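# Play: create the listed local accounts and install their SSH public keys.
# Targets every inventory host and escalates to root through sudo.
- name: Ensure users exist and have SSH keys
  hosts: all
  become: true
  become_user: root
  become_method: sudo

  vars:
    # One entry per account. Only `name` is required; `shell`, `groups`,
    # `password_lock` and `keys` are optional and fall back to the defaults
    # applied in the tasks below.
    users:
      - name: automation
        shell: /bin/bash
        # optional
        # NOTE(review): `sudo` membership usually means full root. With the
        # password locked, sudo is only usable if sudoers allows it without a
        # password prompt; confirm that rule is scoped as narrowly as the
        # automation needs. The group must already exist on the target; this
        # play does not create it.
        groups: [sudo]
        password_lock: true  # optional: no local password login
        keys:
          - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEx+ltCKNIEM7F4PzGLv22cIu7N0Fpn5gxwV02xq0GS9 automation@im.cz"
      # add more users like:
      # - name: deploy
      #   keys:
      #     - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ... deploy@example"

  tasks:
    - name: Ensure user exists (creates home if missing)
      ansible.builtin.user:
        name: "{{ item.name }}"
        shell: "{{ item.shell | default('/bin/bash') }}"
        # Comma-joined group list; the parameter is omitted entirely when the
        # entry has no (or an empty) `groups` list.
        groups: "{{ (item.groups | default([])) | join(',') if (item.groups | default([])) else omit }}"
        append: true  # add the listed groups, keep existing memberships
        create_home: true
        password_lock: "{{ item.password_lock | default(omit) }}"
        state: present
      loop: "{{ users }}"
      loop_control:
        # Show only the account name per iteration instead of the whole entry.
        label: "{{ item.name }}"

    # Additive only: keys already present in authorized_keys but not listed in
    # `users` are left in place, so removing a key from the list does not
    # revoke it. Revocation needs an explicit `state: absent` run, or
    # `exclusive: true` with all of a user's keys passed in a single call
    # (exclusive is applied per loop iteration, so it cannot be combined with
    # this one-key-per-item loop).
    - name: Install authorized SSH keys
      # The module ships in the ansible.posix collection, which must be
      # installed on the controller.
      ansible.posix.authorized_key:
        user: "{{ item.0.name }}"
        key: "{{ item.1 }}"
        state: present
        manage_dir: true  # ensures ~/.ssh exists with correct perms
      # One iteration per (user, key) pair; users without `keys` are skipped.
      loop: "{{ users | subelements('keys', skip_missing=True) }}"
      loop_control:
        label: "{{ item.0.name }}"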