---
- name: Configure sudo hardening drop-in
  ansible.builtin.lineinfile:
    path: "{{ cis_sudoers_dropin_path }}"
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    create: true
    owner: root
    group: root
    mode: "0440"
    validate: /usr/sbin/visudo -cf %s
  loop:
    - regexp: '^Defaults\s+use_pty'
      line: "Defaults use_pty"
    - regexp: '^Defaults\s+logfile='
      line: 'Defaults logfile="{{ cis_sudo_logfile }}"'
  loop_control:
    label: "{{ item.line }}"