Allows toggling sudo: with password and group sudo, passwordless with group wheel

The default behaviour is to activate both password-based sudo through the group sudo and
passwordless sudo through group wheel (to not break compatibility with previous behaviour).

defaults/main.yml

@@ -12,3 +12,5 @@ users:
 sudoers:
   - vagrant
 ensure_ansible_version: 2.10.3
+enable_sudo: yes
+enable_passwordless_sudo: yes

tasks/users.yml

@@ -5,31 +5,40 @@
     - sudo
   when: ansible_facts['os_family'] == 'FreeBSD'
 
-- name: 'Allow wheel group to do passwordless sudo'
-  lineinfile:
-    dest: /usr/local/etc/sudoers
-    state: present
-    regexp: '^%wheel'
-    line: '%wheel ALL=(ALL) NOPASSWD:ALL'
-    validate: visudo -cf %s
-  when: ansible_facts['os_family'] == 'FreeBSD'
-
-- name: 'Allow wheel group to do passwordless sudo'
-  lineinfile:
-    dest: /etc/sudoers
-    state: present
-    regexp: '^%wheel'
-    line: '%wheel ALL=(ALL) NOPASSWD:ALL'
-    validate: visudo -cf %s
-  when:
-    - ansible_facts['os_family'] in ['Debian', 'Archlinux']
-
 - name: 'Create users with corresponding groups'
   user:
     name: "{{ item }}"
     groups: users
   with_items: "{{ users }}"
 
+- block:
+    - name: 'Ensure that sudo group is existing'
+      group:
+        name: sudo
+        state: present
+
+    - name: 'Allow sudo group to do sudo'
+      lineinfile:
+        dest: "{{ lookup('first_found', files, errors='ignore') }}"
+        state: present
+        regexp: '^#?\s*%sudo'
+        line: '%sudo   ALL=(ALL) ALL'
+        validate: visudo -cf %s
+      vars:
+        files:
+          - /etc/sudoers
+          - /usr/local/etc/sudoers # e.g. FreeBSD
+
+    - name: 'Add sudoers user to sudo group'
+      user:
+        name: "{{ item }}"
+        groups: sudo
+        append: yes
+      with_items: "{{ sudoers }}"
+  when:
+    - enable_sudo
+    - not enable_passwordless_sudo
+
 - name: 'Add corresponding authorized_keys to each user'
   authorized_key:
     user: "{{ item }}"
@@ -38,17 +47,33 @@
   with_items: "{{ users }}"
   ignore_errors: yes
 
-- name: 'Ensure that wheel group is existing'
+- block:
-  group:
+    - name: 'Ensure that wheel group is existing'
-    name: wheel
+      group:
-    state: present
+        name: wheel
+        state: present
 
-- name: 'Add sudoers user to wheel group'
+    - name: 'Add sudoers user to wheel group'
-  user:
+      user:
-    name: "{{ item }}"
+        name: "{{ item }}"
-    groups: wheel
+        groups: wheel
-    append: yes
+        append: yes
-  with_items: "{{ sudoers }}"
+      with_items: "{{ sudoers }}"
+
+    - name: 'Allow wheel group to do passwordless sudo'
+      lineinfile:
+        dest: "{{ lookup('first_found', files, errors='ignore') }}"
+        state: present
+        regexp: '^%wheel'
+        line: '%wheel ALL=(ALL) NOPASSWD:ALL'
+        validate: visudo -cf %s
+      vars:
+        files:
+          - /etc/sudoers
+          - /usr/local/etc/sudoers # e.g. FreeBSD
+  when:
+    - enable_sudo
+    - enable_passwordless_sudo
 
 - name: Copy tmux config
   copy: