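---
# Sudo Configuration (CIS 5.3.x)
#
# Writes sudo Defaults into /etc/sudoers.d/cis-hardening and the %sudo group
# rule into /etc/sudoers.d/sudo-group. Every sudoers write is checked with
# `visudo -cf` before it lands, so a syntax error cannot break sudo.
#
# Variables consumed (defined by the caller, not in this file):
#   sudo_timeout   - value written to Defaults timestamp_timeout.
#   sudo_nopasswd  - when true, drops the password prompt for the %sudo group
#                    AND adds `Defaults !authenticate`; read the notes on those
#                    two tasks before enabling it.

- name: Ensure sudo is installed
  ansible.builtin.apt:
    name: sudo
    state: present
    update_cache: true

- name: Configure sudo to use pty (CIS 5.3.2)
  ansible.builtin.lineinfile:
    path: /etc/sudoers.d/cis-hardening
    line: "Defaults use_pty"
    create: true
    mode: '0440'
    validate: '/usr/sbin/visudo -cf %s'

- name: Configure sudo logfile (CIS 5.3.3)
  ansible.builtin.lineinfile:
    path: /etc/sudoers.d/cis-hardening
    line: "Defaults logfile=\"/var/log/sudo.log\""
    create: true
    mode: '0440'
    validate: '/usr/sbin/visudo -cf %s'

# regexp keeps this idempotent when sudo_timeout changes: without it a new
# timestamp_timeout line is appended on every change and the stale ones stay
# in the fragment.
- name: Configure sudo timeout
  ansible.builtin.lineinfile:
    path: /etc/sudoers.d/cis-hardening
    regexp: '^Defaults\s+timestamp_timeout='
    line: "Defaults timestamp_timeout={{ sudo_timeout }}"
    create: true
    mode: '0440'
    validate: '/usr/sbin/visudo -cf %s'

# NOTE(review): `Defaults !authenticate` switches off password authentication
# for every sudo invocation on the host, not only for the %sudo group. CIS
# 5.3.4 asks that users authenticate for privilege escalation, so running this
# with sudo_nopasswd=true is a deliberate deviation from that control, not an
# implementation of it. The regexp lets state=absent remove any existing
# occurrence rather than relying on an exact line match.
- name: Configure sudo password requirement (CIS 5.3.4)
  ansible.builtin.lineinfile:
    path: /etc/sudoers.d/cis-hardening
    regexp: '^Defaults\s+!authenticate'
    line: "Defaults !authenticate"
    state: "{{ 'present' if sudo_nopasswd else 'absent' }}"
    create: true
    mode: '0440'
    validate: '/usr/sbin/visudo -cf %s'

# regexp anchors on the group name so flipping sudo_nopasswd replaces the
# existing %sudo rule instead of leaving both the NOPASSWD and the
# password-required variants in the file (sudo applies the last matching
# entry, which makes a leftover NOPASSWD line easy to overlook).
- name: Allow sudo group to use sudo
  ansible.builtin.lineinfile:
    path: /etc/sudoers.d/sudo-group
    regexp: '^%sudo\s'
    line: "%sudo ALL=(ALL:ALL) {{ 'NOPASSWD:' if sudo_nopasswd else '' }}ALL"
    create: true
    mode: '0440'
    validate: '/usr/sbin/visudo -cf %s'

# Log file is root-only (0600) because it records every command run via sudo.
- name: Create sudo log file
  ansible.builtin.file:
    path: /var/log/sudo.log
    state: touch
    owner: root
    group: root
    mode: '0600'
    # keep timestamps so a re-run does not report the task as changed
    modification_time: preserve
    access_time: preserve

# Rotated copies are created 0600 root:root to match the live log's mode.
- name: Configure sudo log rotation
  ansible.builtin.copy:
    dest: /etc/logrotate.d/sudo
    content: |
      /var/log/sudo.log {
        weekly
        rotate 4
        compress
        delaycompress
        missingok
        notifempty
        create 0600 root root
      }
    owner: root
    group: root
    mode: '0644'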