linux_ws2122_ansible/roles/sudo_users/tasks/main.yml

---

- name: install sudo
  yum:
    name: sudo
    state: present

# https://github.com/ansible/ansible/issues/11024
- name: remove all users from wheel group
  command: groupmems -g wheel --purge
  register: groupmems
  changed_when: "groupmems.rc == 0"

- name: add sudo users to wheel
  user:
    name: "{{ item }}"
    append: yes
    groups: [ wheel ]
  with_items: "{{ sudo_users }}"

- name: remove wheel group to use sudo
  block:
  - name: remove wheel group to use sudo with password
    lineinfile:
      dest: /etc/sudoers
      state: present
      regexp: '^%wheel ALL=\(ALL\) ALL'
      line: '# %wheel ALL=(ALL) ALL'
      validate: 'visudo -cf %s'
      mode: 0440
      owner: root
      group: root

  - name: remove wheel group to use sudo without password
    lineinfile:
      dest: /etc/sudoers
      state: present
      regexp: '^%wheel ALL=\(ALL\) NOPASSWD: ALL'
      line: '# %wheel ALL=(ALL) NOPASSWD: ALL'
      validate: 'visudo -cf %s'
      mode: 0440
      owner: root
      group: root

- name:  allow wheel group to use sudo
  block:
  - name: allow wheel group to use sudo with password
    lineinfile:
      dest: /etc/sudoers
      state: present
      regexp: '^# %wheel ALL=\(ALL\) ALL'
      line: '%wheel ALL=(ALL) ALL'
      validate: 'visudo -cf %s'
      mode: 0440
      owner: root
      group: root
    when: not sudo_without_password

  - name: allow wheel group to use sudo without password
    tags: [ sudo_users_no_pwd ]
    lineinfile:
      dest: /etc/sudoers
      state: present
      regexp: '^# %wheel ALL=\(ALL\) NOPASSWD: ALL'
      line: '%wheel ALL=(ALL) NOPASSWD: ALL'
      validate: 'visudo -cf %s'
      mode: 0440
      owner: root
      group: root
    when: sudo_without_password

# - name: secure path to protect against attacks
#   lineinfile:
#     dest: /etc/sudoers
#     state: present
#     regexp: '^Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"'
#     insertafter: '^# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
#     line: 'Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"'
#     validate: 'visudo -cf %s'
#     mode: 0440
#     owner: root
#     group: root