- hosts: pyrocufflink:!samba-dc
  roles:
  - winbind
  - nsswitch
  - system-auth
  - sudo
  tasks:
  - name: ensure winbind is running
    service:
      name=winbind
      state=started
  - name: ensure server admins can use sudo
    copy:
      dest: /etc/sudoers.d/20_server-admins
      content: |
        %server\ admins ALL=(ALL) ALL
      mode: '0440'
      validate: visudo -cf %s
- hosts: pyrocufflink
  roles:
  - role: trustca
    ca: dch-root-ca
  - step-ssh