---
- name: grant sudo
  hosts: "{{ HOSTS | default('web') }}"
  become: true
  gather_facts: false
  vars:
    sudo_cleanup: true

  tasks:
    - name: Check if sudo user exists on system
      getent:
        database: passwd
        key: "{{ sudo_user }}"

    - name: create sudo rule
      copy:
        dest: "/etc/sudoers.d/{{ sudo_user }}"
        owner: root
        group: root
        mode: 0640
        content: "{{ sudo_user }} ALL=(ALL) NOPASSWD:ALL"

    - name: install package
      yum:
        name: at
        state: latest

    - name: start service
      service:
        name: atd
        state: started

    - name: time based cleanup
      at:
        command: "rm /etc/sudoers.d/{{ sudo_user }}"
        count: "{{ sudo_count | default('10') }}"
        units: "{{ sudo_units | default('minutes') }}"
      when: sudo_cleanup|bool