---
  - name: ensure group exists
    become: true
    ansible.builtin.group:
      name: "{{ sanoid_user_group }}"
      state: present
    when:
      - sanoid_user_group is defined

  - name: ensure user exists
    become: true
    ansible.builtin.user:
      name: "{{ sanoid_user }}"
      group: "{{ sanoid_user_group }}"
      shell: /usr/sbin/nologin
    when:
      - sanoid_user_group is defined
      - sanoid_user is defined

  - name: add user to sudoers
    become: true
    ansible.builtin.blockinfile:
      path: /etc/sudoers
      state: present
      block:  |
        {{ sanoid_user }} ALL=(ALL) NOPASSWD:ALL
      validate: '/usr/sbin/visudo -cf %s'
      backup: yes
    when:
      - sanoid_user_group is defined
      - sanoid_user is defined