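---
# Tasks for managing local accounts, passwordless sudo and SSH keys.
# `users` comes from group_vars/all/users.yml; each entry carries `name` and
# may carry `shell`, `ssh_keys` (list of public keys) and `sudo_nopasswd`
# (bool, defaults to false).

- name: Ensure users exist
  ansible.builtin.user:
    name: "{{ item.name }}"
    # Leave the OS default shell in place when the entry does not set one
    # instead of failing on an undefined attribute.
    shell: "{{ item.shell | default(omit) }}"
    create_home: true
  loop: "{{ users }}"
  loop_control:
    label: "{{ item.name }}"

# --------------------------------------------------
# Configure passwordless sudo safely
# --------------------------------------------------
# sudo skips files in /etc/sudoers.d whose name contains a '.' or ends in
# '~', so the drop-in file name is sanitised. Without this, a user such as
# "j.doe" passes the visudo check but is never actually granted the rule.
- name: Configure passwordless sudo
  ansible.builtin.copy:
    dest: "/etc/sudoers.d/{{ item.name | regex_replace('[.~]', '_') }}"
    mode: '0440'
    owner: root
    group: root
    content: |
      {{ item.name }} ALL=(ALL:ALL) NOPASSWD: ALL
    # Never install a drop-in that visudo rejects; a broken file would
    # lock everyone out of sudo.
    validate: 'visudo -cf %s'
  loop: "{{ users }}"
  loop_control:
    label: "{{ item.name }}"
  # `| bool` so a string "false" from INI-style inventory is not truthy.
  when: item.sudo_nopasswd | default(false) | bool

# Revoke the grant when `sudo_nopasswd` is unset or false. Without this
# task, turning the flag off in inventory would leave the old drop-in in
# place and the privilege would never be taken away.
- name: Remove passwordless sudo for users that no longer have it
  ansible.builtin.file:
    path: "/etc/sudoers.d/{{ item.name | regex_replace('[.~]', '_') }}"
    state: absent
  loop: "{{ users }}"
  loop_control:
    label: "{{ item.name }}"
  when: not (item.sudo_nopasswd | default(false) | bool)

# --------------------------------------------------
# Install SSH keys
# --------------------------------------------------
- name: Install authorized SSH keys
  ansible.builtin.authorized_key:
    user: "{{ item.name }}"
    key: "{{ item.ssh_keys | join('\n') }}"
    # The inventory list is the whole truth: keys added by hand on the host
    # are removed. An entry without `ssh_keys` fails loudly rather than
    # silently wiping the user's keys.
    exclusive: true
  loop: "{{ users }}"
  loop_control:
    label: "{{ item.name }}"

# --------------------------------------------------
# Reset connection so the changed accounts are picked up immediately
# --------------------------------------------------
- name: Reset SSH connection
  ansible.builtin.meta: reset_connection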