allowing user to run systemctl/systemd services without password

Solution 1

The sudoers file is fairly flexible, and with that comes complexity. What you want here is to permit access to the command /bin/systemctl, with specific parameters:

%LimitedAdmins ALL=NOPASSWD: /bin/systemctl restart unicorn_my_app.service

Basically you just take the exact command line that you would type, hard-code the path name for safety's sake, and put that into your sudoers file (or /etc/sudoers.d). And note that 'start' and 'restart' are completely different as far as sudo is concerned; permitting one won't grant access to the other.

Solution 2

I too thought visudo only worked on /etc/sudoers but happily, I was mistaken.

visudo can be used to modify existing files in /etc/sudoers.d or create new ones. The -f parameter allows this. If the command is invoked like this:

visudo -f /etc/sudoers.d/permissions_for_subset_of_users

you can use visudo's validation capabilities to allow safe editing of sudoers.

Also, if you are using some kind of CI/CD or configuration management, you can use visudo -cf <name_of_file> to run a validation of the configuration. (Our lead sysadmin provided that second piece of knowledge.)

Reference: https://www.sudo.ws/man/1.8.13/visudo.man.html
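As an added example (not code from either answer above), the following POSIX shell script builds the rule from Solution 1, syntax-checks it with visudo -cf as in Solution 2, and installs it read-only into a sudoers.d directory. The group, verb and unit name are the ones from the question; the function names, the /usr/bin fallback for systemctl, and the dry run into a temporary directory are this example's own.

```shell
#!/bin/sh
# Added example: generate, validate and install a sudoers.d fragment that lets
# one group run exactly one systemctl verb on one unit without a password.
# Group/unit/verb values come from the question; function names are assumed.
set -u

# Emit a single sudoers rule.  The command is written with its absolute path,
# and the verb ("restart") and unit are part of the matched argument list, so
# "start" and "status" stay password-protected unless listed explicitly.
sudoers_rule() {
    # $1 group, $2 absolute path to systemctl, $3 verb, $4 unit
    printf '%%%s ALL=NOPASSWD: %s %s %s\n' "$1" "$2" "$3" "$4"
}

# Resolve systemctl's real path on this host: /bin/systemctl on some distros,
# /usr/bin/systemctl on others (the comment thread notes the difference).
systemctl_path() {
    for p in /usr/bin/systemctl /bin/systemctl; do
        [ -x "$p" ] && { printf '%s\n' "$p"; return 0; }
    done
    return 1
}

# The #includedir directive skips files that contain a '.' or end in '~',
# so a fragment named "limitedadmins.conf" would be silently ignored.
check_fragment_name() {
    case $1 in
        ''|*.*|*~) return 1 ;;
        *)         return 0 ;;
    esac
}

# Write the rules (from stdin) to a temporary file, syntax-check it with
# visudo -cf when visudo is present, then install it as DIR/NAME, mode 0440.
install_fragment() {
    # $1 fragment name, $2 target directory (e.g. /etc/sudoers.d)
    check_fragment_name "$1" || { echo "bad fragment name: $1" >&2; return 1; }
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        # A syntax error here must abort before anything reaches sudoers.d.
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    cp "$tmp" "$2/$1" && chmod 0440 "$2/$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Dry run into a scratch directory so the example runs anywhere; for real use
# pass /etc/sudoers.d as the directory and run as root.
demo() {
    dir=$(mktemp -d) || return 1
    sc=$(systemctl_path) || sc=/bin/systemctl   # fall back to the path used on the page
    sudoers_rule LimitedAdmins "$sc" restart unicorn_my_app.service |
        install_fragment limitedadmins "$dir" || return 1
    cat "$dir/limitedadmins"
    rm -rf "$dir"
}
```

After a real install, `sudo -l -U ubuntu` (run as root) lists the rule exactly as sudo will match it, which is the quickest way to confirm that the path and argument list line up with what the user actually types.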

MikeiLL

Mike Kilmer began blogging in the mid-nineties for his web diary, Obliteration and through work as a web developer, branched out into professional blogging in 2010. Relatively experienced in php, css and wordpress and learning python and more javascript and unix/linux.

Updated on September 18, 2022

Comments

  • MikeiLL
    MikeiLL over 1 year

    I want the default user, ubuntu to be able to run a specific service without being prompted for a password.

    Specifically systemctl restart unicorn_my_app.service.

    Have followed the instructions here to add user ubuntu to a newly created group, LimitedAdmins, which is confirmed with:

    $ getent group LimitedAdmins
    LimitedAdmins:x:1001:ubuntu
    

    Created a new file, limitedadmins (using sudo vim) in the /etc/sudoers.d directory containing the following text:

    %LimitedAdmins ALL=NOPASSWD: /etc/init.d/unicorn_ofn_america restart, /etc/init.d/unicorn_ofn_america start

    I have also tried:

    %LimitedAdmins ALL=NOPASSWD: /bin/systemctl/unicorn_ofn_america restart, /bin/systemctl/unicorn_ofn_america start

    (And /bin/systemd)

    Content of /etc/sudoers/ is the default as confirmed with sudo visudo (or sudo cat /etc/sudoers):

    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # Please consider adding local content in /etc/sudoers.d/ instead of
    # directly modifying this file.
    #
    # See the man page for details on how to write a sudoers file.
    #
    Defaults    env_reset
    Defaults    mail_badpass
    Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    
    # Host alias specification
    
    # User alias specification
    
    # Cmnd alias specification
    
    # User privilege specification
    root    ALL=(ALL:ALL) ALL
    
    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL
    
    # Allow members of group sudo to execute any command
    %sudo   ALL=(ALL:ALL) ALL
    
    # See sudoers(5) for more information on "#include" directives:
    
    #includedir /etc/sudoers.d
    

    (The hash sign in #includedir is not a comment, but part of the #include directive syntax).

    However, there's still a password prompt after running systemctl restart unicorn_my_app.service

    Service is there in the init.d directory:

    $ ls -l /etc/init.d | grep unicorn
    -rwxr--r-- 1 ubuntu ubuntu 1874 Oct 29 06:47 unicorn_my_app
    

    Tried chmodding 755 on the app, but don't think that should make a difference, since ubuntu owns it anyway.

    Even tried rebooting the system with no difference. Am I missing a step (like a restart/reload)? Configuring something wrong?

    I should also mention that I used vim to create the new file within /etc/sudoers.d, as it seems that the visudo command is only for editing /etc/sudoers.

    UPDATE

    Looks like you can edit additional sudo config files with visudo. See below.

  • MikeiLL
    MikeiLL over 8 years
    Doesn't seem to be working. I can copy /bin/systemctl restart unicorn_my_app.service directly from the /etc/sudoers.d/limitedadmins file and run it in the CLI, and am prompted for a password. Does user ubuntu need to be specified somewhere, or does ALL open it up to all users for all domains?
  • rosuav
    rosuav over 7 years
    You would run sudo /bin/systemctl restart unicorn_my_app.service and it should then run without a password. (posting as comment in case PsiOps's answer is separated from this one)
  • kabirbaidhya
    kabirbaidhya over 7 years
    @rosuav Is there any way so that we can run it directly like systemctl restart myapp.service without using sudo?
  • rosuav
    rosuav over 7 years
    Not really, but you could put the command into a script (complete with the sudo prefix), and then put that script onto $PATH. Or make it a shell alias.
  • guettli
    guettli over 7 years
    Attention: On other distros systemctl is in /usr/bin :-(.
  • mvw
    mvw over 5 years
    This was helpful. Also nice to emphasize the differences between start and restart. Thank you.