roles/sudo: Configure sudo and policy

The *sudo* role installs `sudo` and configures policy for it. By
default, users who are members of the *sudo* group can run any command
as root.

roles/sudo/defaults/main.yml

@@ -0,0 +1 @@
+admin_users: []

roles/sudo/files/sudo.sudoers

@@ -0,0 +1 @@
+%sudo ALL=(ALL) ALL

roles/sudo/tasks/main.yml

@@ -0,0 +1,25 @@
+- name: ensure sudo is installed
+  package:
+    name=sudo
+    state=present
+
+- name: ensure sudo group exists
+  group:
+    name=sudo
+    state=present
+- name: ensure admin users members of sudo group
+  user:
+    name={{ item }}
+    groups=sudo
+    append=yes
+  with_items: '{{ admin_users }}'
+- name: ensure members of sudo group can use sudo
+  copy:
+    src: sudo.sudoers
+    dest: /etc/sudoers.d/10_sudo
+    mode: '0440'
+    validate: visudo -cf %s
+- name: ensure legacy sudo group configuration is removed
+  file:
+    path=/etc/sudoers.d/sudo
+    state=absent