mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2025-01-18 08:06:16 +01:00
infrastructure/roles/sudo/tasks/main.yml
Leonidas Spyropoulos 3ac1bac037
ansible-lint: Forbidden implicit octal value 'xxxx'
Convert the permissions to strings to avoid octal interpretation.

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>
2023-02-18 20:15:54 +02:00


# Make sure the sudo package is installed; state=present is a no-op when it
# already is.
- name: Install sudo
  pacman:
    name: sudo
    state: present
# https://github.com/ansible/ansible/issues/11024
# Empties the wheel group so that the following task can rebuild membership
# from sudo_users alone; any account added to wheel by hand is dropped here.
# NOTE(review): this task carries no tag, while the task that re-adds users is
# tagged 'archusers'. A run that skips that tag would purge wheel without
# repopulating it, and a run limited to that tag would add users without
# removing stale members -- confirm both outcomes are acceptable.
- name: Remove all users from wheel group
  command:
    cmd: groupmems -g wheel --purge
  register: groupmems
  # Reported as "changed" whenever the command exits 0, i.e. on every
  # successful run, since a purge always rewrites the group.
  changed_when: groupmems.rc == 0
# Grant wheel membership to every account named in sudo_users.
# append: true adds wheel to the account's supplementary groups instead of
# replacing them. The user module's default state is "present", so a name
# that does not exist yet is created as a new account -- sudo_users should
# therefore contain only reviewed account names.
- name: Add sudo users to wheel
  user:
    name: "{{ item }}"
    groups: wheel
    append: true
  with_items: "{{ sudo_users }}"
  tags:
    - archusers
# Enable the '%wheel ALL=(ALL) ALL' rule: members of wheel may run any command
# as any user. The rule has no NOPASSWD tag, so sudo still authenticates the
# caller.
- name: Allow wheel group to use sudo
  lineinfile:
    path: /etc/sudoers
    owner: root
    group: root
    mode: "0440"
    state: present
    # A line already starting with the rule is rewritten in place; otherwise
    # the rule is inserted after the commented-out template line.
    # NOTE(review): if neither pattern matches, lineinfile appends at EOF --
    # confirm the template comment in the target's sudoers still has this
    # exact form.
    regexp: '^%wheel ALL=\(ALL\) ALL'
    insertafter: '^# %wheel ALL=\(ALL\) ALL'
    line: '%wheel ALL=(ALL) ALL'
    # visudo checks the candidate file before it replaces /etc/sudoers, so a
    # syntax error cannot lock administrators out of sudo.
    validate: visudo -cf %s
# Pin the PATH that sudo uses for the commands it runs, so the invoking user's
# own PATH (which may list user-writable directories) cannot decide which
# binary executes with elevated privileges.
- name: Secure path to protect against attacks
  lineinfile:
    path: /etc/sudoers
    owner: root
    group: root
    mode: "0440"
    state: present
    # NOTE(review): regexp matches only the exact target line. An active
    # 'Defaults secure_path=' with a different value would be left in place and
    # a second entry added next to it; consider matching any active
    # secure_path line (e.g. '^Defaults\s+secure_path=') once the target's
    # sudoers has been checked.
    regexp: '^Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"'
    insertafter: '^# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
    line: 'Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"'
    # visudo checks the candidate file before it replaces /etc/sudoers, so a
    # syntax error cannot lock administrators out of sudo.
    validate: visudo -cf %s