---
- name: Configure NOPASSWD sudo for nomad user
  hosts: nomad_clients
  become: yes
  tasks:
    - name: Ensure sudoers.d directory exists
      file:
        path: /etc/sudoers.d
        state: directory
        owner: root
        group: root
        mode: '0750'

    - name: Allow nomad user passwordless sudo for required commands
      copy:
        dest: /etc/sudoers.d/nomad
        content: |
          nomad ALL=(ALL) NOPASSWD: /usr/bin/apt, /usr/bin/systemctl, /bin/mkdir, /bin/chown, /bin/chmod, /bin/mv, /bin/sed, /usr/bin/tee, /usr/sbin/usermod, /usr/bin/unzip, /usr/bin/wget
        owner: root
        group: root
        mode: '0440'
        validate: 'visudo -cf %s'