---
#
# This task sets up /etc/sudoers.d/fedora on a machine.
#

#
# Put in place the default sysadmin-main sudoers file.
#
- name: Setup /etc/sudoers.d/01-sysadmin-main
  ansible.builtin.copy: src="{{ private }}/files/sudo/sysadmin-main" dest=/etc/sudoers.d/01-sysadmin-main owner=root group=root mode=0600
  when: "sudoers_main is not defined and (primary_auth_source | default('fas')) == 'fas'"
  tags:
  - config
  - sudo
  - sudoers

#
# Put in place the default sysadmin-main sudoers file. (nopasswd edition)
#
- name: Setup /etc/sudoers.d/01-sysadmin-main (nopasswd)
  ansible.builtin.copy: src="{{ private }}/files/sudo/sysadmin-main-nopasswd" dest=/etc/sudoers.d/01-sysadmin-main owner=root group=root mode=0600
  when: sudoers_main is defined and sudoers_main == 'nopasswd'
  tags:
  - config
  - sudo
  - sudoers

- name: Remove old sysadmin-main file if its still around
  ansible.builtin.file: dest=/etc/sudoers.d/sysadmin-main state=absent
  tags:
  - config
  - sudo
  - sudoers

#
# This will move a /etc/sudoers.d/ file in place
#
- name: Setup /etc/sudoers.d/sudoer file for client use
  ansible.builtin.copy: src={{ item }} dest=/etc/sudoers.d/{{ item | basename | replace('.', '_') }}
          owner=root group=root mode=0600
  with_first_found:
  - "{{ sudoers }}"
  - "{{ private }}/files/sudo/{{ inventory_hostname }}-sudoers"
  - "{{ private }}/files/sudo/{{ ansible_hostname }}-sudoers"
  - "{{ private }}/files/sudo/{{ ansible_domain }}-sudoers"
  - "{{ private }}/files/sudo/default"
  when: inventory_hostname.startswith('batcave')
  tags:
  - config
  - sudo
  - sudoers