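---
# Role tasks that manage local groups, user accounts, SSH authorized keys and
# sudo membership.
#
# Variables read here but defined elsewhere (role defaults / inventory):
#   users_sudoers_group, users_sudoers_create_group,
#   users_sudoers_create_sudo_conf, users_additional_groups,
#   users_default_cloud_users, users_system_users, users_system_users_adjunct,
#   deb_users_sudoers_group, rh_users_sudoers_group.
#
# Every task that writes sudo policy validates the result with visudo before it
# is committed: a single syntax error in a sudoers file makes sudo unusable for
# every administrator on the host.

- name: Create the groups that we want to add to the users
  tags: users
  block:
    - name: Create the sudoers group if needed
      ansible.builtin.group:
        name: "{{ users_sudoers_group }}"
        state: present
      when: users_sudoers_create_group | bool

    - name: Add a sudo additional configuration for the new sudoers group
      ansible.builtin.template:
        src: sudoers.j2
        dest: "/etc/sudoers.d/{{ users_sudoers_group }}"
        owner: root
        group: root
        # Owner-only; sudoers(5) documents 0440 for sudoers files — TODO confirm
        # the sudo version on the targets accepts 0600 for drop-ins.
        mode: "0600"
        # Only install the rendered drop-in if visudo accepts it.
        validate: "/usr/sbin/visudo -cf %s"
      when: users_sudoers_create_sudo_conf | bool

- name: Manage additional groups
  # `is defined` already evaluates to a boolean; no `| bool` cast is needed.
  when: users_additional_groups is defined
  tags: users
  block:
    - name: Manage additional groups
      ansible.builtin.group:
        name: "{{ item.group }}"
        state: "{{ item.state | default('present') }}"
      loop: "{{ users_additional_groups }}"

- name: Remove some default users from cloud images
  tags:
    - users
    - default_users
  block:
    - name: Remove the default cloud users
      ansible.builtin.user:
        name: "{{ item }}"
        state: absent
        # Also delete the home directory and mail spool (userdel --remove).
        remove: true
      loop: "{{ users_default_cloud_users }}"

- name: Manage the users of a system
  tags: users
  block:
    - name: Manage the creation or removal of the default set of users
      ansible.builtin.user:
        name: "{{ item.login }}"
        group: "{{ item.group | default(omit) }}"
        groups: "{{ item.groups | default(omit) }}"
        append: true
        comment: "{{ item.name | default(item.login) }}"
        # item.home is the parent directory, not the full path: the login name
        # is always appended to it.
        home: "{% if item.home is defined %}{{ item.home }}/{{ item.login }}{% else %}/home/{{ item.login }}{% endif %}"
        createhome: "{{ item.createhome | default(true) }}"
        shell: "{{ item.shell | default('/bin/bash') }}"
        # The user module expects an already-hashed value here. The default
        # '*' locks the account against password login, leaving SSH keys as
        # the only interactive path.
        password: "{{ item.password | default('*') }}"
        # By default the hash is only applied when the account is created, so
        # re-running the role does not overwrite a password the user changed.
        update_password: "{{ item.update_password | default('on_create') }}"
        state: "{{ item.state | default('present') }}"
        remove: "{{ item.remove_data | default(false) }}"
        # Only meaningful with state=absent (forced removal).
        force: true
      loop: "{{ users_system_users }}"
      # Keep password hashes out of task output and logs.
      no_log: "{% if item.password is defined %}true{% else %}false{% endif %}"

    - name: Ensure that the users can login with their ssh keys
      ansible.posix.authorized_key:
        user: "{{ item.login }}"
        key: "{{ item.ssh_key }}"
        # exclusive: only the keys listed in inventory survive; any key added
        # out of band is removed on the next run.
        exclusive: true
        state: present
      loop: "{{ users_system_users }}"
      when:
        - item.ssh_key is defined
        - item.state is not defined or item.state == "present"

    - name: Add the admin users to the sudoers group
      ansible.builtin.user:
        name: "{{ item.login }}"
        groups: '{% if ansible_distribution_file_variety == "Debian" %}{{ deb_users_sudoers_group }}{% elif ansible_distribution_file_variety == "RedHat" %}{{ rh_users_sudoers_group }}{% endif %}'
        append: true
      loop: "{{ users_system_users }}"
      when:
        - item.admin is defined and item.admin
        - item.state is not defined or item.state == "present"
        # The groups expression renders to an empty string on any other
        # distribution family; skip instead of passing an empty group list.
        - ansible_distribution_file_variety in ["Debian", "RedHat"]

- name: Manage additional users
  tags: users
  block:
    - name: Manage the creation or removal of additional users
      ansible.builtin.user:
        name: "{{ item.login }}"
        group: "{{ item.group | default(omit) }}"
        groups: "{{ item.groups | default(omit) }}"
        append: true
        comment: "{{ item.name | default(item.login) }}"
        # item.home is the parent directory, not the full path: the login name
        # is always appended to it.
        home: "{% if item.home is defined %}{{ item.home }}/{{ item.login }}{% else %}/home/{{ item.login }}{% endif %}"
        createhome: "{{ item.createhome | default(true) }}"
        shell: "{{ item.shell | default('/bin/bash') }}"
        # Hashed value expected; '*' locks password login (see above).
        password: "{{ item.password | default('*') }}"
        update_password: "{{ item.update_password | default('on_create') }}"
        state: "{{ item.state | default('present') }}"
        remove: "{{ item.remove_data | default(false) }}"
        # Only meaningful with state=absent (forced removal).
        force: true
      loop: "{{ users_system_users_adjunct }}"
      # Keep password hashes out of task output and logs.
      no_log: "{% if item.password is defined %}true{% else %}false{% endif %}"

    - name: Ensure that the additional users can login with their ssh keys
      ansible.posix.authorized_key:
        user: "{{ item.login }}"
        key: "{{ item.ssh_key }}"
        # exclusive: keys not listed in inventory are removed on the next run.
        exclusive: true
        state: present
      loop: "{{ users_system_users_adjunct }}"
      when:
        - item.ssh_key is defined
        - item.state is not defined or item.state == "present"

    - name: Add the additional admin users to the sudoers group
      ansible.builtin.user:
        name: "{{ item.login }}"
        groups: '{% if ansible_distribution_file_variety == "Debian" %}{{ deb_users_sudoers_group }}{% elif ansible_distribution_file_variety == "RedHat" %}{{ rh_users_sudoers_group }}{% endif %}'
        append: true
      loop: "{{ users_system_users_adjunct }}"
      when:
        - item.admin is defined and item.admin
        - item.state is not defined or item.state == "present"
        # Skip on distribution families where the groups expression is empty.
        - ansible_distribution_file_variety in ["Debian", "RedHat"]

- name: Configure passwordless sudo
  # NOTE(review): this block has no enabling variable — it runs whenever the
  # `users` tag runs, and grants every member of the sudoers group
  # NOPASSWD: ALL. Run with --skip-tags sudo_wheel to leave sudo untouched.
  tags:
    - users
    - sudo_wheel
  block:
    - name: Permit sudo without password on Deb based systems
      ansible.builtin.lineinfile:
        path: /etc/sudoers
        state: present
        regexp: '^%{{ deb_users_sudoers_group }}\s'
        line: '%{{ deb_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL'
        # Only commit the edit if visudo accepts the temporary file; a broken
        # /etc/sudoers disables sudo for everyone.
        validate: "/usr/sbin/visudo -cf %s"
      when: ansible_distribution_file_variety == "Debian"

    - name: Change the sudo configuration to permit sudo without password on RH/CentOS systems
      ansible.builtin.lineinfile:
        path: /etc/sudoers
        state: present
        regexp: '^%{{ rh_users_sudoers_group }}\s'
        line: '%{{ rh_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL'
        # Same validation as the Debian task above.
        validate: "/usr/sbin/visudo -cf %s"
      when: ansible_distribution_file_variety == "RedHat"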