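---
# ==============================
# FIRST PLAY: BASELINE USERS
# ==============================
# Creates the listed accounts, pins their authorized SSH keys and grants
# passwordless sudo. Runs on every invocation (no tag restriction).
- name: Baseline user setup
  hosts: all
  become: true
  vars:
    # Each entry: login name, shell, extra groups (the distro sudo group is
    # always added on top), whether to drop a NOPASSWD sudoers file, and the
    # exact set of authorized keys (keys not listed here are removed because
    # the authorized_key task below uses `exclusive: true`).
    users:
      - name: automation
        shell: /bin/bash
        groups: []
        sudo_nopasswd: true
        ssh_keys:
          - "ssh-ed25519 AAAAC3..."
      - name: hellsos
        shell: /bin/bash
        groups: []
        sudo_nopasswd: true
        ssh_keys:
          - "ssh-ed25519 AAAAC3..."
      - name: jim
        shell: /bin/bash
        groups: []
        sudo_nopasswd: true
        ssh_keys:
          - "ssh-ed25519 AAAAC3..."

  tasks:
    - name: Pick sudo group per distro
      ansible.builtin.set_fact:
        # `wheel` on RedHat- and SUSE-family systems, `sudo` everywhere else.
        # Only 'RedHat' and 'Suse' are real os_family values; the other names
        # are distribution names kept as a harmless safety net.
        sudo_group: >-
          {{ 'wheel' if ansible_facts.os_family in ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse'] else 'sudo' }}

    - name: Ensure user exists
      ansible.builtin.user:
        name: "{{ item.name }}"
        shell: "{{ item.shell }}"
        # Distro sudo group plus the per-user `groups` list, which was
        # previously declared but never applied.
        groups: "{{ [sudo_group] + (item.groups | default([])) }}"
        append: true
        create_home: true
      loop: "{{ users }}"

    - name: Enforce authorized SSH keys
      ansible.builtin.authorized_key:
        user: "{{ item.name }}"
        # Double quotes make "\n" a real newline, so the keys land one per line.
        key: "{{ item.ssh_keys | join('\n') }}"
        # exclusive: true deletes every key not in ssh_keys; an empty list
        # would remove all key-based access for that account.
        exclusive: true
      loop: "{{ users }}"

    - name: Grant passwordless sudo
      ansible.builtin.copy:
        # sudoers.d silently skips file names containing '.' or '~'; none of
        # the user names above contain either.
        dest: "/etc/sudoers.d/{{ item.name }}"
        mode: '0440'
        content: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL\n"
        # visudo checks the file before it is installed, so a syntax error
        # cannot break sudo on the host.
        validate: 'visudo -cf %s'
      loop: "{{ users }}"
      # Entries without the flag are treated as "no passwordless sudo".
      when: item.sudo_nopasswd | default(false)

# ==============================
# SECOND PLAY: SSH HARDENING
# ==============================
# Tagged `never`: only runs when invoked with --tags hardening. Run the first
# play beforehand so key-based access exists before passwords are disabled.
- name: SSH Hardening
  hosts: all
  become: true
  tags:
    - never
    - hardening
  tasks:
    - name: Detect if system is Proxmox
      ansible.builtin.stat:
        path: /usr/bin/pveversion
      register: proxmox_check

    - name: Read the main sshd_config
      ansible.builtin.slurp:
        src: /etc/ssh/sshd_config
      register: sshd_main_config

    # Without an Include of the drop-in directory the hardening file below is
    # never read and the play would report success while changing nothing.
    # sshd uses first-match-wins, so the Include must also precede any
    # conflicting directive in the main file.
    - name: Refuse to proceed when drop-ins are not included
      ansible.builtin.assert:
        that:
          - >-
            (sshd_main_config.content | b64decode)
            is search('^\s*Include\s+/etc/ssh/sshd_config\.d', multiline=True)
        fail_msg: >-
          /etc/ssh/sshd_config does not Include /etc/ssh/sshd_config.d, so the
          hardening drop-in would be ignored; add the Include directive first.

    - name: Ensure sshd_config.d directory exists
      ansible.builtin.file:
        path: /etc/ssh/sshd_config.d
        state: directory
        mode: '0755'

    - name: Deploy SSH hardening config
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/99-ansible-hardening.conf
        mode: '0644'
        # ChallengeResponseAuthentication is the legacy alias of
        # KbdInteractiveAuthentication; both spellings are accepted.
        # Root keeps key-only login on Proxmox (its cluster tooling uses it)
        # and is disabled everywhere else.
        content: |
          PasswordAuthentication no
          ChallengeResponseAuthentication no
          PubkeyAuthentication yes
          AuthenticationMethods publickey
          UsePAM yes
          {% if not proxmox_check.stat.exists %}
          PermitRootLogin no
          {% else %}
          PermitRootLogin prohibit-password
          {% endif %}
        # Validates the drop-in on its own before it is installed.
        validate: 'sshd -t -f %s'
      notify: Restart SSH

  handlers:
    - name: Restart SSH
      ansible.builtin.service:
        # Unit is `sshd` on RedHat/SUSE families, `ssh` on Debian-derived ones.
        name: "{{ 'sshd' if ansible_facts.os_family in ['RedHat','Rocky','AlmaLinux','Fedora','OracleLinux','Suse'] else 'ssh' }}"
        state: restarted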