Update initial_install/roles/baseline_sudo/tasks/main.yml

initial_install/roles/baseline_sudo/tasks/main.yml

@@ -4,40 +4,19 @@
     name: sudo
     state: present
 
-# Detect alternative sudo binaries (rust sudo etc.)
+- name: Ensure automation user has passwordless sudo
-- name: Find sudo candidates
+  ansible.builtin.copy:
-  ansible.builtin.shell: |
+    dest: /etc/sudoers.d/automation
-    ls -1 /usr/bin/sudo* 2>/dev/null | grep -v '^/usr/bin/sudo$' || true
+    content: "automation ALL=(ALL) NOPASSWD:ALL"
-  register: sudo_candidates
+    owner: root
-  changed_when: false
+    group: root
+    mode: '0440'
+    validate: 'visudo -cf %s'
 
-- name: Pick preferred sudo binary
+- name: Ensure sudo binary has correct permissions
-  ansible.builtin.set_fact:
-    preferred_sudo: "{{ sudo_candidates.stdout_lines[0] | default('/usr/bin/sudo') }}"
-
-# RHEL-like systems → use alternatives
-- name: Ensure alternatives exists (RHEL-like)
-  ansible.builtin.package:
-    name: alternatives
-    state: present
-  when: ansible_facts.os_family in ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse']
-
-- name: Register sudo in alternatives
-  ansible.builtin.command: >
-    alternatives --install /usr/bin/sudo sudo {{ preferred_sudo }} 100
-  when: ansible_facts.os_family in ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse']
-  ignore_errors: true
-
-- name: Force preferred sudo via alternatives
-  ansible.builtin.command: >
-    alternatives --set sudo {{ preferred_sudo }}
-  when: ansible_facts.os_family in ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse']
-  ignore_errors: true
-
-# Debian fallback (no alternatives)
-- name: Ensure /usr/bin/sudo points to system sudo (Debian fallback)
   ansible.builtin.file:
-    src: "{{ preferred_sudo }}"
+    path: /usr/bin/sudo
-    dest: /usr/bin/sudo
+    owner: root
-    state: link
+    group: root
-  when: ansible_facts.os_family == "Debian"
+    mode: '4755'
+  when: ansible_facts.os_family in ["Debian", "RedHat"]