diff --git a/roles/sudo/defaults/main.yml b/roles/sudo/defaults/main.yml
new file mode 100644
index 0000000..11f2f29
--- /dev/null
+++ b/roles/sudo/defaults/main.yml
@@ -0,0 +1 @@
+admin_users: []
diff --git a/roles/sudo/files/sudo.sudoers b/roles/sudo/files/sudo.sudoers
new file mode 100644
index 0000000..5e3c1bb
--- /dev/null
+++ b/roles/sudo/files/sudo.sudoers
@@ -0,0 +1 @@
+%sudo ALL=(ALL) ALL
diff --git a/roles/sudo/tasks/main.yml b/roles/sudo/tasks/main.yml
new file mode 100644
index 0000000..1021a6c
--- /dev/null
+++ b/roles/sudo/tasks/main.yml
@@ -0,0 +1,25 @@
+- name: ensure sudo is installed
+ package:
+ name=sudo
+ state=present
+
+- name: ensure sudo group exists
+ group:
+ name=sudo
+ state=present
+- name: ensure admin users members of sudo group
+ user:
+ name={{ item }}
+ groups=sudo
+ append=yes
+ with_items: '{{ admin_users }}'
+- name: ensure members of sudo group can use sudo
+ copy:
+ src: sudo.sudoers
+ dest: /etc/sudoers.d/10_sudo
+ mode: '0440'
+ validate: visudo -cf %s
+- name: ensure legacy sudo group configuration is removed
+ file:
+ path=/etc/sudoers.d/sudo
+ state=absent
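Review bot: The `copy` task that installs `/etc/sudoers.d/10_sudo` sets `mode: '0440'` but no owner or group, so the file's ownership depends on whichever account the play runs as. sudo expects sudoers files to be owned by root, and `visudo -cf %s` checks the syntax of the staged copy, not the ownership of the installed file, so I would pin it with `owner: root` and `group: root` next to `mode`. Separately, the `user` task creates any name in `admin_users` that does not already exist, so a typo in that list produces a new account in the `sudo` group; a comment on the variable, or a check that the account exists first, would make that explicit. The other four tasks use the legacy `key=value` argument form while `copy` uses a native mapping; converting them (`name: sudo`, `state: present`, `append: true`) would make the file consistent.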