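---
# Manage local accounts, SSH authorized keys and per-user sudoers drop-ins
# for every entry of the `user` list.
#
# Keys read from each entry (all visible in the tasks below):
#   username           required - login name, also the sudoers.d file name
#   name               required when state is present - GECOS comment
#   password           optional - see the note on the password task
#   shell              optional - defaults to /bin/bash
#   publickey          optional - SSH public key to authorize
#   sudo               optional - defaults to false
#   sudo_passwordless  optional - defaults to false
#   hosts              optional - defaults to 'all'
#   state              optional - 'present' (default) or 'absent'
#
# NOTE(review): ansible-core does not accept `loop` on a block ("'loop' is
# not a valid attribute for a Block"). Confirm how this file is loaded; the
# usual layout is to keep the tasks in their own file and loop over it with
# ansible.builtin.include_tasks and the same loop_var.
- name: "manage users"
  tags: "usermanagement"
  loop: "{{ user }}"
  loop_control:
    loop_var: "__user"
  block:
    # Normalise the optional keys once so the tasks below can rely on them.
    # The sudo flags are coerced to real booleans rather than depending on
    # the string 'False' being converted later.
    # sudo_hosts and sudo_pwless are not used in this file; presumably the
    # sudoers.j2 template reads them - confirm against the template.
    - name: "user - set default facts for {{ __user['username'] }}"
      ansible.builtin.set_fact:
        sudo_hosts: "{{ __user['hosts'] | default('all') }}"
        sudo_file: "{{ __user['sudo'] | default(false) | bool }}"
        sudo_pwless: "{{ __user['sudo_passwordless'] | default(false) | bool }}"
        user_state: "{{ __user['state'] | default('present') }}"

    # Create the account with a password.
    # `password` must already be a crypt(3) hash, not clear text: the user
    # module stores the value as given. Keep the hash in an encrypted
    # variable store (for example Ansible Vault), not in plain inventory.
    - name: "user - create users with password - {{ __user['username'] }}"
      ansible.builtin.user:
        name: "{{ __user['username'] }}"
        comment: "{{ __user['name'] }}"
        password: "{{ __user['password'] }}"
        shell: "{{ __user['shell'] | default('/bin/bash') }}"
        state: "present"
      when:
        - "__user['password'] is defined"
        - "user_state == 'present'"

    # Create the account without setting a password (key-only login).
    - name: "user - create users without password - {{ __user['username'] }}"
      ansible.builtin.user:
        name: "{{ __user['username'] }}"
        comment: "{{ __user['name'] }}"
        shell: "{{ __user['shell'] | default('/bin/bash') }}"
        state: "present"
      when:
        - "__user['password'] is not defined"
        - "user_state == 'present'"

    # Authorize the SSH key only for accounts that are meant to exist.
    # Without the state check this task also ran for users marked 'absent',
    # where the account may already have been removed by an earlier run.
    - name: "user - manage authorized_keys - {{ __user['username'] }}"
      ansible.posix.authorized_key:
        user: "{{ __user['username'] }}"
        key: "{{ __user['publickey'] }}"
        state: "present"
        manage_dir: true
      when:
        - "__user['publickey'] is defined"
        - "user_state == 'present'"

    # Remove the account; `remove: true` also deletes its home directory
    # and mail spool.
    - name: "user - delete users - {{ __user['username'] }}"
      ansible.builtin.user:
        name: "{{ __user['username'] }}"
        state: "absent"
        remove: true
      when: "user_state == 'absent'"

    # Install the sudoers drop-in only for present users with sudo enabled.
    # - mode 0440 is the conventional mode for sudoers files; nothing but
    #   root needs to read the rules.
    # - validate runs visudo on the rendered file before it replaces the
    #   live one, so a template error cannot break sudo on the host. Adjust
    #   the visudo path if the target platform installs it elsewhere.
    # - sudo skips files in sudoers.d whose name contains '.' or ends in
    #   '~', so such usernames get a file that is silently ignored.
    - name: "user - create sudoers file - {{ __user['username'] }}"
      ansible.builtin.template:
        src: "templates/usermanagement/sudoers.d/sudoers.j2"
        dest: "/etc/sudoers.d/{{ __user['username'] }}"
        owner: "root"
        group: "root"
        mode: "0440"
        validate: "/usr/sbin/visudo -cf %s"
      when:
        - "sudo_file | bool"
        - "user_state == 'present'"

    # Remove the drop-in when sudo is disabled or the account is deleted.
    # Leaving the file behind for a deleted user would hand sudo rights to
    # whoever is later given the same login name.
    - name: "user - delete sudoers file - {{ __user['username'] }}"
      ansible.builtin.file:
        state: "absent"
        path: "/etc/sudoers.d/{{ __user['username'] }}"
      when: "not (sudo_file | bool) or user_state == 'absent'"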