boma/roles/base/tasks/operational_access.yml

---
- name: Grant the AI-worker user passwordless sudo (ADR-015 amended / ADR-021)
  ansible.builtin.copy:
    content: "{{ base__ai_worker_user }} ALL=(ALL) NOPASSWD:ALL\n"
    dest: "/etc/sudoers.d/{{ base__ai_worker_user }}-ai-worker"
    owner: root
    group: root
    mode: "0440"
    validate: "visudo -cf %s"
  when: base__ai_worker_user | length > 0
  tags: [users]