add su_debuild::sudo class

files/etc/filter-syslog/pbuilder

+# Syslog filter rules for a system building packages with pbuilder.
+
+# Running pbuilder via sudo.
+sudo:	/.* USER=root ; COMMAND=/usr/sbin/pbuilder .*/
+sudo:	/.* USER=root ; COMMAND=/usr/sbin/cowbuilder .*/
+sudo:   /^pam_unix\(sudo:session\): session (opened|closed) for user root/
+
+# People doing builds out of AFS home directories.
+kernel: /^\[\d+\.\d+\] afs: byte-range locks only enforced for processes on /

files/etc/pam.d/sudo

+#%PAM-1.0
+
+@include common-auth
+@include common-account
+
+# @include common-session-noninteractive
+#
+# Instead of including the stock common-session-noninteractive we
+# use parts of it, overriding minimum_uid for pam_afs_session
+# so that sudo will be able to get AFS tokens (helps with cowbuilder)
+session optional		pam_krb5.so minimum_uid=1000
+session required		pam_unix.so
+session optional		pam_afs_session.so minimum_uid=0

manifests/sudo.pp

+class su_debuld::sudo {
+
+  ### SUDO ###
+  ensure_packages(['sudo'], {'ensure' => 'present'})
+
+  # Install a sudo configuration letting mortals run pdebuild.
+  file_line { 'sudo_rule_for_pdebuild':
+    path => '/etc/sudoers',
+    line => '%root      ALL = NOPASSWD: /usr/sbin/cowbuilder',
+  }
+
+  # Ignore the pbuilder sudos.
+  file { '/etc/filter-syslog/pbuilder':
+    source => 'puppet:///modules/su_debuild/etc/filter-syslog/pbuilder';
+  }
+
+  # To be able to run cowbuilder in AFS, we need to use a special version of
+  # /etc/pam.d/sudo.
+  file {
+    '/etc/pam.d/sudo':
+      source  => 'puppet:///modules/su_debuild/etc/pam.d/sudo',
+      require => Package['sudo'];
+  }
+
+}