ansible/initial_install/roles/baseline_sudo/tasks/main.yml

---
- name: Ensure sudo package is installed
  ansible.builtin.package:
    name: sudo
    state: present

- name: Ensure automation user has passwordless sudo
  ansible.builtin.copy:
    dest: /etc/sudoers.d/automation
    owner: root
    group: root
    mode: '0440'
    content: |
      automation ALL=(ALL:ALL) NOPASSWD: ALL
    validate: 'visudo -cf %s'

- name: Ensure sudo binary has correct permissions
  ansible.builtin.file:
    path: /usr/bin/sudo
    owner: root
    group: root
    mode: '4755'
  when: ansible_facts.os_family in ["Debian", "RedHat"]