---
- name: Ensure sudo package is installed
  ansible.builtin.package:
    name: sudo
    state: present

- name: Ensure automation user has passwordless sudo
  ansible.builtin.copy:
    dest: /etc/sudoers.d/automation
    content: "automation ALL=(ALL) NOPASSWD:ALL"
    owner: root
    group: root
    mode: '0440'
    validate: 'visudo -cf %s'

- name: Ensure sudo binary has correct permissions
  ansible.builtin.file:
    path: /usr/bin/sudo
    owner: root
    group: root
    mode: '4755'
  when: ansible_facts.os_family in ["Debian", "RedHat"]