# https://stackoverflow.com/questions/37333305/ansible-create-a-user-with-sudo-privileges
- name: Add sources list
  ansible.builtin.copy:
    src: sources_list
    dest: /etc/apt/sources.list
    owner: root
    group: root
    mode: 0440

- name: Copy vault key.
  ansible.builtin.copy:
    content: "{{ lookup('file', '~/.vault-key') }}"
    dest: "/home/{{ homelab_user }}/.vault-key"
    owner: "{{ homelab_user }}"
    group: "{{ homelab_user }}"
    mode: 0440

- name: Install Packages.
  ansible.builtin.apt:
    pkg:
      - sudo
      # TODO move these somewhere else
      - ufw
      - htop
      - gdisk
    state: latest
    update_cache: true

- name: Ensure group.
  ansible.builtin.group:
    name: '{{ item.group }}'
    state: present
  with_items: '{{ users }}'

- name: Ensure Users.
  ansible.builtin.user:
    name: '{{ item.name }}'
    comment: '{{ item.name }} user'
    group: '{{ item.group }}'
  with_items: '{{ users }}'

- name: Add sudoers.
  ansible.builtin.template:
    src: sudoers.j2
    dest: /etc/sudoers.d/{{ item.name }}
    mode: 0440
  with_items: '{{ users }}'
  when: item.passwordless_sudo

- name: Set authorized key.
  authorized_key:
    user: '{{ homelab_user }}'
    state: present
    key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"

- name: Copy Bashrc.
  ansible.builtin.copy:
    src: bash_rc
    dest: "/home/{{ homelab_user }}/.bash_rc"
    group: "{{ homelab_user }}"
    owner: "{{ homelab_user }}"
    mode: 0644

- name: Disable password authentication for root.
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    state: present
    regexp: '^#?PermitRootLogin'
    line: 'PermitRootLogin prohibit-password'

- name: Disable password authentication for users.
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    state: present
    regexp: '^#?PasswordAuthentication'
    line: 'PasswordAuthentication no'