Hardening setuid su before finishing the setup of the new user can lock you out of a machine #12

@ELLIOTTCABLE

Description

At the moment, the requirements role runs:

$ sudo dpkg-statoverride --update --add root suusers 4750 /bin/su

… before the admin user is fully configured.

On machines that start without sudo installed (and for which become_method: su is necessary), this can prevent the playbook from continuing. Worse, on systems without root SSH-login enabled, this can lock you entirely out of the machine. (Ask me how I know!)

This step should be done after user-creation and reauthentication, over a connection as the final, intended admin user. (=
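The task ordering described above, written out as an added Ansible example (not the project's own role): the admin user is created and put into the su-allowed group first, the connection is re-established as that user, and two guard tasks refuse to continue unless `su` and `sudo` will still work for them before `dpkg-statoverride` tightens `/bin/su`. The variable `admin_user` and the group name `suusers` are assumptions; `sudo` is assumed to be installed by an earlier task.

```yaml
# Added example, not part of the original role. Assumes `admin_user` holds the
# intended admin login and that sudo has already been installed.
- name: Ensure the su-allowed group exists
  ansible.builtin.group:
    name: suusers
    state: present

- name: Create the admin user in the suusers and sudo groups
  ansible.builtin.user:
    name: "{{ admin_user }}"
    groups: [suusers, sudo]
    append: true
    shell: /bin/bash

# Reauthenticate: drop the bootstrap connection (root or become_method: su)
# and reconnect as the admin user so the remaining tasks run as them.
- name: Switch the connection to the admin user
  ansible.builtin.set_fact:
    ansible_user: "{{ admin_user }}"

- name: Reset the SSH connection so the new login and groups take effect
  ansible.builtin.meta: reset_connection

# Guards: if either fails, /bin/su is left untouched and the box stays reachable.
- name: Refuse to proceed unless the admin user is in suusers
  ansible.builtin.command: id -nG {{ admin_user | quote }}
  register: admin_groups
  changed_when: false
  failed_when: "'suusers' not in admin_groups.stdout.split()"

- name: Refuse to proceed unless passwordless sudo works for the admin user
  ansible.builtin.command: sudo -n true
  become: false
  changed_when: false

- name: Check whether /bin/su already has a statoverride (exit 1 means none)
  ansible.builtin.command: dpkg-statoverride --list /bin/su
  register: su_override
  changed_when: false
  failed_when: su_override.rc not in [0, 1]

- name: Restrict setuid su to the suusers group, now that it is safe
  ansible.builtin.command: dpkg-statoverride --update --add root suusers 4750 /bin/su
  become: true
  when: su_override.rc != 0
```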
