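---
# Writes sudo configuration into /mnt/etc/sudoers.d (presumably the root of the
# system being provisioned, mounted at /mnt; confirm against the calling play).
# Each fragment is passed through `visudo --check` before it is installed, so a
# syntactically invalid rule is rejected instead of being written.

- name: Ensure sudoers.d directory exists
  ansible.builtin.file:
    path: /mnt/etc/sudoers.d
    state: directory
    mode: "0755"
    owner: root
    group: root

- name: Give sudo access to wheel group
  ansible.builtin.copy:
    # NOTE(review): sudoers only treats a name as a group when it is prefixed
    # with "%". Confirm _configuration_platform.sudo_group already includes it,
    # otherwise this line grants the rule to a user of that name instead.
    content: "{{ _configuration_platform.sudo_group }} ALL=(ALL) ALL\n"
    dest: /mnt/etc/sudoers.d/01-wheel
    # sudo refuses sudoers fragments that are not owned by root; set ownership
    # explicitly so a pre-existing file with the wrong owner is corrected too.
    owner: root
    group: root
    mode: "0440"
    validate: /usr/sbin/visudo --check --file=%s

- name: Deploy per-user sudoers rules
  # Only users whose `sudo` attribute is set and truthy get a fragment.
  when: item.sudo | default(false)
  vars:
    # A string value of `sudo` is used verbatim as the rule. Any other truthy
    # value falls back to passwordless, unrestricted root, which is broader
    # than the password-protected wheel rule above. Prefer an explicit string
    # rule for accounts that should still authenticate.
    configuration_sudoers_rule: >-
      {{ item.sudo if item.sudo is string else 'ALL=(ALL) NOPASSWD: ALL' }}
  ansible.builtin.copy:
    content: "{{ item.name }} {{ configuration_sudoers_rule }}\n"
    # NOTE(review): item.name is used unmodified as the file name. sudo skips
    # files in an included directory whose name contains "." or ends in "~",
    # so a fragment for such a user would validate but never take effect, and
    # a name containing "/" would change the destination path. Verify that
    # system_cfg.users names are validated before this task runs.
    dest: "/mnt/etc/sudoers.d/{{ item.name }}"
    # Same ownership requirement as the wheel fragment.
    owner: root
    group: root
    mode: "0440"
    validate: /usr/sbin/visudo --check --file=%s
  loop: "{{ system_cfg.users }}"
  loop_control:
    # Show only the user name in task output instead of the whole user entry.
    label: "{{ item.name }}"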