---
- name: grant sudo
  hosts: "{{ HOSTS | default('all') }}"
  become: yes
  gather_facts: no
  vars:
    sudo_cleanup: true

  tasks:
    - name: Check if sudo user exists on system
      getent:
        database: passwd
        key: "{{ sudo_user }}"

    - name: create sudo rule
      copy:
        dest: "/etc/sudoers.d/{{ sudo_user }}"
        owner: root
        group: root
        mode: 0640
        content: "{{ sudo_user }} ALL=(ALL) NOPASSWD:ALL"

    - name: time based cleanup
      at:
        command: "rm /etc/sudoers.d/{{ sudo_user }}"
        count: "{{ sudo_count | default('10') }}"
        units: "{{ sudo_units | default('minutes') }}"
      when: sudo_cleanup|bool