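# @summary Declares baseline sudo policy: a LOCALHOST host alias, optional
#   rules for a sudo group and for root, and sudo::option resources built
#   from the hash parameters.
#
# Everything declared here ends up in sudoers, so the class parameters are
# privilege-granting data. Whoever can edit the data source feeding them
# (typically Hiera) can change who may run what as root.
#
# @param sudogroup
#   Name of a system group to manage. Its members get `PASSWD: ALL` on
#   LOCALHOST. Nothing is declared when undef.
# @param root_may_sudo
#   When true, root gets `NOPASSWD: ALL` on LOCALHOST and the `syslog`
#   option is set to false for root.
# @param generic
#   Hash of option name => value; each pair becomes one sudo::option.
# @param user
#   Hash of list => { option => value }, declared with context 'user'.
# @param host
#   Same shape as `user`, declared with context 'host'.
# @param runas
#   Same shape as `user`, declared with context 'runas'.
# @param cmnd
#   Same shape as `user`, declared with context 'cmnd'.
class sudo::defaults (
  Optional[String[1]] $sudogroup     = undef,
  Boolean             $root_may_sudo = true,
  Optional[Hash]      $generic       = undef,
  Optional[Hash]      $user          = undef,
  Optional[Hash]      $host          = undef,
  Optional[Hash]      $runas         = undef,
  Optional[Hash]      $cmnd          = undef,
) {
  # Use the structured networking fact when present; otherwise fall back to
  # the flat fact hash, which is then indexed by hostname/fqdn directly.
  $netfacts = $facts['networking'] ? {
    undef   => $facts,
    default => $facts['networking'],
  }

  # Host alias limiting the rules below to this machine's own names.
  sudo::alias { 'LOCALHOST':
    type => 'host',
    list => ['localhost', $netfacts['hostname'], $netfacts['fqdn']],
  }

  if $sudogroup {
    $sudogroup_target = '00-sudogroup'

    # Members of this group may run any command after entering their
    # password, which is root-equivalent access: membership needs the same
    # control as the root account itself.
    # NOTE(review): the name is only checked to be a non-empty string before
    # it is interpolated into `who`; confirm sudo::rule rejects whitespace or
    # sudoers metacharacters, or tighten the type here.
    group { $sudogroup:
      ensure => present,
      system => true,
    }
    -> sudo::rule { 'sudogroup':
      who     => "%${sudogroup}",
      where   => 'LOCALHOST',
      require => Sudo::Alias['LOCALHOST'],
      what    => 'PASSWD: ALL',
      target  => $sudogroup_target,
      comment => "Members of the ${sudogroup} group can use sudo (with password)",
    }
  }

  if $root_may_sudo {
    $rootsudo_target = '00-root_may_sudo'

    # Switches off syslog logging for sudo invoked by root. Sites that rely
    # on sudo's syslog records as an audit trail lose root's entries here.
    sudo::option { 'syslog':
      value   => false,
      context => 'user',
      list    => 'root',
      target  => $rootsudo_target,
      comment => 'No need to log root usage of sudo',
    }
    -> sudo::rule { 'root_may_sudo':
      who     => 'root',
      where   => 'LOCALHOST',
      require => Sudo::Alias['LOCALHOST'],
      what    => 'NOPASSWD: ALL',
      target  => $rootsudo_target,
      comment => 'root may inadvertedly run sudo, so let them:',
    }
  }

  if $generic {
    # Fragments 14 and 16 bracket the generated options (order 15) with
    # marker comments in the default sudoers file.
    concat::fragment { 'sudo::defaults::generic comment':
      target  => "sudoers_file_${sudo::default_target}",
      order   => 14,
      content => "\n# Generated from the sudo::defaults::generic class parameter:\n",
    }

    # Keys and values are handed to sudo::option unchanged.
    # NOTE(review): titles are the bare option names, so a 'syslog' key
    # here would duplicate Sudo::Option['syslog'] declared above when
    # root_may_sudo is true and fail catalog compilation.
    # NOTE(review): confirm the sudoers concat target validates the
    # assembled file (e.g. a validate_cmd running visudo -c); not visible
    # from this class.
    $generic.each |$param, $value| {
      sudo::option { $param:
        value          => $value,
        order          => 15,
        newline_before => false,
        require        => Concat::Fragment['sudo::defaults::generic comment'],
      }
    }

    concat::fragment { 'sudo::defaults::generic end':
      target  => "sudoers_file_${sudo::default_target}",
      order   => 16,
      content => "# End sudo::defaults::generic class parameters\n",
    }
  }

  # Context-specific options. Each context gets three consecutive order
  # slots after the generic block: user 17-19, host 20-22, runas 23-25,
  # cmnd 26-28.
  $context_hash = {
    'user'  => $user,
    'host'  => $host,
    'runas' => $runas,
    'cmnd'  => $cmnd,
  }

  $context_hash.keys.each |$index, $context| {
    $defaults = $context_hash[$context]

    if $defaults {
      # The original fragments here targeted "sudoers_$default_target", but
      # $default_target is not defined in this class. They now use the same
      # concat target as the generic fragments, whose order range they
      # continue. NOTE(review): confirm this title against the sudo class.
      concat::fragment { "sudo::defaults::${context} comment":
        target  => "sudoers_file_${sudo::default_target}",
        order   => 17 + $index * 3,
        content => "\n# Generated from the sudo::defaults::${context} class parameter:\n",
      }

      # $defaults maps a list name to a hash of option => value.
      $defaults.each |$list, $items| {
        $items.each |$param, $value| {
          sudo::option { "${context}_${list}_${param}":
            parameter      => $param,
            context        => $context,
            list           => $list,
            value          => $value,
            order          => 18 + $index * 3,
            newline_before => false,
          }
        }
      }

      concat::fragment { "sudo::defaults::${context} end":
        target  => "sudoers_file_${sudo::default_target}",
        order   => 19 + $index * 3,
        content => "# End sudo::defaults::${context} class parameters\n",
      }
    }
  }
}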