From 9c2f0e577be7a2c6277c4304b60e174c6b584c7d Mon Sep 17 00:00:00 2001
From: jakub
Date: Fri, 24 Apr 2026 12:20:39 +0000
Subject: [PATCH] Update initial_install/roles/baseline_sudo/tasks/main.yml
---
 .../roles/baseline_sudo/tasks/main.yml | 49 ++++++-------------
 1 file changed, 14 insertions(+), 35 deletions(-)
diff --git a/initial_install/roles/baseline_sudo/tasks/main.yml b/initial_install/roles/baseline_sudo/tasks/main.yml
index 2093767..9ba6a53 100644
--- a/initial_install/roles/baseline_sudo/tasks/main.yml
+++ b/initial_install/roles/baseline_sudo/tasks/main.yml
@@ -4,40 +4,19 @@
 name: sudo
 state: present
 
-# Detect alternative sudo binaries (rust sudo etc.)
-- name: Find sudo candidates
- ansible.builtin.shell: |
- ls -1 /usr/bin/sudo* 2>/dev/null | grep -v '^/usr/bin/sudo$' || true
- register: sudo_candidates
- changed_when: false
+- name: Ensure automation user has passwordless sudo
+ ansible.builtin.copy:
+ dest: /etc/sudoers.d/automation
+ content: "automation ALL=(ALL) NOPASSWD:ALL"
+ owner: root
+ group: root
+ mode: '0440'
+ validate: 'visudo -cf %s'
 
-- name: Pick preferred sudo binary
- ansible.builtin.set_fact:
- preferred_sudo: "{{ sudo_candidates.stdout_lines[0] | default('/usr/bin/sudo') }}"
-
-# RHEL-like systems → use alternatives
-- name: Ensure alternatives exists (RHEL-like)
- ansible.builtin.package:
- name: alternatives
- state: present
- when: ansible_facts.os_family in ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse']
-
-- name: Register sudo in alternatives
- ansible.builtin.command: >
- alternatives --install /usr/bin/sudo sudo {{ preferred_sudo }} 100
- when: ansible_facts.os_family in ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse']
- ignore_errors: true
-
-- name: Force preferred sudo via alternatives
- ansible.builtin.command: >
- alternatives --set sudo {{ preferred_sudo }}
- when: ansible_facts.os_family in ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse']
- ignore_errors: true
-
-# Debian fallback (no alternatives)
-- name: Ensure /usr/bin/sudo points to system sudo (Debian fallback)
+- name: Ensure sudo binary has correct permissions
 ansible.builtin.file:
- src: "{{ preferred_sudo }}"
- dest: /usr/bin/sudo
- state: link
- when: ansible_facts.os_family == "Debian"
\ No newline at end of file
+ path: /usr/bin/sudo
+ owner: root
+ group: root
+ mode: '4755'
+ when: ansible_facts.os_family in ["Debian", "RedHat"]
\ No newline at end of file
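Review bot: The `when: ansible_facts.os_family in ["Debian", "RedHat"]` guard on the last task skips the ownership/setuid check on every other family (the removed tasks also handled Suse), although root-owned `4755` on /usr/bin/sudo is required on any distribution, so dropping the `when` or widening it seems safer than silently leaving other hosts unchecked. Hosts previously converged by the removed tasks may still have /usr/bin/sudo as a symlink to an alternative binary or an alternatives registration; `ansible.builtin.file` follows symlinks by default (`follow: true`), so the new task would set the mode on the link target, and nothing in this change removes that leftover state — a one-off cleanup task or a note in the role docs would close that gap. In the sudoers drop-in, `content: "automation ALL=(ALL) NOPASSWD:ALL"` has no trailing newline; `visudo -cf` catches a parse failure, but writing `content: "automation ALL=(ALL) NOPASSWD:ALL\n"` avoids relying on the installed sudo version's tolerance for that, and the account name reads better as a role variable (something like `baseline_sudo_user`, name illustrative) than a literal. A short comment above that task stating that the drop-in grants unrestricted passwordless root and which controls on the automation account it relies on (key-only login, etc.) would help reviewers of later changes.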