- name: Set sudoers right
  ansible.builtin.lineinfile:
    dest: '/etc/sudoers.d/{{ system_sudoers_group }}'
    regexp: '{{ item.regexp }}'
    line: '{{ item.line }}'
    state: 'present'
    create: True
    owner: 'root'
    group: 'root'
    mode: '0440'
    validate: 'visudo -cf "%s"'
  with_items:
    - regexp: '^%{{ system_sudoers_group }}\s'
      line: '%{{ system_sudoers_group }} ALL = (ALL) NOPASSWD:ALL'
  become: True

- name: Change secure path
  ansible.builtin.replace:
    path: '/etc/sudoers'
    regexp: ^Defaults\s*secure_path.*
    replace: Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin
    validate: 'visudo -cf "%s"'
  become: true