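---
# tasks file for users
#
# NOTE(review): every task references `user.*`, so this file appears to be
# included once per entry of a users list with `loop_var: user` — confirm
# against the including task. Key material is generated on the controller
# (delegate_to: localhost) under `users_ssh_key_directory` and only copied
# to the managed host when `user.copy_private_key` is set.

- name: create local ssh_key_directory
  ansible.builtin.file:
    path: "{{ users_ssh_key_directory }}"
    state: directory
    mode: "0750"
  when:
    - user.manage_ssh_key is defined
    - user.manage_ssh_key | bool
  delegate_to: localhost
  become: false

- name: manage users {{ user.name }}
  ansible.builtin.user:
    name: "{{ user.name }}"
    state: "{{ user.state | default('present') }}"
    comment: "{{ user.comment | default(omit) }}"
    create_home: "{{ users_create_home }}"
    # the user module expects a password hash here, not cleartext
    password: "{{ user.password | default(omit) }}"
    uid: "{{ user.uid | default(omit) }}"
    group: "{{ user.group | default(omit) }}"
    groups: "{{ user.groups | default(omit) }}"
    home: "{{ user.home | default(omit) }}"
    shell: "{{ user.shell | default(users_shell) }}"
    update_password: "{{ user.update_password | default(omit) }}"
    expires: "{{ user.expires | default(omit) }}"
    system: "{{ user.system | default(omit) }}"
  register: users_manage_user

- name: set sudo options for {{ user.name }}
  ansible.builtin.template:
    src: sudo.j2
    # sudo ignores sudoers.d files whose name contains a dot, hence the replace
    dest: '/etc/sudoers.d/{{ user.name | replace(".", "dot") }}'
    mode: "0640"
    # never install an unparsable fragment; a broken sudoers.d file can lock out sudo
    validate: /usr/sbin/visudo -cf %s
  when:
    - user.sudo_options is defined
  loop_control:
    label: "{{ user.name }}"

- name: remove sudo options for {{ user.name }}
  ansible.builtin.file:
    path: '/etc/sudoers.d/{{ user.name | replace(".", "dot") }}'
    state: absent
  when:
    - user.sudo_options is not defined
  loop_control:
    label: "{{ user.name }}"

- name: ensure the sudoers.d directory is checked for user sudoers files (will be put after EOF if not exists)
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    state: present
    line: '#includedir /etc/sudoers.d'
    # /etc/sudoers is edited in place; validate the temp copy before it is moved over
    validate: /usr/sbin/visudo -cf %s

- name: generate private ssh key for {{ user.name }}
  ansible.builtin.command:
    cmd: "{{ users_ssh_keygen_command }}"
    creates: "{{ users_ssh_key_directory }}/{{ user.name }}"
  when:
    - user.manage_ssh_key is defined
    - user.manage_ssh_key | bool
  loop_control:
    label: "{{ user.name }}"
  delegate_to: localhost
  become: false

- name: generate public ssh key for {{ user.name }}
  ansible.builtin.shell:
    cmd: "{{ users_ssh_keygen_pubkey_command }} > {{ users_ssh_key_directory }}/{{ user.name }}.pub"
    creates: "{{ users_ssh_key_directory }}/{{ user.name }}.pub"
  when:
    - user.manage_ssh_key is defined
    - user.manage_ssh_key | bool
  loop_control:
    label: "{{ user.name }}"
  delegate_to: localhost
  become: false

- name: convert ssh key to ppk for {{ user.name }}
  # NOTE(review): `ssh-keygen -e` exports the public key (RFC4716 by default),
  # it does not produce a PuTTY .ppk private key — confirm the intended format.
  ansible.builtin.shell:
    cmd: >
      ssh-keygen -e -f "{{ users_ssh_key_directory }}/{{ user.name }}"
      -C "Generated by Ansible role robertdebock.users" >
      "{{ users_ssh_key_directory }}/{{ user.name }}.ppk"
    creates: "{{ users_ssh_key_directory }}/{{ user.name }}.ppk"
  when:
    - user.manage_ssh_key is defined
    - user.manage_ssh_key | bool
  delegate_to: localhost
  become: false

- name: create .ssh directory for {{ user.name }}
  ansible.builtin.file:
    # honour a custom home directory; fall back to the conventional /home/<name>
    path: "{{ user.home | default('/home/' ~ user.name) }}/.ssh"
    state: directory
    mode: "0700"
  become: true
  become_user: "{{ user.name }}"
  when:
    - user.manage_ssh_key is defined
    - user.manage_ssh_key | bool

- name: Deploy authorized keys for {{ user.name }}
  ansible.posix.authorized_key:
    user: "{{ user.name }}"
    state: present
    key: "{{ item }}"
  loop: "{{ user.authorized_keys }}"
  loop_control:
    label: "{{ user.name }}"
  when:
    - user.authorized_keys is defined

- name: Remove unauthorized keys for {{ user.name }}
  ansible.posix.authorized_key:
    user: "{{ user.name }}"
    state: absent
    key: "{{ item }}"
  loop: "{{ user.unauthorized_keys }}"
  loop_control:
    label: "{{ user.name }}"
  when:
    - user.unauthorized_keys is defined

- name: copy generated private ssh key for {{ user.name }}
  ansible.builtin.copy:
    src: "{{ users_ssh_key_directory }}/{{ user.name }}"
    # NOTE(review): the destination name is fixed to id_rsa regardless of the
    # key type produced by users_ssh_keygen_command — confirm they match.
    dest: "{{ user.home | default('/home/' ~ user.name) }}/.ssh/id_rsa"
    mode: "0400"
    owner: "{{ user.name }}"
    group: "{{ user.group | default(omit) }}"
  when:
    - users_manage_user is defined
    - user.copy_private_key is defined
    - user.copy_private_key | bool
  loop_control:
    label: "{{ user.name }}"

- name: check users password valid time
  ansible.builtin.command:
    # pass the user name as an awk variable instead of splicing it into the
    # program text, so a name containing quotes cannot alter the command
    cmd: >-
      awk -v name={{ user.name | quote }}
      'BEGIN { FS = ":" } $1 == name { print $5 }' /etc/shadow
  register: users_pw_valid
  changed_when: false
  check_mode: false
  when:
    - user.state | default('present') != "absent"

- name: set users password valid time
  ansible.builtin.command:
    cmd: chage -M "{{ user.password_validity_days }}" "{{ user.name }}"
  when:
    - user.password_validity_days is defined
    - users_pw_valid.stdout is defined
    - users_pw_valid.stdout | int != user.password_validity_days | int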