that the Collaborative Organisation admin group can use sudo on the machine,
     # allowing us to disable the ResearchCloud co_passwordless_sudo parameter,
     # which grants passwordless sudo to *all* CO users on the machine.
     - name: Add CO admin group to sudoers
@@ -101,7 +101,7 @@
         owner: "root"
         group: "root"
         mode: "0644"
-        content: "%{{ _galaxy_admin_co_group }} ALL=(ALL) NOPASSWD: ALL"
+        content: "%{{ _galaxy_admin_co_group }} ALL=(ALL:ALL) ALL"
 
     - name: Enable the server and bootstrap
       when: "ansible_facts.services['galaxy-gunicorn.service'] is not defined or ansible_facts.services['galaxy-gunicorn.service']['state'] != 'running' or _galaxy_do_bootstrap"