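---
## ---------------------------------- ##
## Adds a user to the list of sudoers ##
## ---------------------------------- ##
# Installs sudo, detects the distribution's default sudo-privileged group
# (sudo or wheel), clears stale custom_* drop-ins from /etc/sudoers.d and
# writes a single managed drop-in for that group.
# TODO: add to "admin" groups when needed on OSx/BSD
# https://stackoverflow.com/questions/33359404/ansible-best-practice-for-maintaining-list-of-sudoers

- name: install sudo package
  ansible.builtin.package:
    name: sudo
    state: present

# Determine the default group with sudo privileges.
# The getent module records every group in the `ansible_facts.getent_group`
# fact (a mapping keyed by group name), which replaces the
# `getent group | awk` shell pipeline and its pipefail/quoting concerns.
- name: get all groups
  ansible.builtin.getent:
    database: group

- name: find default sudoers group
  # `when` is evaluated once per loop item; because a custom loop_var is
  # set, the default `item` variable is undefined here and the test must
  # use `sudoer_group`.
  when: sudoer_group in ansible_facts.getent_group
  # XXX: in ascending order of precedence -- set_fact runs once per
  # existing group, so the last matching entry in this list wins
  # see: https://wiki.archlinux.org/index.php/Sudo#Example_entries
  loop:
    - sudo
    - wheel
  loop_control:
    loop_var: sudoer_group
  ansible.builtin.set_fact:
    default_sudoers_group: "{{ sudoer_group }}"

# Fail early with a clear message instead of letting the sudoers task
# below stop on an undefined variable when neither group exists.
- name: check that a default sudoers group was found
  ansible.builtin.assert:
    that: default_sudoers_group is defined
    fail_msg: "neither the 'sudo' nor the 'wheel' group exists on this host; set default_sudoers_group explicitly"

- name: find preexisting custom sudoers files
  ansible.builtin.find:
    paths: "/etc/sudoers.d"
    patterns: "custom_*"
    # The drop-in managed below is excluded so that an unchanged run is
    # idempotent rather than delete-and-recreate on every play.
    excludes: "custom_nologin"
  register: find_custom_sudoers

- name: reset custom sudoers files
  when: find_custom_sudoers.files
  loop: "{{ find_custom_sudoers.files }}"
  loop_control:
    loop_var: custom_sudoer_file
  ansible.builtin.file:
    path: "{{ custom_sudoer_file.path }}"
    state: absent

# NOTE(review): this grants every member of the default sudoers group
# passwordless root for ALL commands, the widest sudo policy possible.
# If a narrower policy is acceptable, restrict `commands` to the required
# binaries and/or drop `nopassword`. The module writes to /etc/sudoers.d
# by default; a syntax error there can lock out sudo, so validating the
# rendered file with `visudo -c` is worthwhile.
- name: add custom sudoers file
  community.general.sudoers:
    name: custom_nologin
    state: present
    group: "{{ default_sudoers_group }}"
    commands: ALL
    nopassword: true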