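---
# Moves the host onto a custom authselect profile named sudo-dom0-prompt,
# installs the role's sudoers drop-in and removes the polkit rule file
# 00-qubes-allow-all.rules.
# NOTE(review): the files shipped by the role (system-auth and
# etc/sudoers.d/qubes) are not visible here. They define the resulting PAM
# and sudo policy, so review them together with this task list.

- name: Check that the sudo-dom0-prompt exists
  ansible.builtin.stat:
    path: '/etc/authselect/custom/sudo-dom0-prompt'
  register: stat_result

# The command uses no shell features, so it runs through the command module
# with an argv list instead of a shell.
- name: Create authselect profile
  ansible.builtin.command:
    argv:
      - authselect
      - create-profile
      - sudo-dom0-prompt
      - --base-on=sssd
      - --symlink-meta
      - --symlink-pam
  when: not stat_result.stat.exists

# Backup of the profile's system-auth before the role's version replaces it.
# force: false writes the backup only while it does not exist yet; without it
# a second run would overwrite the backup with the already customised file.
# NOTE(review): src is absolute and remote_src is not set, so the file is read
# on the controller. That only matches the intent when the play runs on the
# managed host itself - confirm, or set remote_src.
- name: Copy authselect file
  ansible.builtin.copy:
    src: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
    dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside'
    mode: '0644'
    force: false

# NOTE(review): src is a single file although the task name says "folder".
# If dest is the existing profile directory, the file lands at
# <dest>/system-auth with mode 0755 and the next task overwrites it with
# mode 0644. Confirm whether this task is still needed.
- name: Copy authselect folder
  ansible.builtin.copy:
    src: '/etc/authselect/system-auth'
    dest: '/etc/authselect/custom/sudo-dom0-prompt'
    mode: '0755'

# Relative src: resolved against the role's or playbook's files directory.
- name: Copy authselect file
  ansible.builtin.copy:
    src: 'etc/authselect/custom/sudo-dom0-prompt/system-auth'
    dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
    mode: '0644'

# Runs on every play and always reports "changed"; there is no guard on the
# currently selected profile.
- name: Select authselect profile
  ansible.builtin.command:
    argv:
      - authselect
      - select
      - custom/sudo-dom0-prompt

# A syntax error in a sudoers drop-in can leave sudo unusable on the host.
# validate runs visudo against the temporary copy and aborts the task before
# the destination is replaced if the check fails. Owner and group are pinned
# to root so the result does not depend on the connecting user.
- name: Fix sudoers.d
  ansible.builtin.copy:
    src: 'etc/sudoers.d/qubes'
    dest: '/etc/sudoers.d/qubes'
    owner: 'root'
    group: 'root'
    mode: '0440'
    validate: '/usr/sbin/visudo -cf %s'

# state: absent is already a no-op when the path is missing. The stat guard is
# kept because allow_all_result may be read outside this file.
# NOTE(review): judging by its name, the rule file grants blanket polkit
# authorisation; its contents are not visible here.
- name: Check that allow all rule doesn't exist
  ansible.builtin.stat:
    path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
  register: allow_all_result

- name: Delete allow all rule
  ansible.builtin.file:
    path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
    state: 'absent'
  when: allow_all_result.stat.exists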