diff --git a/initial_install/roles/baseline_sudo/tasks/main.yml b/initial_install/roles/baseline_sudo/tasks/main.yml
new file mode 100644
index 0000000..2093767
--- /dev/null
+++ b/initial_install/roles/baseline_sudo/tasks/main.yml
@@ -0,0 +1,43 @@
+---
+- name: Ensure sudo package is installed
+ ansible.builtin.package:
+ name: sudo
+ state: present
+
+# Detect alternative sudo binaries (rust sudo etc.)
+- name: Find sudo candidates
+ ansible.builtin.shell: |
+ ls -1 /usr/bin/sudo* 2>/dev/null | grep -v '^/usr/bin/sudo$' || true
+ register: sudo_candidates
+ changed_when: false
+
+- name: Pick preferred sudo binary
+ ansible.builtin.set_fact:
+ preferred_sudo: "{{ sudo_candidates.stdout_lines[0] | default('/usr/bin/sudo') }}"
+
+# RHEL-like systems → use alternatives
+- name: Ensure alternatives exists (RHEL-like)
+ ansible.builtin.package:
+ name: alternatives
+ state: present
+ when: ansible_facts.os_family in ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse']
+
+- name: Register sudo in alternatives
+ ansible.builtin.command: >
+ alternatives --install /usr/bin/sudo sudo {{ preferred_sudo }} 100
+ when: ansible_facts.os_family in ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse']
+ ignore_errors: true
+
+- name: Force preferred sudo via alternatives
+ ansible.builtin.command: >
+ alternatives --set sudo {{ preferred_sudo }}
+ when: ansible_facts.os_family in ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse']
+ ignore_errors: true
+
+# Debian fallback (no alternatives)
+- name: Ensure /usr/bin/sudo points to system sudo (Debian fallback)
+ ansible.builtin.file:
+ src: "{{ preferred_sudo }}"
+ dest: /usr/bin/sudo
+ state: link
+ when: ansible_facts.os_family == "Debian"
\ No newline at end of file
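Review bot: `Find sudo candidates` and `Pick preferred sudo binary` trust whatever `ls -1 /usr/bin/sudo*` lists first, so companion tools that usually ship with sudo (`sudoedit`, `sudoreplay`) or any stray file with that prefix can be chosen as the host's privilege-escalation binary and then wired in through alternatives or the Debian symlink. When nothing matches, `preferred_sudo` falls back to `/usr/bin/sudo`, and the Debian task is then asked to link `/usr/bin/sudo` to itself. Pick from one explicitly named path, confirm it with `ansible.builtin.stat` before use, and skip the link task when the choice is already `/usr/bin/sudo`, as sketched below. The `ignore_errors: true` on both alternatives tasks also hides a failed switch of the sudo binary; drop it or narrow it with `failed_when`. Separately, `ansible_facts.os_family` reports `RedHat` for Rocky, AlmaLinux, Fedora and Oracle Linux, so those list entries look like distribution names and never match.

```yaml
# baseline_sudo_alt_path is a proposed role variable (placeholder name), e.g. set in defaults/main.yml
- name: Check the approved alternative sudo binary
  ansible.builtin.stat:
    path: "{{ baseline_sudo_alt_path }}"
  register: sudo_alt

- name: Pick preferred sudo binary
  ansible.builtin.set_fact:
    preferred_sudo: >-
      {{ baseline_sudo_alt_path
         if (sudo_alt.stat.exists and sudo_alt.stat.uid == 0)
         else '/usr/bin/sudo' }}

# … unchanged: alternatives package and alternatives --install / --set tasks …

- name: Ensure /usr/bin/sudo points to preferred sudo (Debian fallback)
  # … unchanged: ansible.builtin.file src / dest / state …
  when:
    - ansible_facts.os_family == "Debian"
    - preferred_sudo != '/usr/bin/sudo'
```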