- name: 'Install package: sudo'
  package:
    name: sudo    # (1) Should be installed prior to installing IIAB, (2) Can be installed by 1-prep's roles/tailscale/tasks/install.yml, (3) Can be installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml here, (4) Used to be installed by roles/2-common/tasks/packages.yml (but that's too late!)

- name: Temporarily make file /etc/sudoers editable (0640)
  file:
    path: /etc/sudoers
    mode: 0640

- name: '/etc/sudoers: Have sudo log all commands to /var/log/sudo.log -- in addition to the lengthier /var/log/auth.log'
  lineinfile:
    path: /etc/sudoers
    regexp: logfile
    line: "Defaults     logfile = /var/log/sudo.log"

# Not nec (heavyhanded removal of customizations+comments) given sudo defaults.
#- name: Remove all lines that contain 'requiretty'
#  lineinfile:
#    path: /etc/sudoers
#    regexp: requiretty
#    state: absent

- name: End editing file /etc/sudoers -- protect it again (0440)
  file:
    path: /etc/sudoers
    mode: 0440