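# command: ansible-playbook -i config/.ini common/create-ansible-user.yml --ask-become-pass
# Note: this playbook needs an interactive prompt (or a secret passed some other
# way) for privilege escalation: the bootstrap login user must be able to sudo,
# because 'ansible' does not exist yet on a fresh host.
---
- name: Create ansible user and configure passwordless sudo
  hosts: all
  become: true
  become_method: sudo
  vars:
    # Login user for the bootstrap run. A play-level var overrides the
    # inventory; this normally belongs in inventory/host_vars so the play
    # stays reusable across environments.
    ansible_user: khwezi
    # Controller-side public key that will be authorised for 'ansible'.
    ansible_pubkey_path: ~/.ssh/id_ed25519.pub
  tasks:
    - name: Ensure 'ansible' user exists
      ansible.builtin.user:
        name: ansible
        # 'sudo' is the Debian/Ubuntu admin group; RHEL-family hosts use
        # 'wheel' — adjust if this inventory mixes distributions.
        groups: sudo
        append: true
        shell: /bin/bash
        state: present

    - name: Allow 'ansible' user passwordless sudo
      # copy with 'content' is already idempotent (only reports changed when
      # the file differs), so no separate grep pre-check is needed.
      # 'validate' runs visudo on the temp file before it is moved into place:
      # a malformed drop-in would otherwise break sudo for every user on the
      # host, including the bootstrap login user.
      ansible.builtin.copy:
        dest: /etc/sudoers.d/ansible
        content: "ansible ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: '0440'
        validate: /usr/sbin/visudo -cf %s

    - name: Ensure /home/ansible/.ssh directory exists
      ansible.builtin.file:
        path: /home/ansible/.ssh
        state: directory
        owner: ansible
        group: ansible
        mode: '0700'

    # The controller's *private* key is deliberately NOT copied to the hosts.
    # Only the public key is needed for the controller to log in as 'ansible';
    # a private key present on every managed host means that compromising any
    # one host yields SSH access to all of them (and to the controller user).
    # If hosts genuinely need an outbound key (e.g. for git), generate a
    # dedicated per-host key instead. The public key is read on the controller
    # via lookup(), so it no longer has to be copied to the host and slurped
    # back; 'create: true' replaces the separate touch task, which flagged
    # 'changed' on every run because it bumped the mtime.
    - name: Ensure controller public key is present in authorized_keys
      ansible.builtin.lineinfile:
        path: /home/ansible/.ssh/authorized_keys
        line: "{{ lookup('file', ansible_pubkey_path) | trim }}"
        create: true
        owner: ansible
        group: ansible
        mode: '0600'
        state: present

    # NOTE(review): this hands ownership of a root-owned systemd config file
    # to the 'ansible' user. The user already has passwordless sudo, so any
    # later play that edits resolved.conf can use 'become' instead of a
    # loosened file mode. Kept only because other playbooks may currently
    # rely on it — confirm, and drop the task if nothing does.
    - name: Allow 'ansible' user to write to /etc/systemd/resolved.conf
      ansible.builtin.file:
        path: /etc/systemd/resolved.conf
        owner: ansible
        group: ansible
        mode: '0664'
        state: file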