Update to 2021-12-01 19:13

roles/sudo/defaults/main.yml

@@ -0,0 +1,10 @@
+---
+
+sudo_admin_groups: "{{ system_admin_groups | default(ad_auth | default(False) | ternary(['Domain\ Admins'],['admins'])) }}"
+
+sudo_base_defaults:
+  secure_path: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
+sudo_extra_defaults: {}
+# sudo_defaults:
+#   timestamp_timeout: 10
+sudo_defaults: "{{ sudo_base_defaults | combine(sudo_extra_defaults, recursive=True) }}"

roles/sudo/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Setup default sudo access
+  template: src=fws.j2 dest=/etc/sudoers.d/fws owner=root group=root mode=440 validate='visudo -cf %s'
+  tags: sudo
+
+- name: Ensure sudo provider is only files in nss
+  lineinfile: dest=/etc/nsswitch.conf regexp="^sudoers{{ ':' }}.+" line="sudoers{{ ':' }}    files"
+  when: ad_auth | default(False)
+  tags: sudo

roles/sudo/templates/fws.j2

@@ -0,0 +1,7 @@
+{% for def in sudo_defaults.keys() | list %}
+Defaults {{ def }}={{ sudo_defaults[def] }}
+{% endfor %}
+
+{% for group in sudo_admin_groups %}
+%{{ group }} ALL=(ALL) ALL
+{% endfor %}