diff --git a/playbooks/roles/users/files/sudoers b/playbooks/roles/users/files/sudoers
new file mode 100644
index 0000000000..51828c2fdc
--- /dev/null
+++ b/playbooks/roles/users/files/sudoers
@@ -0,0 +1,26 @@
+# /etc/sudoers
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# See the man page for details on how to write a sudoers file.
+#
+
+Defaults env_reset
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root ALL=(ALL) ALL
+
+# Allow members of group sudo to execute any command after they have
+# provided their password
+# (Note that later entries override this, so you might need to move
+# it further down)
+%sudo ALL=(ALL) NOPASSWD: ALL
+#
+#includedir /etc/sudoers.d
diff --git a/playbooks/roles/users/tasks/main.yaml b/playbooks/roles/users/tasks/main.yaml
index 9e33ce06df..4f711b892c 100644
--- a/playbooks/roles/users/tasks/main.yaml
+++ b/playbooks/roles/users/tasks/main.yaml
@@ -1,3 +1,24 @@
+- name: Add sudo admin groups
+ loop:
+ - sudo
+ - admin
+ group:
+ name: "{{ item }}"
+ state: present
+ when:
+
+# NOTE(mordred): We replace the main file rather than dropping a file in to
+# /etc/sudoers.d to deal with divergent base sudoers files from our distros.
+# We also want to change some default behavior (we want nopassword sudo, for
+# instance).
+- name: Setup sudoers file
+ copy:
+ dest: /etc/sudoers
+ src: sudoers
+ owner: root
+ group: root
+ mode: 0440
+
 - name: Setup login.defs file
 copy:
 dest: /etc/login.defs
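Review bot: The comment above the `%sudo` rule says members run commands "after they have provided their password", but the rule is `%sudo ALL=(ALL) NOPASSWD: ALL`, so the file documents the opposite of what it grants. For a file that controls root access the comment should read something like `# Allow members of group sudo to execute any command without a password`. The last line, `#includedir /etc/sudoers.d`, is a live sudo directive rather than a comment, so drop-ins left by the distro or image tooling still apply on top of this file; a one-line comment saying whether that is intended would help. The role also creates an `admin` group in tasks/main.yaml, yet no `%admin` rule appears here, which is worth confirming as deliberate.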
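Review bot: The `Setup sudoers file` task overwrites /etc/sudoers with no syntax check, so a malformed file would be installed as-is and could leave hosts without working sudo. Add `validate: 'visudo -cf %s'` to the `copy` arguments (the visudo path may need to be absolute on some distros). The first task ends in a bare `when:` with no condition, which parses as null; either drop the key or supply the intended condition. `mode: 0440` relies on YAML 1.1 octal parsing, and `mode: "0440"` is the safer spelling. The `Setup login.defs file` task at the end of the hunk continues outside it.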