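---
# Writes sudoers drop-in files under /mnt/etc/sudoers.d: one group-wide rule
# and one file per entry of system_cfg.users that carries a non-empty `sudo`.
# NOTE(review): /mnt is presumably the mounted target root - confirm.

- name: Ensure sudoers.d directory exists
  ansible.builtin.file:
    path: /mnt/etc/sudoers.d
    state: directory
    mode: "0755"
    owner: root
    group: root

# Grants full sudo to %sudo when is_debian is true, otherwise to %wheel.
- name: Give sudo access to wheel group
  ansible.builtin.copy:
    content: "{{ '%sudo ALL=(ALL) ALL\n' if is_debian | bool else '%wheel ALL=(ALL) ALL\n' }}"
    dest: /mnt/etc/sudoers.d/01-wheel
    # Set ownership explicitly, matching the directory task: sudo refuses
    # sudoers files that are not owned by root.
    owner: root
    group: root
    mode: "0440"
    # Runs against the staged file before it replaces dest.
    validate: /usr/sbin/visudo --check --file=%s

# SECURITY: item.name and item.sudo are written into a sudoers rule as-is.
# visudo only checks syntax, not what the rule grants, so a value containing
# a newline or extra specs still validates. system_cfg.users must come from
# a trusted source.
- name: Deploy per-user sudoers rules
  when: item.sudo is defined and (item.sudo | string | length) > 0
  ansible.builtin.copy:
    content: "{{ item.name }} {{ item.sudo }}\n"
    # sudo skips drop-in files whose name contains '.' or ends in '~', so a
    # rule for a user such as "john.doe" would be silently ignored. Mapping
    # every character outside [A-Za-z0-9_-] to '_' also keeps '/' and '..'
    # out of the destination path.
    dest: "/mnt/etc/sudoers.d/{{ item.name | regex_replace('[^A-Za-z0-9_-]', '_') }}"
    owner: root
    group: root
    mode: "0440"
    validate: /usr/sbin/visudo --check --file=%s
  loop: "{{ system_cfg.users }}"
  loop_control:
    label: "{{ item.name }}"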