---
- name: ensure sudo is installed
  package:
    name: "sudo"
    state: present

- name: ensure system users are present
  user:
    name: "{{ item.name }}"
    comment: "{{ item.comment }}"
    shell: "{{ item.shell }}"
    home: "{{ item.home }}"
    generate_ssh_key: "{{ item.generate_ssh_key }}"
    ssh_key_bits: "{{ item.ssh_key_bits }}"
    state: "{{ item.state }}"
  loop: "{{ system_users }}"

- name: ensure ssh config directory is present
  file:
    path: "{{ item.home }}/.ssh"
    state: directory
    owner: "{{ item.name }}"
    group: "{{ item.name }}"
    mode: '0700'
  loop: "{{ system_users }}"

- name: configure ssh public keys
  template:
    src: "authorized_keys.j2"
    dest: "{{ item.home }}/.ssh/authorized_keys"
    owner: "{{ item.name }}"
    group: "{{ item.name }}"
    mode: '0600'
  loop: "{{ system_users }}"

- name: configure passwordless sudo access
  template:
    src: "sudoers.j2"
    dest: "/etc/sudoers.d/{{ item.name }}"
    owner: root
    group: root
    mode: '0440'
    validate: "/usr/sbin/visudo -cf %s"
  loop: "{{ system_users }}"

- name: remove admin lines from /etc/sudoers
  lineinfile:
    path: "/etc/sudoers"
    state: absent
    regexp: '^admin\s'
    validate: "/usr/sbin/visudo -cf %s"