--- - name: Grant the AI-worker user passwordless sudo (ADR-015 amended / ADR-021) ansible.builtin.copy: content: "{{ base__ai_worker_user }} ALL=(ALL) NOPASSWD:ALL\n" dest: "/etc/sudoers.d/{{ base__ai_worker_user }}-ai-worker" owner: root group: root mode: "0440" validate: "visudo -cf %s" when: base__ai_worker_user | length > 0 tags: [users]